http://www.boston.com/business/globe/articles/2007/12/01/tjx_agrees_to_reimburse_banks/

By Ross Kerber
Globe Staff
The Boston Globe
December 1, 2007

Framingham retailer TJX Cos. agreed to reimburse banks up to $40.9 million as a result of the largest data breach in history, which compromised as many as 100 million credit and debit card accounts before it was discovered at the end of last year.

TJX, the parent of discount chains including TJ Maxx and Marshalls, reached a deal with credit card network Visa Inc. to pay some of the costs of reissuing cards and covering fraud losses at banks that issue Visa products, the two companies said yesterday. TJX also said it would help promote new security standards that Visa, MasterCard Inc., and banks have struggled to persuade merchants to accept.

In return, the banks would agree not to sue TJX or its partners, and Visa would suspend some fines it levied after the breach, the companies said.

The unprecedented terms demonstrate that retailers, banks, and card companies realize they must stop blaming one another for security lapses in an industry that handled $3.5 trillion worth of transactions last year, said Mary Monahan, partner at Javelin Strategy & Research in California.

"We have a merchant and a card company saying, let's end the finger-pointing here," Monahan said.

"Basically, they're recognizing consumers are tired of these data breaches and want to be protected," Monahan said. In a recent survey of 1,200 debit and credit card users, Javelin found 40 percent of the people surveyed had at least one card compromised in the past year, a level that could potentially erode confidence in the payment networks.

In a statement, Ellen Richey, Visa's head of global risk management, said, "This agreement demonstrates the importance of retailers and the payment card industry working together to protect cardholder data. . . . We hope one outcome of this resolution is recognition that a greater investment in security is good business."

TJX president and chief executive Carol Meyrowitz said in a statement her company has improved its own security since the breach. "We have also learned about the heightened security risks that exist across the entire US retail and banking industries as a result of today's high tech criminals. We believe that cooperative action is required by all banks, payment card companies and merchants to better protect customer payment card data, and we look forward to working together with Visa to further this goal."

Visa is the largest of the payment card networks, with more than 1.6 billion cards in circulation.

Yesterday's terms were unique, Monahan said, since negotiations following a data breach rarely include a direct deal between a merchant and a card network. Monahan said she expects MasterCard may make a similar deal with TJX and banks. A MasterCard spokesman said it wouldn't comment.

Banks that are part of the Visa network and make up at least 80 percent of the accounts affected by the TJX breach must accept the agreement before it becomes valid, and it would not cover some foreign losses.

TJX's breach had become a flashpoint for the payments industry amid a growing threat from hackers. Beginning in January, the company and outside investigators disclosed how intruders were able to penetrate the store's data network, apparently by intercepting wireless transmissions at stores in Florida, and download account numbers that have been used to conduct fraudulent purchases worldwide.

So far the only convictions involve a group of low-level criminals in Florida that used some of the numbers to make purchases at local chain stores.

TJX has said at least 45.7 million payment card numbers were compromised. Visa and MasterCard won't comment, but the total impact of up to 100 million compromised accounts is spelled out in court filings recently unsealed.

TJX still faces lawsuits from New England banks seeking to recover the costs of issuing cards following the breach. Filings in that litigation showed Visa had issued $880,000 in penalties against the bank that processed payments at TJX stores, Fifth Third Bancorp of Ohio, citing the stores' security failures.

Other filings in that case described numerous computer-security problems at TJX, including a lack of firewalls to protect data and a reliance on an outdated wireless-security protocol that is more vulnerable to hackers.

As part of yesterday's deal, Visa said it would waive certain fines against Fifth Third and move the money into the broader recovery fund. The fund is meant to cover the costs banks faced for fraud losses and expenses like reissuing cards, though a Visa spokeswoman declined to give details on the total costs to banks.

Visa said banks could expect more reimbursement if they agreed to the deal than they could expect under existing antifraud programs. Fifth Third also is part of the settlement.

Another part of the deal would have TJX help promote tougher security standards that Visa and other card networks wanted large merchants to meet by Sept. 30 of this year. Only 65 percent did so, according to Visa's most recent figures.

TJX had previously said it faced costs of $256 million as a result of the breach, and it has set money aside for those costs. Yesterday, it said its estimates included the potential $40.9 million payment to banks.

Copyright 2007 Globe Newspaper Company.

Visit InfoSec News
http://www.infosecnews.org/