Banking Group Accuses TJX Of Improperly Retaining Personal Data

Two days after confirming that driver's license data was intercepted during a major intrusion last month, TJX officials have been directly accused of retaining "unnecessary" personal data, possibly in violation of PCI rules.

"We think it's a little odd that (TJX) would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary," said Daniel J. Forte, president of the Massachusetts Bankers Association. Forte's group is lobbying for a state law change that would force retailers who are recklessly lax in their security procedures to pay for the cost of repairs.

"When a bank must issue new cards due to a retailer's data breach, it can add up to a significant expense considering that thousands of cards could be involved. MasterCard, and now Visa, has in place a process for banks to make claims for the cost of re-issuing cards. However, there is no guarantee that the full amount will be reimbursed," Forte said. "Additionally, there is the fraud issue. If a fraud does take place, MasterCard and Visa have a zero liability policy in place for the benefit of consumers, which is good. However, the cost is borne by the bank even if the retailer is responsible for a major violation of the card association rules resulting in fraud. Does this make sense?"