Further Complicating Matters
Batchelder also asked whether the many changes and vagaries surrounding the PCI (Payment Card Industry) Data Security Standard didn't further complicate matters. "As you can imagine, TJX has been accepting credit cards and debit cards for a long time, well before this case came about," he said. "And when they made that decision [to accept credit and debit cards], there were no PCI standards, there were no rules and regulations as to how you store data or not store data and so forth. Those have all come out recently." The PCI Council will "say you're going to have to move to this standard by such and such a date. And so there's this entire period of time when there's a standard out there, but you don't have to comply with it until Visa or MasterCard says you have to comply with it."
"They talk about 80 percent of banks have [reissued cards]. They have the same survey, which they cite twice, that has 90 banks responding to it. That's it. And those 90 banks, they're not at all representative of the banks out there in the country. The largest issuers, it's well-known they do not automatically reissue. It wouldn't make any economic sense for them to automatically reissue," Batchelder said. "What they do is monitor and select reissuance if they see fraud because they've got sophisticated fraud monitoring. These plaintiffs didn't have that, so they just went out and reissued."
One of the attorneys for TJX card processor Fifth Third Bank, Breck Weigel, argued that the fraud accusation comes down to a legal issue of reliance. Reliance is where a company, such as the banks suing TJX, made business decisions that relied on the truthfulness and completeness of TJX statements. In this case, he said, it's unlikely anyone would have believed those representations given what industry officials were saying at the time.
He specifically cited an instance involving retailers storing Track 2 data, which is magnetic stripe information that is not supposed to be retained by any retailer. "There is substantial evidence in this record that there was no reliance. We have a very broad record here, a number of depositions of these issuing banks. They attended meetings where Visa and MasterCard specifically pointed out to them there are merchants out there storing Track 2 data. Visa and MasterCard specifically pointed out to them there are a number of merchants who are not PCI-compliant," Weigel said. "So not only do we have the name plaintiffs in this case who attended these meetings and would not have relied upon any authorization, security assurance as we call it, but obviously large financial institutions who are on the board of directors of Visa and MasterCard, certainly they are not relying upon issuing banks or acquiring banks or merchants as to some authorization. That just simply doesn't exist."
He also argued that a key issue of the case will be next to impossible to prove: establishing that frauds requiring the card reissuances, and the associated costs, were directly and specifically related to TJX's breach. Given that almost 1 percent of all credit card transactions involve some sort of fraud, Weigel said, there would have been a healthy number of fraudulent issues during that time period anyway. "The point is there have been a number of high-profile credit card compromises. TJX is not the first, and it's not going to be the last. We have Ralph Lauren Polo, we have DSW, we have BJ's here," he said.
Another issue that cropped up a few times in the arguments is whether most banks automatically reissued credit cards when they learned of the data breach. Attorneys representing some of the banks that are suing TJX said they did and that most banks would have reissued. Batchelder disagreed.