Visa Extended TJX's Compliance Deadline Knowing Problems Existed
While Level 1 and 2 merchants are still scrambling to show compliance with the PCI Data Security Standard, TJX's Federal Court hearing shows that Visa provided the retailer a compliance "pass" to 2009 in spite of known security issues.
According to eWeek, "credit card company Visa knew in late 2005 of the extensive security problems at TJX, but decided to give the retailer permission to remain non-compliant through Dec. 31, 2008, according to documents filed in federal court on Nov. 8."
Joseph Majka, a fraud control vice president for Visa, wrote the letter to Diana Greenshaw, an official with TJX's credit card processor, Fifth Third Bank. "Visa will suspend fines until Dec. 31, 2008, provided your merchant continues to diligently pursue remediation efforts. This suspension hinges upon Visa's receipt of an update by June 30, 2006, confirming completion of stated milestones."
Apparently, according to the article by Evan Schuman, "Visa didn't consider TJX's later efforts to be "diligently" pursuing remediation efforts because Visa issued $880,000 in fines to Fifth Third Bank—regarding TJX— in the summer of 2007. "
TJX certainly has borne the brunt of the bad press since their monumental breach was announced back in the beginning of 2007. But, with news like Visa's apparent leniency towards TJX now coming out, it appears that the blame doesn't entirely rest with TJX alone. It is unconscionable that Visa, knowing full well that TJX had serious security weaknesses, would seemingly grant them "compliance clemency."
Oh, and I wonder what Fifth Third Bank did with that $800,000 bill this summer?
Contributed by Mark Tordoff
Comments