The $40.9 million settlement will fund payments to banks that issue Visa payment cards and were affected by the massive breach that is widely believed to have begun in 2005. Institutions that accept that agreement will be paid by Dec. 27.
The incident affected upwards of 94 million accounts, according to court filings. TJX has admitted that 45.7 million credit card numbers were exposed to hackers.
“At TJX, we have learned a great deal about the risks of cyberattacks and have responded aggressively to take our own security to even higher levels,” Carol Meyrowitz, TJX president and CEO, said in a news release. “We also have learned about the heightened security risks that exist across the entire U.S. retail and banking industries as a result of today's high-tech criminals.”
Last month, Visa doled out $880,000 in fines to Fifth Third Bank for not following proper security guidelines in relation to the Payment Card Industry Data Security Standard (PCI DSS).
Diana Kelley, Burton Group analyst, told SCMagazineUS.com today that the settlement may have been a bargain for TJX.
“I'm surprised that it was that low, because they initially said it was 45.6 million affected accounts and Visa had it at a possible 90 million accounts,” she said.
TJX contracted with Cincinnati-based Fifth Third to process most of its credit card transactions.
Framingham, Mass.-based TJX agreed in September to provide customers with a three-day sale and vouchers to put an end to a number of class-action lawsuits.
Mary Monahan, partner and analyst at Javelin Strategy and Research, told SCMagazineUS.com today that she was pleased to see the two sides come to an agreement.
“I thought it was great. I thought it showed that Visa and TJX and all the merchants are starting to work together finally,” she said. “It's what we've been waiting for. Basically, TJX has become a symbol of PCI compliance and a lot of companies don't want to become the next TJX. That's one thing driving PCI compliance.”