boston.com Business your connection to The Boston Globe

Visa fines bank after losses in TJX breach

Visa USA issued $880,000 in penalties against a bank that processed transactions for TJX Cos., after an investigation of a computer hacking incident at the retailer.

The figure is described in court filings that recently have painted a clearer picture of the consequences for TJX of Framingham after its data network was breached by an unknown intruder operating through last year.

TJX, the parent of such stores as TJ Maxx and Marshalls, faces claims from banks that reissued cards in the wake of the breach that it failed to maintain adequate computer security.

At the same time, TJX struck back in its own recent filing, denying the main allegations and faulting banks for failing to press for tougher card-security standards, mirroring complaints by other retailers.

"The compromise presents a substantial risk to Visa and its members," states a June 22 letter from Visa, marked "highly confidential." The letter, now an exhibit in the case, is signed by a vice president of Visa, the biggest payment card network, and written to Fifth Third Bank in Cincinnati, which is also being sued. Both the letter and the TJX response were made public late Friday on the electronic docket system for Federal District Court in Boston.

In another filing the same day, a Visa security official stated the incident amounted to "the largest data breach in the payment card industry," at least double the size of any in the past. Last week a filing put the number of affected accounts at more than 94 million, according to card networks, twice the figure of at least 45.7 million TJX had given in the past. Ninety-five percent of those numbers had expired by the time the breach was discovered late last year, TJX has said.

A Visa spokesman yesterday said he couldn't immediately comment. A spokesman for Fifth Third did not return messages yesterday afternoon.

TJX spokeswoman Sherry Lang said the fines are being appealed and noted TJX's own filing on Friday that denies wrongdoing. Among other things, it states that the plaintiffs themselves were at fault because as members of the Visa and MasterCard networks they failed to press them to implement security measures such as computer chips and personal identification numbers to reduce fraud. Any losses would be offset by credit card profits, the filing states. It also notes a judge has dismissed a negligence claim in the case.

Card companies have struggled to increase the focus on security standards among banks and merchants.

On Friday, Lang said the company now complies with the data security standards.

Visa can levy fines when merchants don't meet the rules, but they generally are imposed on the banks that process transactions. Fifth Third could potentially pass the fine on to TJX.

According to the Visa official's letter, the investigation found Fifth Third itself wasn't following certain security rules that the bank and its merchants must meet.

The fine was determined in two parts. First, Visa assessed what it called an "egregious fine" of $500,000, "due to the seriousness of this security incident and the impact on the Visa system."

In addition, Visa levied fines totaling $380,000, retroactive to October 2006, for what it called "TJX's failure to cease storing prohibited data" by Sept. 30, 2006. This apparently is a reference to stored customer credit card numbers that were later compromised in the intrusion.

Ross Kerber can be reached at kerber@globe.com.
