TJX Victories From Judge, Visa

Written by Evan Schuman
November 30th, 2007

In a pair of crucial decisions, TJX has moved quite close to completely clearing itself of the lawsuits from the world’s worst credit card data breach.

Those two rulings came from the federal judge overseeing the case—who refused to approve making the case a class-action—and from Visa, which said it would reduce its fine of TJX in exchange for the retailer paying banks as much as $40.9 million.

On Thursday afternoon, U.S. District Court Judge William Young denied the banks’ request for class action certification, ruling that many of the banks’ situations were too different from each other. Some of the banks had the expense of reissuing the cards while others didn’t, for example.

That decision is quite likely to stand, but there are two possibilities for it to change. The U.S. Court of Appeals could overrule Young. Attorneys for the banks have 10 days from Thursday to file that appeal.

The judge himself added a footnote saying that his decision "will need to be reassessed" after he rules on arguments he’ll hear on Dec. 11. Those arguments involve a Massachusetts Fair Trade statute (Chapter 93A).

Assuming the judge’s decision stands, it could all-but-kill the banks’ actions against TJX because each bank would have to independently pursue litigation against TJX. That’s going to be much more expensive than merely being a part of a large class-action effort and those banks have already spent money on the initial case.

Further complicating whether any of the plaintiff banks would pursue independent lawsuits was a Friday statement issued jointly by TJX and Visa. Here’s the full text of the Visa/TJX Agreement.

That Visa/TJX statement said that Visa would forgive "a portion" of the $880,000 that Visa had imposed on TJX’s credit card processor. In exchange, TJX will pay an unspecified amount—all that the two said was that it wouldn’t exceed $40.9 million—to an unspecified number of plaintiff banks.

The deal won’t happen unless it’s signed off on by "financial institutions representing 80 percent of the eligible U.S. Visa accounts affected by the data compromise," the TJX/Visa statement said.

To get any of the money, each bank would have to agree to not sue. That’s why the Visa statement is so closely connected to the judge’s class-action decision.

Banks have until Dec. 19 to accept the deal, the agreement said.

Visa has agreed to suspend any fines that are pending against TJX. "In addition, when Visa’s Board of Directors rules on the pending appeal of the fines previously imposed on Fifth Third, the Board will at a minimum rescind the $500,000 Egregious Violation fine, based on the totality of the circumstances known to Visa, including the pre-breach conduct and post-breach efforts of Fifth Third and TJX and their decisions to enter into this Settlement Agreement," the agreement said.

Visa also agreed to restore TJX’s credit and debit card interchange fee rates, and it did so more quickly than it typically would have. "Such acceleration having reduced the interchange fees paid by TJX by an estimated approximately $10,000 per day," the agreement said.

Visa also promised to let TJX "participate in at least one pilot program of an appropriate security-related payment card technology, if any, that Visa introduces for or makes available for piloting by any merchants in TJX’s class within the United States during the twenty-four month period following the date of this Settlement Agreement."

TJX also had to endure some pain, as the contract required that "TJX will serve on at least four occasions during the twenty-four month period following the date of this Settlement Agreement as a spokesperson in support of the goals of the Payment Card Industry."

Industry observers noted the timing of the movement, that the Visa deal was agreed to and filed with the SEC the same day as the judge’s class action decision was filed. To resolve this case in the middle of the holiday shopping season would be helpful to retailers. Many of the banks would rather have this distracting case off of their plates as well and Visa is in the middle of a $10 billion IPO and would also rather have this case no longer hanging on.

"It’s in everyone involved’s best interest for this to go away. No one wants consumers to return to using cash or checks, so I think everyone would just like it to go away," said Paula Rosenblum, a retail analyst with Retail Systems Research. "After all, outstanding litigation is not good for IPO’s, either."

Rosenblum’s associate at Retail Systems Research, Brian Kilcourse, agreed, but added that it’s still a mixed bag for the financial players.

"As to whether this is good for the issuing banks or not, I’m not sure it’s such a good deal. Consider: as many as 96 million card numbers were exposed to compromise–and something more than 40 million were actually compromised. Security experts estimate that the total per card cost to issuing banks is something in the $25-35 dollar range. So $40 million doesn’t begin to cover the true exposure."

Judge Young’s decision to not support a class action certification was based on a wide range of factors. One key issue was whether these banks reissued their customers’ cards because of the data breach or because of generic fraud risks.

Another key issue is whether TJX misled the banks about whether it was adequately protecting its data. The judge focused on whether banks believed what TJX said and whether they made important decisions based on those statements.

"The record before this Court raises significant questions about whether there was in fact class-wide reliance on TJX and Fifth Third’s alleged misrepresentations. For instance, some banks appear to have considered only one factor — the need to keep up with the competition — when making their decisions about card issuance," Young wrote. "Another bank suggested that, at least in some situations, a merchant’s failure to comply with data security standards would not cause the bank to alter its behavior. Yet another issuing bank indicated that its beliefs about TJX’s security, whatever they may have been, did not influence what security steps it adopted. Furthermore, there is evidence that Visa informed at least some issuing banks that many merchants fail to comply with data security standards."

The judge also expressed concern that some of the plaintiffs and one of the defendants are both issuing banks, meaning that they handle credit card accounts for major retailers.

"While banks that serve only as issuers — such as the named plaintiffs in this case — would clearly benefit from a victory, ‘mixed’ banks may actually be negatively affected," Young said. "Indeed, a decision that acquiring banks can be held liable in circumstances such as these very well could come back to haunt such ‘mixed’ banks in the future. The ‘mixed’ banks’ interest in shielding themselves from liability for millions of dollars if they are ever in Fifth Third’s position is contrary to the named plaintiff’s objectives."

