Visa has doled out some $880,000 in fines to a Cincinnati-based acquiring bank that retail chain TJX contracted with to process most of its credit card transactions.
Fifth Third Bank was not following proper security guidelines related to the Payment Card Industry Data Security Standard (PCI DSS), according to court filings from a group of banking associations suing TJX over the breach.
TJX likely will bear the financial burden because, in most cases, the acquiring bank passes the fine down to the offending retailer.
A spokeswoman for Fifth Third, which has been named in the lawsuit brought by the banks against TJX, declined to comment because of the pending litigation. A Visa spokesman also declined comment.
The Framingham, Mass.-based parent of Marshalls and T.J. Maxx, admitted in January that some 45.7 million credit card numbers were exposed to hackers.
Last week, the filing stated that 94 million accounts were actually compromised. TJX disputes those findings and has said that 95 percent of the card numbers were expired when the breach was revealed.
The fines, according to an official letter from a Visa executive to Fifth Third, would be distributed in two parts.
One fine, for $500,000, was assessed "due to the seriousness of this security incident and the impact on the Visa system," according to a Boston Globe report today. The other fine, for $380,000, was assessed for "TJX's failure to cease storing prohibited data."
Visa announced last week that it has begun fining level-one merchants — those who process more than six million credit card transactions each year — $25,000 per month if they fail to comply with the PCI standard.
Liz Oesterle, government relations counsel for the National Retail Federation, an industry lobby that represents 1.6 million stores, said TJX also faces additional penalties from the payment brands related to fraud and card reissuing costs.
"TJX is going to get a big, fat bill from Visa and MasterCard," she told SCMagazineUS.com today.