Nov. 30, 2007 Visa and TJX Statement

November 30, 2007 10:32 AM Eastern Time
Visa and TJX Agree to Provide U.S. Issuers up to $40.9 Million for Data Breach Claims
U.S. Visa Issuers Eligible to Participate in Speedy, Alternative Recovery Program
SAN FRANCISCO--(BUSINESS WIRE)--Visa Inc. announced today it has negotiated an agreement with The TJX Companies, Inc. (TJX) and its U.S. acquirer to offer an alternative recovery program to U.S. issuers that may have been affected by the retailer's previously announced unauthorized computer intrusion(s). The retailer will pay up to $40.9 million to fund the program, which requires a certain level of participation by issuers for the offer to be finalized. Visa is supporting the program and presenting the optional offering to eligible issuers.
"We believe issuers will benefit greatly by participating in this program because it offers immediate recovery on their data breach claims," said Ellen Richey, head of global risk management for Visa Inc. "This agreement demonstrates the importance of retailers and the payment card industry working together to protect cardholder data. Additionally, it's clear the impact of a data compromise harms all payment system stakeholders -- merchants, banks and consumers alike. We hope one outcome of this resolution is recognition that a greater investment in security is good business."
The agreement, which is contingent upon acceptance by financial institutions representing 80 percent of the eligible U.S. Visa accounts affected by the data compromise, also includes mutual releases by TJX, its U.S. acquirer and Visa related to the retailer's data compromise. All U.S. Visa card issuers that experienced counterfeit fraud losses on accounts that were used at TJX's U.S. stores during certain time periods identified by Visa or that had operational expenses related to the accounts involved in the TJX breach and flagged by Visa will be eligible to receive some financial recovery this calendar year if they participate in the optional program. Participation in the optional alternative recovery supplants any other recoveries that may be available to U.S. issuers and requires accepting issuers to release TJX and its U.S. acquirers from legal and financial liability. The recovery program does not cover Visa card transactions involving accounts of non-U.S. issuers or Visa card transactions involved in the computer intrusion that were acquired by non-U.S. acquirers.
Additionally, Visa will suspend and rescind a portion of the data breach fines it levied on the retailer's U.S. acquirer that remain eligible for appeal in accordance with Visa rules. Visa and TJX agreed to the suspended and rescinded fines in part because it would increase the funds available in the alternative recovery program.
Visa will be notifying all eligible issuers in the coming days with details about the optional settlement and how to participate. In order to facilitate payment in December, eligible issuers will have approximately 10 business days from the date of the communication to opt-in to the program before it expires.
Helping financial institutions reduce data compromise related costs after a data compromise has been a long-standing component of Visa's comprehensive security strategy as is preventing fraud, innovating new security technologies and driving PCI DSS compliance among U.S. merchants. Visa launched a streamlined recovery program in October 2006 called Account Data Compromise Recovery (ADCR) ( that provides automatic reimbursement to U.S. issuers for incremental counterfeit fraud losses from the theft of improperly stored card information. ADCR was an improvement over the industry's traditional compliance recovery process, which placed an administrative burden on financial institutions. It is expected that financial institutions will receive greater reimbursement by opting into the TJX settlement than they would have received under the traditional or ADCR programs.
Additionally, Visa has led the industry in driving merchant compliance with the Payment Card Industry Data Security Standard (PCI DSS). In less than 18 months, Visa has been able to drive compliance among the largest U.S. merchants from about 12 percent in March 2006 to 66 percent in October 2007 through a multi-tiered strategy of fines, incentives and education.
"We've made steady progress in accelerating merchant compliance with PCI standards to protect cardholder information and reduce the cost and impact of fraud," remarked Richey. "Security is a shared responsibility and this progress demonstrates that many of the largest participants in the system understand their role and responsibility for protecting this information."
Visa was the first payments brand to focus compliance efforts against the harmful practice of storing sensitive data. As of today, Visa has verified that 99 percent of Level 1 and 2 U.S. merchants are not storing prohibited account data such as magnetic stripe (also known as track data), CVV2 (the security code on the back of the card) and PIN data and has been working with the remaining handful of outstanding merchants to eliminate this practice.
Visa has also been actively encouraging smaller merchants to become compliant with the PCI DSS. In May 2007, Visa announced requirements for U.S. acquirers to identify security risks among their small merchant customers and developed an educational program to raise their awareness and understanding of the PCI DSS. Since Visa announced the requirement, 100 percent of active U.S. acquirers have submitted plans to Visa.
Education is a critical component of increasing merchant compliance with the PCI DSS. Visa's online education center at offers a series of webinars and security alerts that will help a merchant better understand the PCI DSS and the validation requirements.
Note to editors:
About Visa: Visa operates the world's largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world and Visa/PLUS is one of the world's largest global ATM networks, offering cash access in local currency in more than 170 countries. For more information, visit
Forward-Looking Statements: This press release contains forward-looking statements. These statements may be identified by the use of words such as "will," "believes," "anticipates," "intends," "estimates," "expects," "projects," "plans" or similar expressions. Such forward-looking statements include, without limitation, statements about the agreement with TJX, strategy, future operations, prospects, plans and objectives of management and events or developments that we expect or anticipate will occur. The forward-looking statements reflect Visa's current views and assumptions and are subject to risks and uncertainties, which may cause actual and future results and trends to differ materially from the forward-looking statements, including but not limited to Visa's ability to achieve its strategic objectives and the expected goals of the agreement TJX; general market conditions; the outcome of legal proceedings; uncertainties inherent in operating internationally; and the impact of law and regulations. Many of these factors are beyond Visa's ability to control or predict. Given these factors, you should not place undue reliance on the forward-looking statements.