FRAMINGHAM, Mass. — Credit unions that issue Visa had their chance in late 2007 to get back some of the money they lost in the TJX card security breach. Now MasterCard issuing credit unions will have their chance.
TJX has offered to pay up to $24 million in aggregate to MasterCard issuers that had card data compromised in the company's enormous card data theft that came to light in early 2007. The arrangement is similar in some respects to a previous offer made to Visa issuers.
In that deal TJX, the parent company for the TJ Maxx and Marshalls retail chains, offered Visa issuers over $40 million in an settlement offer in November 2007 for damages from the breach. Issuers, including credit unions that chose to participate, received a portion of the $40 million as payment for some of the costs they incurred because of the security failure. The offer's advantages included getting at least some of their money back in a more timely manner. The disadvantages included forgoing the right to any further litigation.
Recommended For You
Essentially, MasterCard issuing credit unions now face the same decision: whether to accept the offer to recapture at least some of the resources they lost in the TJX card breach and give up any claim to anything else or, instead, refuse the offer in favor of what might be a very lengthy and expensive legal battle to regain more of their losses.
There is no way to know how many credit unions issuing Visa cards were damaged in the TJX breach and took the offer, although a majority must have because 95% of affected Visa card issuers accepted the offer in the end. The MasterCard deal has a higher requirement but roughly the same time frame. In the original Visa deal, media outlets reported that 80% of affected issuers had to agree for the negotiation to proceed. In the MasterCard deal, over 90% have to agree. MasterCard issuing credit unions with damages included in the offer have until April 29 to decide, mimicking the roughly one-month time frame that Visa issuers had to make their decision.
"This agreement reflects MasterCard's continuing commitment to working with merchants and our customers to reach appropriate and fair resolutions of data breach events," said Joshua Peirez, chief payment system integrity officer for MasterCard Worldwide. "We believe that by working closely and cooperatively with issuers and merchants, we can reduce the overall impact and costs of security breaches, while protecting consumers and accelerating fair and equitable resolutions of claims."
Executives from MasterCard who helped put the deal together have been briefing executives from credit union trade associations and card processing CUSOs about the terms of the offer. The impact will likely be as varied as the credit unions involved, association executives reported.
A spokesman for Card Services for Credit Unions, the association of credit unions that process card transactions with Fidelity National Information Systems, estimated that as few as 10% of the association's members issue MasterCard but added that it included some of the association's largest member credit unions. Other associations and CUSOs reported having higher percentages of MasterCard issuing member credit unions.
Executives from larger MasterCard issuing credit unions impacted by the TJX breach confirmed their CUs had been contacted about the breach but refrained from commenting on the record until after their institutions finalized their decision to take the deal or not. A number expressed dissatisfaction with idea that any monetary settlement will be able to restore the damage their relationships with their members took because of the breach.
Robert Hackney, CSCU President, pointed out as well that the MasterCard offer was significantly different that Visa's.
"Visa looked at all the counterfeit losses for the issuers involved in the event, applied a baseline percentage of normal fraud losses and subtracted that percentage to arrive at the TJX incremental fraud losses, which determined the payout," Hackney noted.
By contrast, MasterCard is only including issuers that submitted a formal claim for reimbursement for operating expenses or filed a compliance case for a violation of magnetic stripe storage regulations, in effect a stricter standard. CSCU submitted issuer claim reimbursements on behalf of any CSCU-sponsored MasterCard issuers.
"While the payout is not what we would have hoped, at least our MasterCard members who did submit a claim will receive some type of recovery. The only other recourse would be litigation, which could go on for quite some time with no guarantee of recovery," he said.
TJX reported the extensive breach in early 2007, but added that the breach had gone on for some time before it was discovered. Media reports have estimated that 455,000 cardholders have had their card data stolen in the breach and millions had their data potentially compromised.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
