TJX facing customer complaints, possible fines by credit-card firms

TJX Cos. may be fined over its recent loss of customer credit- and debit-card data, say industry consultants, in a case shaping up as the first major test for a new Wakefield organization set up by Visa International and MasterCard Inc. to combat fraud.

Merchants who accept credit cards are supposed to comply with a new international data standard put in place by a group called the Payment Card Industry Security Standards Council, created in the fall with a dozen employees. Its board includes representatives from Visa, MasterCard, Discover Financial Services, and American Express Co.

The standard lays out how much data companies such as retailers and restaurants can collect and how long they can keep it on file, among other things. The goal is to minimize how much data thieves might find. But compliance rates are notoriously low: Visa says just 31 percent of large merchants have met the requirement.

Financial-services executives have said TJX was among the laggards, which could lead to fines of up to $500,000. TJX spokeswoman Sherry Lang declined to comment.

Seana Pitt, an American Express vice president who chairs the standards council, said the TJX matter is "a wake-up call for the industry" and said it reinforces why merchants should improve their security. Pitt acknowledged many have made slow progress to date but said many merchants are working hard on the issue. "The numbers themselves do look dismal, but it's not as bad as it seems," she said.

TJX, which operates T.J. Maxx, Marshalls, and other stores, revealed on Wednesday that its computer systems had been hacked and that may have compromised millions of customer credit- and debit-card accounts it had on file dating to 2003.

Pitt declined to discuss how card companies might act against TJX, but generally fines against companies that fail to meet past standards have soared in recent years. Visa says it fined companies a total of $4.7 million in 2006, up from $3.4 million in 2005, for instance. Visa and MasterCard may fine institutions that handle card transactions, and those may pass along the fines to retailers.

According to a letter Visa sent to banks and other financial institutions this month, "patterns of counterfeit fraud have been reported on some of the affected accounts" of TJX customers and Visa is weighing what "corrective action" it might take. In all, the breach involves millions of card accounts, the letter said.

Avivah Litan, technology analyst for Gartner Group, said fines are likely against any company that loses data.

But since banks must cover the cost of these breaches, which can reach into the tens of millions of dollars, the case also has blown up into a rare public squabble between industries over which entity should assume financial responsibility for consumer fraud.

"That's why you're hearing so much about this, the banks want their money back," Litan said.

Groups like the Massachusetts Bankers Association have criticized TJX over its security practices, and banks have cance led thousands of cards as a result. Yesterday, a spokeswoman for Fifth Third Bancorp in Cincinnati confirmed it was one of the banks that processed card transactions for TJX. She said TJX used other banks as well.

But others say that banks themselves are partly responsible for the problems, since they have pressed hard for retailers to switch to debit cards to save the costs of processing paper checks. Jon B. Hurst, president of the Retailers Association of Massachusetts, said banks on average charge merchants 2 percent of every transaction to accept debit-card payments, but haven't insisted on higher security measures for their cards.

"I get aggravated when they start complaining," Hurst said. TJX is a member of his trade group.

David Robertson, publisher of The Nilson Report, a payments industry newsletter, said some card companies themselves deserve blame for not pressing banks to insist on tighter security from retailers because they don't want to lose any as customers.

"The problem is Visa and MasterCard have these deadlines, but they haven't put the screws on the banks," he said.

Ross Kerber can be reached at kerber@globe.com. Globe reporter Jenn Abelson contributed to this report.