December 6, 2007
TJX Proposes $40.9 Million Settlement With Visa Inc. In the Largest Data Breach of 94 Million Cardholders
Analysis of:
How TJX Became a Lesson In Proper Security | www.internetnews.com
This analysis is solely the work of the author. It has not been edited or endorsed by GLG.
Implications: TJX's data breach stretched from the U.S. to Canada and as far as Ukraine, where one of the ring leaders was arrested for his role in the theft of TJX's payment card data. Reports first surfaced that more than 45 million cardholders had been affected; after Visa's investigation, however, the number more than doubled to over 94 million affected cardholders. As part of the proposed settlement, Visa will not impose pending fines on TJX's U.S. acquirer, Fifth Third Banc, and Visa will also rescind up to $225,000 in fines not yet collected from Fifth Third Banc for failing to ensure TJX's compliance with PCI DSS by the September 30, 2007 deadline. When the Payment Card Industry Data Security Standard was established, the card networks (Visa, MasterCard, AmEx and Discover) reserved the right to fine acquiring banks when their merchants violate the PCI DSS; acquirers typically pass those fines on to the merchant. Visa has also restored TJX to a favorable interchange rate, which may save TJX as much as $200,000 or more.
Analysis: TJX will take its rightful place as "poster company" for the PCI DSS (Payment Card Industry Data Security Standard) over the next two years as it eats crow and serves as the example not to follow on its promotional tour in support of the goal of the PCI DSS, which is to secure and protect payment card data. The card networks Visa, MasterCard, AmEx and Discover established the PCI DSS to ensure that merchants and their acquirers follow a defined set of security controls to prevent data breaches and protect cardholder data. Apparently, hackers roamed freely on TJX's network for over 18 months, which ultimately left over 94 million credit and debit cardholders affected by TJX's data breach.
1. TJX may have avoided the data breach if it had followed all of the requirements set forth by the PCI DSS, which are:
   1. Install and maintain a firewall configuration to protect cardholder data.
   2. Do not use vendor-supplied defaults for system passwords and other security parameters.
   3. Protect stored cardholder data.
   4. Encrypt transmission of cardholder data across open, public networks.
   5. Use and regularly update anti-virus software.
   6. Develop and maintain secure systems and applications.
   7. Restrict access to cardholder data by business need to know.
   8. Assign a unique ID to each person with computer access.
   9. Restrict physical access to cardholder data.
   10. Track and monitor all access to network resources and cardholder data.
   11. Regularly test security systems and processes.
   12. Maintain a policy that addresses information security.
2. TJX also received some relief in Boston's federal court, where the financial institution plaintiffs had sought class action status. The judge presiding over the case denied the plaintiffs' petition for class action status, which means the financial institutions seeking compensation for breach-related card reissuance costs and losses will have to sue TJX individually. The financial institutions can appeal the decision; should it stand, TJX's legal problems are reduced considerably.
Takeaway: Apparently, TJX followed only three of the 12 PCI DSS requirements, and TJX must still face the music in other investigations, by the Federal Trade Commission (FTC) and in a multi-state probe led by the Massachusetts Attorney General. Canada is also investigating TJX to determine how widely the breach has affected cardholders in Canada, and the total cost of the TJX data breach could surpass $1 billion.