As the class-action lawsuit of various banks against TJX continues, documents and details of TJX's breach are trickling out in a steady flow. The new Visa fine details were contained in a June 22, 2007, letter from Visa's VP for policy compliance, John Aafedt, to Donald Boeding, a senior VP for Fifth Third Bank, the credit card processor for TJX.
Technically, the card company is only allowed to fine the processor, but processors can—and typically do—pass those charges along to the retailers directly.
TJX's data breach is now believed to have impacted between 96 million and 100 million customers, whose credit card information was grabbed by intruders over a multi-year breach.
The Visa fines broke down to a $50,000 penalty for violating Visa's Cardholder Information Security Program (CISP), an "egregious fine" of $500,000 "due to the seriousness of this security incident and the impact on the Visa system," and the rest in retroactive monthly fines, Aafedt wrote.
That June 22 letter also said that the processor would be fined $100,000/month because of TJX's "storage of prohibited data," a fine that Visa said would "continue to be assessed until compliance is obtained. Note that Visa reserves the right to further escalate fines and/or impose additional conditions, up to and including consideration of possible disconnection from the Visa payment system if TJX does not remediate track data storage in a timely manner."
It was not clear from the filed documents whether those additional fines were assessed, whether they continue to be assessed, and whether Visa still considers TJX to be holding that prohibited Track 2 data.
About six weeks before that Visa letter was written, ATW wrote a report for TJX analyzing the breach. That report has yet to be released publicly—and a hearing on whether that report will be made public is pending—but an additional excerpt from the report released Friday said that TJX had still not been in PCI compliance as of when that report was filed on May 1, 2007.
On Saturday, the Boston Globe quoted a TJX spokeswoman as saying on Friday that TJX is now PCI compliant. No details were given.
Also filed on Friday were excerpts from E-mails between TJX CIO Paul Butka and various IT staff, discussing whether—back in 2005—TJX needed to upgrade its wireless security from WEP (Wired Equivalent Privacy) to WPA (Wi-Fi Protected Access). The documents are intended to show that TJX management knew of the risks of not upgrading, but delayed anyway, to save money.
One Dec. 12, 2005, E-mail from TJX's Richard Ferraioli to a group of IT personnel describes a memo they were going to send to CIO Butka, based on a meeting that day: "The absence of rotating keys in WEP means that we truly are not in compliance with the requirements of PCI. This becomes an issue if this fact becomes known and potentially exacerbates any findings should a breach be revealed."
That memo was going to recommend that the chain finish work on the encryption of store logs and the masking of Track 2 information. "This work will protect information at store-level only. This does not extend to covering in-transit information," Ferraioli wrote.
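The "prohibited data" Visa fined TJX for, and the Track 2 masking the memo recommended, both come down to full magnetic-stripe track data ending up in store logs. The following is an added example (not TJX's, Visa's or the court filings' code) of the kind of check a PCI assessor or store IT team would run over such logs: it finds Track 2 strings in the ISO/IEC 7813 layout, confirms the PAN with the Luhn check to cut false positives, and masks them. The log lines and the card number are constructed test values.

```python
import re

# Track 2 layout (ISO/IEC 7813): start sentinel ';', PAN (12-19 digits), separator '=',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; screens out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_track2(line: str):
    """Return (pan, expiry, service_code) for each Luhn-valid Track 2 string in one log line."""
    hits = []
    for m in TRACK2_RE.finditer(line):
        pan, expiry, svc, _disc = m.groups()
        if luhn_ok(pan):
            hits.append((pan, expiry, svc))
    return hits

def mask_track2(line: str) -> str:
    """Replace each Track 2 string with a masked PAN (first six and last four kept,
    the most PCI DSS permits to be shown) and drop expiry, service code and
    discretionary data entirely, since none of them may be stored after authorization."""
    def repl(m):
        pan = m.group(1)
        if not luhn_ok(pan):
            return m.group(0)
        return f"PAN:{pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}"
    return TRACK2_RE.sub(repl, line)

# Constructed sample store log; 4111111111111111 is a widely used test number, not a real card.
SAMPLE_LOG = [
    "2005-12-12 10:31:07 POS07 swipe ;4111111111111111=0812101123456789?",
    "2005-12-12 10:31:09 POS07 auth approved ref=8831",
    "2005-12-12 10:32:44 POS03 swipe ;1234567890123456=0812101?",  # fails Luhn, left alone
]

def scan(lines):
    """Count lines holding prohibited track data and return the masked log."""
    found = sum(1 for l in lines if find_track2(l))
    return found, [mask_track2(l) for l in lines]

if __name__ == "__main__":
    n, masked = scan(SAMPLE_LOG)
    print(f"{n} line(s) with stored Track 2 data")
    print("\n".join(masked))
```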
That meeting was apparently in response to a Nov. 23, 2005, E-mail from Butka where he wrote: "My understanding (is that) we can be PCI-compliant without the planned FY'07 upgrade to WPA technology for encryption because most of our stores do not have WPA capability without some changes. WPA is clearly best practice and may ultimately become a requirement for PCI compliance sometime in the future."
The CIO then wrote about money-saving options. "I think we have an opportunity to defer some spending from FY'07's budget by removing the money for the WPA Upgrade, but would want us all to agree that the risks are small or negligible," he wrote. "Should we consider an alternative approach? Upgrade one division—one of the smaller ones—and save most of the money while getting a better handle on the benefits of WPA. Or maybe alternative #2 would be to do some of our larger stores—because I think the WPA capability call is a store-by-store decision—to provide better protection where we need it most. Opinions?"
Lou Julian replied to Butka's comments in a Nov. 23 E-mail: "Saving money and being PCI-compliant is important to us, but equally important is protecting ourselves against intruders. Even though we have some breathing room with PCI, we are still vulnerable with WEP as our security key. It must be a risk we are willing to take for the sake of saving money and hoping we do not get compromised."