Nov. 30, 2007 Visa and TJX Statement

Written by Evan Schuman
November 30th, 2007

November 30, 2007 10:32 AM Eastern Time
Visa and TJX Agree to Provide U.S. Issuers up to $40.9 Million for Data Breach Claims
U.S. Visa Issuers Eligible to Participate in Speedy, Alternative Recovery Program
SAN FRANCISCO–(BUSINESS WIRE)–Visa Inc. announced today it has negotiated an agreement with The TJX Companies, Inc. (TJX) and its U.S. acquirer to offer an alternative recovery program to U.S. issuers that may have been affected by the retailer’s previously announced unauthorized computer intrusion(s). The retailer will pay up to $40.9 million to fund the program, which requires a certain level of participation by issuers for the offer to be finalized. Visa is supporting the program and presenting the optional offering to eligible issuers.
"We believe issuers will benefit greatly by participating in this program because it offers immediate recovery on their data breach claims," said Ellen Richey, head of global risk management for Visa Inc. "This agreement demonstrates the importance of retailers and the payment card industry working together to protect cardholder data. Additionally, it’s clear the impact of a data compromise harms all payment system stakeholders — merchants, banks and consumers alike. We hope one outcome of this resolution is recognition that a greater investment in security is good business."
The agreement, which is contingent upon acceptance by financial institutions representing 80 percent of the eligible U.S. Visa accounts affected by the data compromise, also includes mutual releases by TJX, its U.S. acquirer and Visa related to the retailer’s data compromise. All U.S. Visa card issuers that experienced counterfeit fraud losses on accounts that were used at TJX’s U.S. stores during certain time periods identified by Visa or that had operational expenses related to the accounts involved in the TJX breach and flagged by Visa will be eligible to receive some financial recovery this calendar year if they participate in the optional program. Participation in the optional alternative recovery supplants any other recoveries that may be available to U.S. issuers and requires accepting issuers to release TJX and its U.S. acquirers from legal and financial liability. The recovery program does not cover Visa card transactions involving accounts of non-U.S. issuers or Visa card transactions involved in the computer intrusion that were acquired by non-U.S. acquirers.
Additionally, Visa will suspend and rescind a portion of the data breach fines it levied on the retailer’s U.S. acquirer that remain eligible for appeal in accordance with Visa rules. Visa and TJX agreed to the suspended and rescinded fines in part because it would increase the funds available in the alternative recovery program.
Visa will be notifying all eligible issuers in the coming days with details about the optional settlement and how to participate. In order to facilitate payment in December, eligible issuers will have approximately 10 business days from the date of the communication to opt-in to the program before it expires.
Helping financial institutions reduce data compromise related costs after a data compromise has been a long-standing component of Visa’s comprehensive security strategy, as is preventing fraud, innovating new security technologies and driving PCI DSS compliance among U.S. merchants. Visa launched a streamlined recovery program in October 2006 called Account Data Compromise Recovery (ADCR) that provides automatic reimbursement to U.S. issuers for incremental counterfeit fraud losses from the theft of improperly stored card information. ADCR was an improvement over the industry’s traditional compliance recovery process, which placed an administrative burden on financial institutions. It is expected that financial institutions will receive greater reimbursement by opting into the TJX settlement than they would have received under the traditional or ADCR programs.
Additionally, Visa has led the industry in driving merchant compliance with the Payment Card Industry Data Security Standard (PCI DSS). In less than 18 months, Visa has been able to drive compliance among the largest U.S. merchants from about 12 percent in March 2006 to 66 percent in October 2007 through a multi-tiered strategy of fines, incentives and education.
"We’ve made steady progress in accelerating merchant compliance with PCI standards to protect cardholder information and reduce the cost and impact of fraud," remarked Richey. "Security is a shared responsibility and this progress demonstrates that many of the largest participants in the system understand their role and responsibility for protecting this information."
Visa was the first payments brand to focus compliance efforts against the harmful practice of storing sensitive data. As of today, Visa has verified that 99 percent of Level 1 and 2 U.S. merchants are not storing prohibited account data such as magnetic stripe data (also known as track data), CVV2 (the security code on the back of the card) and PIN data, and has been working with the remaining handful of outstanding merchants to eliminate this practice.
Visa has also been actively encouraging smaller merchants to become compliant with the PCI DSS. In May 2007, Visa announced requirements for U.S. acquirers to identify security risks among their small merchant customers and developed an educational program to raise their awareness and understanding of the PCI DSS. Since Visa announced the requirement, 100 percent of active U.S. acquirers have submitted plans to Visa.
Education is a critical component of increasing merchant compliance with the PCI DSS. Visa’s online education center at offers a series of webinars and security alerts that will help a merchant better understand the PCI DSS and the validation requirements.
Note to editors:
About Visa: Visa operates the world’s largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world and Visa/PLUS is one of the world’s largest global ATM networks, offering cash access in local currency in more than 170 countries. For more information, visit
Forward-Looking Statements: This press release contains forward-looking statements. These statements may be identified by the use of words such as "will," "believes," "anticipates," "intends," "estimates," "expects," "projects," "plans" or similar expressions. Such forward-looking statements include, without limitation, statements about the agreement with TJX, strategy, future operations, prospects, plans and objectives of management and events or developments that we expect or anticipate will occur. The forward-looking statements reflect Visa’s current views and assumptions and are subject to risks and uncertainties, which may cause actual and future results and trends to differ materially from the forward-looking statements, including but not limited to Visa’s ability to achieve its strategic objectives and the expected goals of the agreement with TJX; general market conditions; the outcome of legal proceedings; uncertainties inherent in operating internationally; and the impact of law and regulations. Many of these factors are beyond Visa’s ability to control or predict. Given these factors, you should not place undue reliance on the forward-looking statements.

