VISA Fined TJX Processor for Security Breach

Court documents disclose that Visa fined TJX's card processor $880,000 because of massive data security violations.

Visa fined TJXs card processor $880,000 last summer, and said it would continue to fine the retailers card processor $100,000/month, for TJXs role in the worst data breach in the payment industrys history, according to documents filed in federal court Oct. 26.

As the class-action lawsuit by various banks against TJX continues, documents and details of TJXs breach are trickling out in a steady flow. The new Visa fine details were contained in a June 22, 2007 letter from Visas vice president for policy compliance, John Aafedt, to Donald Boeding, a senior vice president for Fifth Third Bank, the credit card processor for TJX.

Technically, the card company is only allowed to fine the processor, but processors can, and typically do, pass those charges along to the retailers directly.

The Visa fines broke down to a $50,000 penalty for violating Visas Cardholder Information Security Program (CISP), an "egregious fine" of $500,000 "due to the seriousness of this security incident and the impact on the Visa system and the rest in retroactive monthly fines.

That June 22 letter also said that the processor would be fined $100,000/month because of TJXs "storage of prohibited data," a fine that Visa said would "continue to be assessed until compliance is obtained. Note that Visa reserves the right to further escalate fines and/or impose additional conditions, up to and including consideration of possible disconnection from the Visa payment system if TJX does not remediate track data storage in a timely manner."


Click here to read more about how an intruder was able to steal 80GB of customer data without detection.

It was not clear from filed documents whether those additional fines were assessed, whether they continue to be assessed and whether Visa still considers TJX to be holding that prohibited Track 2 data.

About six weeks before that Visa letter was written, ATW wrote a report for TJX analyzing the breach. That report has yet to be released publicly—and a hearing on whether that report will be made public is pending—but an additional excerpt from the report released Oct. 26 said that TJX had still been in PCI violation as of when that report was filed on May 1, 2007.

On Oct. 27, The Boston Globe quoted a TJX spokesperson as saying on Oct. 26 that TJX is now PCI compliant. No details were given.

Also filed on Oct. 26 were excerpts from e-mails between TJX CIO Paul Butka and various IT staff, discussing back in 2005 whether TJX needed to upgrade its wireless security from WEP (Wired Equivalent Privacy) to WPA (Wi-Fi Protected Access). The documents are intended to show that TJK management knew of the risks of not upgrading, but delayed anyway, to save money.

One e-mail on Dec. 12, 2005 between TJXs Richard Ferraioli and a group of IT personnel describes a memo they were going to be sending to CIO Butka, based on a meeting that day: "The absence of rotating keys in WEP means that we truly are not in compliance with the requirements of PCI. This becomes an issue if this fact becomes known and potentially exacerbates any findings should a breach be revealed."


The size of the TJX data loss keeps growing. Read more here.

That memo was going to recommend that the chain finish work on the encryption of store logs and the masking of Track 2 information. "This work will protect information at store-level only. This does not extend to covering in-transit information," Ferraioli wrote.

That meeting was apparently in response to a Nov. 23, 2005 e-mail from Butka where he wrote: "My understanding [is that] we can be PCI-compliant without the planned FY07 upgrade to WPA technology for encryption because most of our stores do not have WPA capability without some changes. WPA is clearly best practice and may ultimately become a requirement for PCI compliance sometime in the future."

The CIO then wrote about money saving options. "I think we have an opportunity to defer some spending from FY07s budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible," Butka wrote.

"Should we consider an alternative approach? Upgrade one division, one of the smaller ones, and save most of the money while getting a better handle on the benefits of WPA. Or maybe alternative #2 would be to do some of our larger stores—because I think the WPA capability call is a store-by-store decision, to provide better protection where we need it most. Opinions?"

Lou Julian, a TJX IT staff member, replied to Butkas comments in a Nov. 23 e-mail: "Saving money and being PCI-compliant is important to us, but equally important is protecting ourselves against intruders. Even though we have some breathing room with PCI, we are still vulnerable with WEP as our security key. It must be a risk we are willing to take for the sake of saving money and hoping we do not get compromised."

Retail Center Editor Evan Schuman can be reached at [email protected].

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.