MasterCard Confirming TJX Was Not PCI Compliant

MasterCard has now confirmed that TJX had not been compliant with PCI rules at the time of its massive data breach, according to an employee of a MasterCard PR agency.

Specifically, the agency person said that MasterCard has now "confirmed that TJX's acquiring bank had identified them as not yet compliant." This follows a report Monday from, which added that MasterCard "understands that TJX was actively working toward compliance." The story suggested--and the MasterCard source confirmed--that the acquirer was Cincinnati, Ohio-based Fifth Third Processing Solutions, which is apparently TJX's sole acquirer in the U.S..

The suggestion that TJX had not been PCI-compliant at the time of the breach is hardly news--with widespread reports raising questions about both inadedquate encryption and improper data retention--but MasterCard publicly confirming it is is unusual.