MasterCard has now confirmed that TJX had not been compliant with PCI rules at the time of its massive data breach, according to an employee of a MasterCard PR agency.
Specifically, the agency person said that MasterCard has now "confirmed that TJX's acquiring bank had identified them as not yet compliant." This follows a report Monday from ePayNews.com, which added that MasterCard "understands that TJX was actively working toward compliance." The story suggested--and the MasterCard source confirmed--that the acquirer was Cincinnati, Ohio-based Fifth Third Processing Solutions, which is apparently TJX's sole acquirer in the U.S..
The suggestion that TJX had not been PCI-compliant at the time of the breach is hardly news--with widespread reports raising questions about both inadedquate encryption and improper data retention--but MasterCard publicly confirming it is is unusual.