Business your connection to The Boston Globe

TJX meets credit card security rules

TJX Cos. now meets credit card security rules, a company spokeswoman said yesterday, putting the Framingham retailer among a growing number of companies catching up with a Sept. 30 deadline to tighten how they handle consumer information.

Credit card security compliance by the nation's largest companies has risen sharply this year amid growing scrutiny of hackings such as the one that took place through last year at TJX, parent of the TJ Maxx and Marshalls chains. Court papers this week showed the intrusion affected more than 94 million credit and debit card accounts.

In those same court filings, a security specialist for a banking group suing TJX cited a review that found the company had met just three of twelve standards that outline how merchants should store and handle credit card data.

Many other merchants also have been lax this year, and in the wake of the breach, Visa has boosted its efforts to fix that by issuing fines when merchants miss deadlines.

In a court filing Oct. 25, the banking plaintiffs state Visa "has issued a substantial fine in connection with the TJX data breach finding it to be an 'egregious violation' of the applicable security standards."

MasterCard also issued fines, the filing states, and mentions a report from 2004, before the breach, that warned TJX of the risks it faced.

Spokesmen for the card companies said they wouldn't comment on dealings with TJX, and a spokeswoman for the retailer said the company wouldn't discuss matters in litigation. Generally card networks fine the banks that merchants use to process credit card transactions, which in the case of TJX would involve Fifth Third Bank in Ohio. A spokeswoman there did not return a call.

This week Visa said 65 percent of merchants met the industry's "data security standard," up from 44 percent the last time Visa released such figures Aug. 31. The figure still means around 100 of the largest merchants haven't passed the standards, however, which describe technical details on how companies must process and store information.

The figures apply to the roughly 350 US merchants who process more than 6 million transactions a year. Among those who process between 1 million and 6 million transactions, compliance rose to 43 percent as of Sept. 30, up from 15 percent at the end of December.

Visa has declined numerous requests for interviews with security executives. In a statement Visa senior vice president Michael E. Smith said the figures showed Visa is "making steady progress in accelerating merchant compliance."

Security specialists say many companies haven't focused on meeting the standards in the past partly because card companies and banks won't publicly identify which firms complied. Retailers also complain the financial companies have been more interested in collecting fees from merchants than upgrading security.

Card numbers traced to the breach at TJX have been connected to unauthorized purchases worldwide, but no one to date has been charged with the intrusion. On Wednesday, TJX said of the roughly 45.7 million cards that were compromised, more than 95 percent had expired by the time it discovered the breach last year.

Ross Kerber can be reached at

More from



Read previous Globe coverage of the TJX security breach at