Card issuers at Cards&Payments press time were reviewing how to react to a major card-data breach made public in mid-January. But it clearly was another security blow to the payments industry, reportedly affecting millions of credit and signature-debit cards.
TJX Cos., which owns 2,300 stores operating under T.J. Maxx, Marshalls and other names, discovered the "unauthorized intrusion" into the firm's computer systems in December. TJX, the major card brands and the U.S. Secret Service are investigating the matter.
Transactions dating back to 2003 reportedly were compromised, including the capture of data kept on Track 2 of cards' magnetic stripes. The track includes card numbers, expiration dates, encrypted security codes and other information. PIN-debit cards were not part of the breach, according to sources.
"That's the stuff they steal to make perfect counterfeit cards," says Avivah Litan, an analyst at Gartner Group. "It has the security codes that bind cards to the account holder."
Large and small card issuers were deciding whether to reissue cards. "If we see misuse or potential misuse, we will reissue cards and notify customers," says a BofA spokesperson.
Debit card issuers may not want to reissue cards for all customers, says Jeffrey Trachtman, vice president at Analytic Innovations. He says some customers cut back on using debit cards, or stop using them altogether, after a reissuance.
For those customers, Trachtman says, an issuer can take other steps to minimize the risk of fraud from stolen card data, such as reducing the amount that can be charged to cards that were used at the TJX stores or monitoring those cards more closely. He says it costs an average of $14 for each card reissued.
A Visa spokesperson says only 2% of cards compromised by data breaches historically have been used fraudulently. Overall, Visa says fraud represents 6 cents per $100 spent with its cards.
Fifth Third Bank Processing Solutions confirmed that it is TJX's merchant acquirer and processor in the U.S. Other acquirers serve the retailer elsewhere.
A Fifth Third spokesperson declined to offer further details about the breach or TJX's previous status as compliant or noncompliant with data security rules.
But she says Fifth Third Bank is among issuers who now must decide whether and how widely to reissue its own cards.
(c) 2007 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
Authoritative analysis and perspective for every segment of the payments industry
Authoritative analysis and perspective for every segment of the industry
Have an account? Sign In