TJX agrees to reimburse banks

TJX agrees to reimburse banks
TJX agrees to reimburse banks 

By Ross Kerber
Globe Staff 
The Boston Globe
December 1, 2007

Framingham retailer TJX Cos. agreed to reimburse banks up to $40.9 
million as a result of the largest data breach in history, which 
compromised as many as 100 million credit and debit card accounts before 
it was discovered at the end of last year.

TJX, the parent of discount chains including TJ Maxx and Marshalls, 
reached a deal with credit card network Visa Inc. to pay some of the 
costs of reissuing cards and covering fraud losses at banks that issue 
Visa products, the two companies said yesterday. TJX also said it would 
help promote new security standards that Visa, MasterCard Inc., and 
banks have struggled to persuade merchants to accept.

In return, the banks would agree not to sue TJX or its partners, and 
Visa would suspend some fines it levied after the breach, the companies 

The unprecedented terms demonstrate that retailers, banks, and card 
companies realize they must stop blaming one another for security lapses 
in an industry that handled $3.5 trillion worth of transactions last 
year, said Mary Monahan, partner at Javelin Strategy & Research in 
California. "We have a merchant and a card company saying, let's end the 
finger-pointing here," Monahan said.

"Basically, they're recognizing consumers are tired of these data 
breaches and want to be protected," Monahan said. In a recent survey of 
1,200 debit and credit card users, Javelin found 40 percent of the 
people surveyed had at least one card compromised in the past year, a 
level that could potentially erode confidence in the payment networks.

In a statement, Ellen Richey, Visa's head of global risk management, 
said, "This agreement demonstrates the importance of retailers and the 
payment card industry working together to protect cardholder data. . . . 
We hope one outcome of this resolution is recognition that a greater 
investment in security is good business."

TJX president and chief executive Carol Meyrowitz said in a statement 
her company has improved its own security since the breach. "We have 
also learned about the heightened security risks that exist across the 
entire US retail and banking industries as a result of today's high tech 
criminals. We believe that cooperative action is required by all banks, 
payment card companies and merchants to better protect customer payment 
card data, and we look forward to working together with Visa to further 
this goal."

Visa is the largest of the payment card networks, with more than 1.6 
billion cards in circulation. Yesterday's terms were unique, Monahan 
said, since negotiations following a data breach rarely include a direct 
deal between a merchant and a card network. Monahan said she expects 
MasterCard may make a similar deal with TJX and banks. A MasterCard 
spokesman said it wouldn't comment.

Banks that are part of the Visa network and make up at least 80 percent 
of the accounts affected by the TJX breach must accept the agreement 
before it becomes valid, and it would not cover some foreign losses.

TJX's breach had become a flashpoint for the payments industry amid a 
growing threat from hackers. Beginning in January, the company and 
outside investigators disclosed how intruders were able to penetrate the 
store's data network, apparently by intercepting wireless transmissions 
at stores in Florida, and download account numbers that have been used 
to conduct fraudulent purchases worldwide. So far the only convictions 
involve a group of low-level criminals in Florida that used some of the 
numbers to make purchases at local chain stores.

TJX has said at least 45.7 million payment card numbers were 
compromised. Visa and MasterCard won't comment, but the total impact of 
up to 100 million compromised accounts is spelled out in court filings 
recently unsealed.

TJX still faces lawsuits from New England banks seeking to recover the 
costs of issuing cards following the breach. Filings in that litigation 
showed Visa had issued $880,000 in penalties against the bank that 
processed payments at TJX stores, Fifth Third Bancorp of Ohio, citing 
the stores' security failures. Other filings in that case described 
numerous computer-security problems at TJX, including a lack of 
firewalls to protect data and a reliance on an outdated 
wireless-security protocol that is more vulnerable to hackers.

As part of yesterday's deal, Visa said it would waive certain fines 
against Fifth Third and move the money into the broader recovery fund. 
The fund is meant to cover the costs banks faced for fraud losses and 
expenses like reissuing cards, though a Visa spokeswoman declined to 
give details on the total costs to banks. Visa said banks could expect 
more reimbursement if they agreed to the deal than they could expect 
under existing antifraud programs. Fifth Third also is part of the 

Another part of the deal would have TJX help promote tougher security 
standards that Visa and other card networks wanted large merchants to 
meet by Sept. 30 of this year. Only 65 percent did so, according to 
Visa's most recent figures.

TJX had previously said it faced costs of $256 million as a result of 
the breach, and it has set money aside for those costs. Yesterday, it 
said its estimates included the potential $40.9 million payment to 

Copyright 2007 Globe Newspaper Company.

Visit InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods