In 2005, Visa Agreed To Give TJX Until 2009 To Get PCI Compliant
Written by Evan SchumanBack in late 2005, Visa knew of the extensive security problems at TJX but decided to give the retailer permission to remain non-compliant through Dec. 31, 2008, according to documents filed in federal court Thursday.
The Dec. 29, 2005, letter from Joseph Majka, a fraud control vice president for Visa, was written months after cyberthieves had already secretly infiltrated TJX’s systems, starting the work that would ultimately become the worst data breach in credit card history.
Majka wrote the letter to Diana Greenshaw, an official with TJX’s credit card processor, Fifth Third Bank. "Visa will suspend fines until Dec. 31, 2008, provided your merchant continues to diligently pursue remediation efforts. This suspension hinges upon Visa’s receipt of an update by June 30, 2006, confirming completion of stated milestones."
The letter regarding TJX ended with this ironic-in-hindsight line: "I appreciate your continued support and commitment to safeguarding the payment industry."
Apparently, Visa didn’t consider TJX’s later efforts to be "diligently" pursuing remediation efforts because Visa issued $880,000 in fines to Fifth Third Bank—regarding TJX—this summer.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
