Framingham retailer TJX Cos. agreed today to reimburse banks up to $40.9 million as a result of the largest data breach in history, which compromised as many as 100 million credit- and debit-card accounts before it was discovered at the end of last year.
TJX, the parent of discount chains including TJ Maxx and Marshalls, reached a deal with the credit-card network Visa Inc. to pay for the cost of reissuing cards and covering fraud losses at Visa's member banks, the two companies said. TJX also said it would agree to help promote new security standards that Visa, MasterCard Inc., and banks have struggled to persuade merchants to accept.
In return, the banks would agree not to sue TJX or its partners, and Visa would suspend some fines it levied over the breach, the companies said.
The unprecedented terms demonstrate that retailers, banks, and card companies realize they must stop blaming each other for security lapses in an industry that handled $3.5 trillion worth of transactions last year, said Mary Monahan, partner at Javelin Strategy & Research in California. "We have a merchant and a card company saying, 'let's end the finger-pointing here,'" Monahan said.
"Basically, they're recognizing consumers are tired of these data breaches and want to be protected," Monahan said. In a recent survey of 1,200 debit- and credit-card users, Javelin found that 40 percent of the people surveyed had at least one card compromised in the past year, a level that could potentially erode confidence in the payment networks.
"This agreement demonstrates the importance of retailers and the payment card industry working together to protect cardholder data," said Ellen Richey, Visa's head of global risk management, in a statement. "We hope one outcome of this resolution is recognition that a greater investment in security is good business."
TJX president and chief executive Carol Meyrowitz said in a statement that her company has improved its own security since the breach. "We have also learned about the heightened security risks that exist across the entire US retail and banking industries as a result of today's high tech criminals. We believe that cooperative action is required by all banks, payment card companies and merchants to better protect customer payment card data, and we look forward to working together with Visa to further this goal."
Visa is the largest of the payment card networks with more than 1.6 billion cards in circulation. Monahan said she expects MasterCard Inc. may now make a similar deal with TJX and banks. A MasterCard spokesman said it wouldn't comment.
Banks that are part of the Visa network and account for at least 80 percent of the accounts affected by the TJX breach must accept the agreement before it becomes valid.
TJX's breach had become a flashpoint for the payments industry amid growing threats from hackers. Beginning in January, the company and outside investigators disclosed how as-yet-unknown intruders were able to penetrate the store's data network, apparently by intercepting wireless transmissions at stores in Florida, and download account numbers that have since been used to conduct fraudulent purchases worldwide. So far the only convictions in the investigation involve a group of low-level criminals in Florida that used some of the numbers to make purchases at local chain stores.
The company still faces lawsuits from New England banks seeking to recover the costs of issuing cards following the breach. Filings in that case showed that Visa had issued $880,000 in penalties against the bank that processed payments at TJX stores, Fifth Third Bancorp of Ohio, citing the stores' security failures. Other filings in that case revealed numerous computer-security problems at TJX, including a lack of firewalls to protect data and a reliance on an outdated wireless-security protocol that is more vulnerable to hackers.
As part of today's deal, Visa said it would waive certain fines against Fifth Third and move the money into the broader recovery fund. The fund is meant to cover the costs banks faced for fraud losses and expenses like reissuing cards, though a Visa spokeswoman declined to give details on the total costs to banks. Visa said banks could expect more payments if they agreed to the deal than they could expect under existing anti-fraud programs.
Another part of the deal would have TJX help promote tougher security standards that Visa and other card networks wanted large merchants to meet by Sept. 30 of this year. Only 65 percent did so, according to Visa's most recent figures.
TJX had previously said it faced costs of $256 million as a result of the breach, and that it has set money aside for those costs. Today, it said its estimates included the potential $40.9 million payment to banks.


