TJX to pay up to $40.9 million in settlement with Visa over data breach

Published: Monday, Dec. 3 2007 12:04 a.m. MST

BOSTON — Discount retailer TJX Cos. could pay as much as $40.9 million in a settlement with Visa Inc. and the bank that processes the retailer's credit card payments over a massive breach of customers' card data — a deal that hinges on banks agreeing to participate and doesn't include other card networks like MasterCard.

Friday's agreement also doesn't resolve a lawsuit by a group of mostly small banks that suffered an unrelated setback in court Thursday against TJX and its payment processor, Fifth Third Bancorp.

The maximum $40.9 million that TJX would pay in the settlement would help U.S. Visa card issuers such as banks recover expenses to replace customers' payment cards, which typically costs around $20 per card.

Issuers of at least 80 percent of eligible Visa cards must accept the offer by Dec. 19 for the settlement to take effect, said Framingham, Mass.-based TJX, owner of about 2,500 stores including T.J. Maxx and Marshalls. By taking part, the banks agree to waive rights to sue TJX and Fifth Third, in exchange for being paid for their breach-related costs by Dec. 27.

The agreement with Visa, the nation's largest credit card network, doesn't include other card associations. A spokesman for the No. 2 network, MasterCard, declined to comment on whether it may seek a similar agreement.

Avivah Litan, a security analyst with Gartner Inc., said the potential $40.9 million from TJX is likely higher than the breach-related costs the banks suffered involving Visa cards, based on a recent Gartner survey examining how many TJX customers received reissued cards. She said credit card networks generally reimburse banks for fraudulent purchases, leaving banks saddled with card replacement and other customer service expenses.

"I think in the end, the banks came out ahead, although it was a lot of pain," Litan said.

After initially disclosing the data heist in January, TJX said in March that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems that began in July 2005. But the breach wasn't detected until December 2006.

Recent court filings by the small banks suing TJX put the number of cards affected at more than 100 million, based on estimates by officials with Visa and MasterCard, who were deposed in the lawsuit. It's believed to be the largest data breach ever, based on the number of customer records involved.

TJX and Cincinnati-based Fifth Third separately issued statements saying Friday's settlement would provide a fair resolution with banks that agree to participate. Visa said the agreement offers banks "immediate recovery on their data breach claims."
