Visa Gave TJX Until 2009 to Get PCI Compliant

Visa allowed TJX to remain non-compliant even though the credit card company knew about major security problems.

Credit card company Visa knew in late 2005 of the extensive security problems at TJX, but decided to give the retailer permission to remain non-compliant through Dec. 31, 2008, according to documents filed in federal court on Nov. 8.

The Dec. 29, 2005, letter from Joseph Majka, a fraud control vice president for Visa, was written months after cyber-thieves had already secretly infiltrated TJX's systems, starting the work that would ultimately become the worst data breach in credit card history.

Majka wrote the letter to Diana Greenshaw, an official with TJX's credit card processor, Fifth Third Bank. "Visa will suspend fines until Dec. 31, 2008, provided your merchant continues to diligently pursue remediation efforts. This suspension hinges upon Visa's receipt of an update by June 30, 2006, confirming completion of stated milestones."

The letter regarding TJX ended with this ironic-in-hindsight line: "I appreciate your continued support and commitment to safeguarding the payment industry."

Apparently, Visa didn't consider TJX's later efforts to be "diligently" pursuing remediation efforts because Visa issued $880,000 in fines to Fifth Third Bank, regarding TJX, in the summer of 2007.

Retail Center Editor Evan Schuman can be reached at
