BOSTON - Discount retailer TJX Cos. could pay as much as $40.9 million in a settlement with Visa Inc. and the bank that processes the retailer's credit card payments over a massive breach of customers' card data, a deal that hinges on banks agreeing to participate and doesn't include other card networks like MasterCard.
Friday's agreement also doesn't resolve a lawsuit by a group of mostly small banks that suffered an unrelated setback in court Thursday against TJX and its payment processor, Fifth Third Bancorp.
The maximum $40.9 million that TJX would pay in the settlement would help U.S. Visa card issuers such as banks recover expenses to replace customers' payment cards, which typically costs around $20 per card.
Issuers of at least 80 percent of eligible Visa cards must accept the offer by Dec. 19 for the settlement to take effect, said Framingham, Mass.-based TJX, owner of about 2,500 stores including T.J. Maxx and Marshalls. By taking part, the banks agree to waive rights to sue TJX and Fifth Third, in exchange for being paid for their breach-related costs by Dec. 27.
The agreement with Visa, the nation's largest credit card network, doesn't include other card associations. A spokesman for the No. 2 network, MasterCard, declined to comment on whether it may seek a similar agreement.
Avivah Litan, a security analyst with Gartner Inc., said the potential $40.9 million from TJX is likely higher than the breach-related costs the banks suffered involving Visa cards, based on a recent Gartner survey examining how many TJX customers received reissued cards. She said credit card networks generally reimburse banks for fraudulent purchases, leaving banks saddled with card replacement and other customer service expenses.
"I think in the end, the banks came out ahead, although it was a lot of pain," Litan said.
After initially disclosing the data heist in January, TJX said in March that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems that began in July 2005. But the breach wasn't detected until December 2006.
Recent court filings by the small banks suing TJX put the number of cards affected at more than 100 million, based on estimates by officials with Visa and MasterCard, who were deposed in the lawsuit. It's believed to be the largest data breach ever, based on the number of customer records involved.
TJX and Cincinnati-based Fifth Third separately issued statements saying Friday's settlement would provide a fair resolution with banks that agree to participate. Visa said the agreement offers banks "immediate recovery on their data breach claims."
Under the settlement, Visa also said it would "suspend and rescind a portion" of fines it levied related to the breach for failure to meet Visa's standards for safeguarding customer data.
Visa and TJX agreed to those moves "in part because it would increase the funds available in the alternative recovery program" for banks, Visa said.
Visa requires merchants to encrypt data and take other security steps, but typically fines the merchants' payment-processing banks rather than the merchants when there are violations. However, the banks can seek to pass on fine costs to the merchant.
Officials with Visa and Fifth Third declined to disclose the amounts of the fines levied in the TJX case. However, a June letter from a Visa vice president that was filed in the small banks' lawsuit described $880,000 in penalties against Fifth Third from alleged violations during the time of the TJX breach.
Friday's agreement also would restore lower "interchange" fees that TJX pays on each Visa card transaction, fees that can increase if a merchant fails to comply with the security rules. TJX also would agree to serve "as a spokesperson in support of the goals" of the card industry's data security rules.
TJX's settlement costs were included in $118 million in charges that TJX recorded in August against its second-quarter earnings.
Separately, a federal judge in Boston ruled late Thursday that several banks cannot pursue claims against TJX and Fifth Third as a class. The decision by Judge William Young means the banks must individually seek to recover breach-related costs.
A statement by the plaintiff banks in response to the ruling said, "This is only one step in a long, complicated case and we are looking forward to the next hearing date on Dec. 11, when the court will consider important pending motions that we believe are related to class certification. Nothing in the decision discusses or addresses the conduct of TJX."
The case was brought by bank associations in Massachusetts, Connecticut and Maine, as well as five small banks.
In September, TJX reached a separate class-action settlement with consumers that has not yet received court approval.