SAN FRANCISCO -- Eager to put the largest retail card security breach in history behind itself and the industry, TJX Companies has put forward a plan that will allow credit unions and other card issuers to receive compensation more quickly for damages they've suffered.
Under the terms of the deal, the retailer--the parent corporation for TJ Maxx, Marshalls and other retail chains in the U.S., Canada and the United Kingdom, along with its acquiring bank--will put up to $40.9 million to fund the payments for the breach, more details of which have only recently come to light (see story on page 26).
The agreement will require that more than 80% of card issuers that suffered damage as a result of the breach agree to accept the payment agreement in order for it to be finalized. Accepting payment will mean releasing TJX and its acquiring bank from liability and future claims. It will also allow credit unions to receive at least partial compensation for their losses without long legal battles.
"We believe issuers will benefit greatly by participating in this program because it offers immediate recovery on their data breach claims," said Ellen Richey, head of global risk management for Visa Inc. "This agreement demonstrates the importance of retailers and the payment card industry working together to protect cardholder data. Additionally, it's clear the impact of a data compromise harms all payment system stakeholders--merchants, banks and consumers alike. We hope one outcome of this resolution is recognition that a greater investment in security is good business."
Retail analysts refrained from speaking for the record about the deal because it has not been fully disclosed. But they estimated that the accelerated timeline for resolving the matter provided incentive for TJX to offer the settlement, and will encourage many card issuers--particularly smaller ones such as credit unions--to take it.
"TJX just wants this off their books and behind them," observed one, adding that the company was taking a gamble that enough card issuers would be willing to take at least some money on the table rather than risk wading through ongoing legal battles.
Visa sweetened the agreement for TJX and its acquiring bank by agreeing to drop and suspend a part of the fines it levied on the bank for its role in the breach, though the company declined to say how much of the fine would be suspended. Since it is in the quiet period prior to its initial public offering of stock, Visa also declined to take questions on its part of the arrangement.
Visa's announcement also hinted that the card brand had an interest in showing that the industry could handle and prevent these sorts of breaches.
The card brand noted that it has led the industry in driving merchant compliance with the Payment Card Industry Data Security Standard (PCI DSS). In less than 18 months, Visa reported that it has been able to drive compliance among the largest U.S. merchants from about 12% in March 2006 to 66% in Oct. 2007 through a multi-tiered strategy of fines, incentives and education.
"We've made steady progress in accelerating merchant compliance with PCI standards to protect cardholder information and reduce the cost and impact of fraud," remarked Richey. "Security is a shared responsibility and this progress demonstrates that many of the largest participants in the system understand their role and responsibility for protecting this information."
Greg Smith, CEO of the $2.8 billion Pennsylvania State Employees Credit Union, said his credit union has not yet received an offer of what the settlement would mean financially but said he doubted whether it would cover all the CU's losses. In related news, he and PSECU are waiting, he said, for an appeals court decision which might go the credit union's way in its battle with BJ's Wholesale Club, the source of a previous big card security breach. "What the third circuit court says could make a big difference in all this," he said.
CUNA Mutual welcomed the deal but said it would hold off evaluating it. "We don't know the details yet as to what portion of their losses the credit unions will be entitled to recover through this process to assess whether this represents fair compensation for those losses. Once this information becomes known, credit unions, and CUNA Mutual, will be in a better position to make that assessment," a CUNA Mutual spokesman said.
Visa will be notifying issuers about how they can take part in the payments. Institutions will have about 10 days from the date of that notification to make a decision.