VISA Fined TJX Processor $880,000 For Security Violations

Written by Evan Schuman
October 27th, 2007

This summer, Visa fined TJX’s card processor $880,000—and said it would continue to fine the retailer’s card processor $100,000/month—for TJX’s role in the worst data breach in the payment industry’s history, according to documents filed in federal court Friday.

As the class-action lawsuit of various banks against TJX continues, documents and details of TJX’s breach are trickling out in a steady flow. The new Visa fine details were contained in a June 22, 2007, letter from Visa’s VP for policy compliance, John Aafedt, to Donald Boeding, a senior VP for Fifth Third Bank, the credit card processor for TJX.

Technically, the card brand is only allowed to fine the processor, which is its member, not the retailer, but processors can—and typically do—pass those charges along to the retailers directly.

TJX’s data breach is now believed to have impacted between 96 million and 100 million customers, whose credit card information was grabbed by intruders over the course of a multi-year intrusion.

The Visa fines broke down to a $50,000 penalty for violating Visa’s Cardholder Information Security Program (CISP), an "egregious fine" of $500,000 "due to the seriousness of this security incident and the impact on the Visa system," and the remaining $330,000 in retroactive monthly fines, Aafedt wrote.

That June 22 letter also said that the processor would be fined $100,000/month because of TJX’s "storage of prohibited data," a fine that Visa said would "continue to be assessed until compliance is obtained. Note that Visa reserves the right to further escalate fines and/or impose additional conditions, up to and including consideration of possible disconnection from the Visa payment system if TJX does not remediate track data storage in a timely manner."

It was not clear from the filed documents whether those additional fines were assessed, whether they continue to be assessed, or whether Visa still considers TJX to be holding that prohibited Track 2 data.

About six weeks before that Visa letter was written, ATW wrote a report for TJX analyzing the breach. That report has yet to be released publicly—and a hearing on whether that report will be made public is pending—but an additional excerpt from the report released Friday said that TJX was still not PCI compliant as of when that report was filed on May 1, 2007.

On Saturday, the Boston Globe quoted a TJX spokeswoman as saying on Friday that TJX is now PCI compliant. No details were given.

Also filed on Friday were excerpts from E-mails between TJX CIO Paul Butka and various IT staff, discussing whether—back in 2005—TJX needed to upgrade its wireless security from WEP (Wired Equivalent Privacy) to WPA (Wi-Fi Protected Access). The documents are intended to show that TJX management knew of the risks of not upgrading, but delayed anyway, to save money.

One Dec. 12, 2005, E-mail from TJX’s Richard Ferraioli to a group of IT personnel describes a memo they were going to send to CIO Butka, based on a meeting that day: "The absence of rotating keys in WEP means that we truly are not in compliance with the requirements of PCI. This becomes an issue if this fact becomes known and potentially exacerbates any findings should a breach be revealed."

That memo was going to recommend that the chain finish work on the encryption of store logs and the masking of Track 2 information. "This work will protect information at store-level only. This does not extend to covering in-transit information," Ferraioli wrote.
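The "storage of prohibited data" that Visa was fining, and the Track 2 masking the TJX memo recommended, are concrete enough to show in code. The block below is an added example written for this page; it is not TJX's code and not anything from the court filings. It parses an ISO/IEC 7813 Track 2 record (PAN, "=" separator, YYMM expiry, three-digit service code, discretionary data, optional ";" and "?" sentinels), uses a Luhn check to cut down false positives, scans constructed store-log lines for full track data, and rewrites each hit so that only the first six and last four PAN digits survive. The log lines and the PANs in them are constructed test values, not real card data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ISO/IEC 7813 Track 2 as it shows up in plaintext logs. Sentinels are
# optional because POS software often logs only the payload between them.
# The lookbehind stops the PAN from being carved out of a longer digit run.
TRACK2_RE = re.compile(
    r";?(?<!\d)(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check; a digit run that fails it is not a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry: str        # YYMM
    service_code: str  # three digits, e.g. "101"
    discretionary: str


def parse_track2(text: str) -> Optional[Track2]:
    """Return the first Luhn-valid Track 2 record in text, or None."""
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group("pan")):
            return Track2(m.group("pan"), m.group("exp"), m.group("svc"), m.group("disc"))
    return None


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_track2(line: str) -> str:
    """Rewrite every full Track 2 record in a log line as masked PAN plus '=****'.

    Expiry, service code, discretionary data and sentinels are all dropped:
    none of them may be stored after authorization.
    """
    def repl(m: "re.Match[str]") -> str:
        pan = m.group("pan")
        if not luhn_ok(pan):
            return m.group(0)   # not a card number, leave the text alone
        return mask_pan(pan) + "=****"
    return TRACK2_RE.sub(repl, line)


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every line still holding full track data."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_track2(line)
        if rec is not None:
            hits.append((n, mask_pan(rec.pan)))
    return hits


# Constructed sample store log; the PANs are well-known test numbers.
LOG_LINES = [
    "2005-12-12 10:01:07 store=0412 lane=3 auth ok amt=49.99 track2=;4111111111111111=08121010000000000?",
    "2005-12-12 10:01:09 store=0412 lane=3 settlement batch=1887 count=42",
    "2005-12-12 10:02:44 store=0412 lane=1 decline amt=12.00 track2=5500000000000004=0906101",
    "2005-12-12 10:03:15 store=0412 lane=2 auth ok amt=8.50 pan=411111******1111",
]

if __name__ == "__main__":
    for n, masked in scan_log(LOG_LINES):
        print(f"line {n}: full track data for PAN {masked}")
    for line in LOG_LINES:
        print(mask_track2(line))
```

Running the scanner over a log directory is the check a processor's assessor would want before signing off that track data is no longer stored; running the masker at the point where the log line is written is the fix. The regex is deliberately permissive, so the Luhn check does the work of rejecting batch numbers and timestamps that happen to be followed by an "=".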

That meeting was apparently in response to a Nov. 23, 2005, E-mail from Butka where he wrote: "My understanding (is that) we can be PCI-compliant without the planned FY’07 upgrade to WPA technology for encryption because most of our stores do not have WPA capability without some changes. WPA is clearly best practice and may ultimately become a requirement for PCI compliance sometime in the future."

The CIO then wrote about money-saving options. "I think we have an opportunity to defer some spending from FY’07’s budget by removing the money for the WPA Upgrade, but would want us all to agree that the risks are small or negligible," he wrote. "Should we consider an alternative approach? Upgrade one division—one of the smaller ones—and save most of the money while getting a better handle on the benefits of WPA. Or maybe alternative #2 would be to do some of our larger stores–because I think the WPA capability call is a store-by-store decision—to provide better protection where we need it most. Opinions?"

Lou Julian replied to Butka’s comments in a Nov. 23 E-mail: "Saving money and being PCI-compliant is important to us, but equally important is protecting ourselves against intruders. Even though we have some breathing room with PCI, we are still vulnerable with WEP as our security key. It must be a risk we are willing to take for the sake of saving money and hoping we do not get compromised."
