More than 60 banks have reported compromises of customer accounts as a result of the recent security breach at retail giant TJX Companies, and that figure is expected to grow, according to the Massachusetts Bankers Association.
And in a separate report, Visa alerted financial institutions that TJX had violated the Payment Card Industry's Data Security Standard guidelines, which prohibit long-term storage of credit card data by retailers.
Less than half of the 205 banks in Mass. have reported their findings on the TJX breach, disclosed two weeks ago. (See TJX Breach Skewers Customers, Banks.) Most of the banks reporting in have seen unauthorized account activity on at least some of the credit cards exposed in the breach, according to the MBA.
The banks are still contacting TJX customers, and in some cases, are canceling customer accounts and re-issuing cards, according to Daniel Forte, CEO and president of the MBA. The number of banks affected is "likely to grow higher," the MBA says, as many of them haven't been able to report "because the situation is such a moving target."
Officials at TJX still aren't saying how the breach occurred, but according to an alert sent Jan. 15 via the Visa Compromised Account Management System, the retailer had stored credit card data dating back to 2003. PCI rules, which are set and enforced by the credit card companies, state that merchants cannot store data for long periods.
The banks are absorbing most of the punishment resulting from the breach. It is the banks, not TJX, which are reimbursing customers for the account thefts, and it is the banks, not TJX, which could be subject to fines for doing business with a merchant that does not comply with PCI.
The banks are responding by asking for swifter action by legislators and credit card companies to require swift disclosure of breaches among retail merchants. "By not disclosing which firm caused the breach, or quickly disclosing it, consumers are needlessly troubled," Forte says.
Tim Wilson, Site Editor, Dark Reading