TJX’s Settlement with Visa Casts Light on Murky World of PCI Penalties

The settlement The TJX Cos. and Visa Inc. announced Friday not only shows the retailer is well on its way to disposing of the myriad problems arising out the intrusion into its computer system that potentially compromised nearly 100 million credit and debit cards, but it also gives a rare glimpse into the secretive realm of penalties networks use to enforce rules for protecting cardholder data. As part of the settlement, Visa will forgo imposing pending fines on Fifth Third Bancorp, TJX's U.S. acquirer, and rescind another, and has restored a favorable interchange rate to TJX that saved the Framingham, Mass.-based retailer an estimated $210,000. Networks such as Visa and MasterCard Inc. reserve the right to fine acquiring banks when their merchants violate the Payment Card Industry data-security standard, or PCI?the card networks' set of rules for protecting cardholder data. Normally, acquirers pass on such fines to the offending merchant. Neither TJX nor Fifth Third has discussed fines arising from the data breach TJX disclosed last January, but a filing TJX made with the Securities and Exchange Commission detailing the settlement's provisions sheds some light on the Visa fines. According to documents filed by financial institutions in their suit against TJX for recovery of breach-related costs, those fines have amounted to $880,000 (Digital Transactions News, Dec. 12, 2006 and Aug. 15). The new TJX filing says that based on an October report from Fifth Third about TJX's PCI status, Visa agreed to suspend pending fines of up to $225,000 not yet collected from Fifth Third for the bank's alleged failure to ensure TJX's compliance with PCI by a Sept. 30, 2007 deadline. The violations included storage of magnetic-stripe data that merchants aren't supposed to keep. The filing also says that Visa's board of directors, when it considers the fines Fifth Third is appealing, “at a minimum” will rescind a $500,000 “egregious-violation” fine, provided that Visa issuers approve the settlement agreement. TJX has said that it has improved its computer security since the breach and is now fully compliant with PCI. “Visa and TJX agreed to the suspended and rescinded fines in part because it would increase the funds available in the [settlement's] alternative recovery program,” says a Visa release. Further, Visa on Oct. 18 restored interchange rates for TJX to levels existing before a change on Oct. 13 and made them effective “on an accelerated basis” 21 days earlier than normally would have been the case, the filing says. That saved TJX $10,000 a day during the three-week period. Interchange is the amount of a bank card transaction assessed to the acquirer and paid to the card issuer, with acquirers usually passing on the cost in full to merchants. Although spokespersons for Visa and TJX either would not discuss the matter or did not return calls for clarification, the filing apparently is referring to Visa's PCI so-called compliance-acceleration program, which penalizes non-compliant merchants by depriving them of volume-based interchange breaks (Digital Transactions News, Dec. 12, 2006). Under the settlement agreement, TJX and Visa are presenting Visa issuers with a so-called alternative recovery offer under which TJX will pay up to $40.9 million in pre-tax funds to compensate U.S. Visa issuers for breach-related expenses, provided they agree not to sue TJX or seek any other form of recovery from TJX, Fifth Third, or Visa. The offer needs approval from issuers representing 80% of the eligible accounts by Dec. 19. Visa did not disclose the total number of eligible accounts. Issuers will be paid by Dec. 27. TJX said it has already accounted for the settlement's costs as part of a $107 million after-tax charge it took in its fiscal 2008 second quarter ended July 28. “We believe this settlement agreement provides a fair resolution of these issues, and look forward to a high issuer acceptance of the proposal,” TJX president and chief executive Carol Meyrowitz said in a news release. “At TJX, we have learned a great deal about the risks of cyber attacks and have responded aggressively to take our own security to even higher levels.” In a written statement, a spokesperson for Cincinnati-based Fifth Third added, “We believe the alternative recovery offer, which is recommended by Visa under the terms of the agreement, provides for a fair recovery for eligible U.S. Visa issuers.” TJX also got some good legal news on Thursday when a federal judge in Boston denied the plaintiff financial institutions' petition for class status, meaning that banks and credit unions seeking compensation for breach-related card-reissuance costs or counterfeit card fraud losses will have to sue TJX individually. While the institutions have a few weeks to appeal that ruling, it clearly reduces TJX's legal problems should it stand. TJX earlier settled a consumer class action arising from the breach, but it still faces investigations by state attorneys general and the Federal Trade Commission. The settlement agreement does impose one unusual requirement on TJX: the retailer at the center of the biggest hack of cardholder data in history must promote PCI for two years. “TJX will serve on at least four occasions during the 24-month period following the date of this settlement agreement as a spokesperson in support of the goals of the Payment Card Industry Data Security Standards and the security of payment card information,” the TJX filing says. The document doesn't give any details about what TJX will do in the role. Visa also will offer TJX's acquirer the right to participate in at least one test of new card-security technology in the next two years. “TJX will be relieved to put a large part of this behind them even if they have to suffer a loss in pride by becoming a PCI spokescompany,” says technology analyst Avivah Litan of Stamford, Conn.-based Gartner Inc.