Visa and TJX Agree to Provide U.S. Issuers up to $40.9 Million for Data Breach Claims

U.S. Visa Issuers Eligible to Participate in Speedy, AlternativeRecovery ProgramSAN FRANCISCO--(Business Wire)--Visa Inc. announced today it has negotiated an agreement with TheTJX Companies, Inc. (TJX) and its U.S. acquirer to offer analternative recovery program to U.S. issuers that may have beenaffected by the retailer's previously announced unauthorized computerintrusion(s). The retailer will pay up to $40.9 million to fund theprogram, which requires a certain level of participation by issuersfor the offer to be finalized. Visa is supporting the program andpresenting the optional offering to eligible issuers. "We believe issuers will benefit greatly by participating in thisprogram because it offers immediate recovery on their data breachclaims," said Ellen Richey, head of global risk management for VisaInc. "This agreement demonstrates the importance of retailers and thepayment card industry working together to protect cardholder data.Additionally, it's clear the impact of a data compromise harms allpayment system stakeholders -- merchants, banks and consumers alike.We hope one outcome of this resolution is recognition that a greaterinvestment in security is good business." The agreement, which is contingent upon acceptance by financialinstitutions representing 80 percent of the eligible U.S. Visaaccounts affected by the data compromise, also includes mutualreleases by TJX, its U.S. acquirer and Visa related to the retailer'sdata compromise. All U.S. Visa card issuers that experiencedcounterfeit fraud losses on accounts that were used at TJX's U.S.stores during certain time periods identified by Visa or that hadoperational expenses related to the accounts involved in the TJXbreach and flagged by Visa will be eligible to receive some financialrecovery this calendar year if they participate in the optionalprogram. Participation in the optional alternative recovery supplantsany other recoveries that may be available to U.S. issuers andrequires accepting issuers to release TJX and its U.S. acquirers fromlegal and financial liability. The recovery program does not coverVisa card transactions involving accounts of non-U.S. issuers or Visacard transactions involved in the computer intrusion that wereacquired by non-U.S. acquirers. Additionally, Visa will suspend and rescind a portion of the databreach fines it levied on the retailer's U.S. acquirer that remaineligible for appeal in accordance with Visa rules. Visa and TJX agreedto the suspended and rescinded fines in part because it would increasethe funds available in the alternative recovery program. Visa will be notifying all eligible issuers in the coming dayswith details about the optional settlement and how to participate. Inorder to facilitate payment in December, eligible issuers will haveapproximately 10 business days from the date of the communication toopt-in to the program before it expires. Helping financial institutions reduce data compromise relatedcosts after a data compromise has been a long-standing component ofVisa's comprehensive security strategy as is preventing fraud,innovating new security technologies and driving PCI DSS complianceamong U.S. merchants. Visa launched a streamlined recovery program inOctober 2006 called Account Data Compromise Recovery (ADCR)

(http://corporate.visa.com/md/nr/press631.jsp) that provides automaticreimbursement to U.S. issuers for incremental counterfeit fraud lossesfrom the theft of improperly stored card information. ADCR was animprovement over the industry's traditional compliance recoveryprocess, which placed an administrative burden on financialinstitutions. It is expected that financial institutions will receivegreater reimbursement by opting into the TJX settlement than theywould have received under the traditional or ADCR programs. Additionally, Visa has led the industry in driving merchantcompliance with the Payment Card Industry Data Security Standard (PCIDSS). In less than 18 months, Visa has been able to drive complianceamong the largest U.S. merchants from about 12 percent in March 2006to 66 percent in October 2007 through a multi-tiered strategy offines, incentives and education. "We've made steady progress in accelerating merchant compliancewith PCI standards to protect cardholder information and reduce thecost and impact of fraud," remarked Richey. "Security is a sharedresponsibility and this progress demonstrates that many of the largestparticipants in the system understand their role and responsibilityfor protecting this information." Visa was the first payments brand to focus compliance effortsagainst the harmful practice of storing sensitive data. As of today,Visa has verified that 99 percent of Level 1 and 2 U.S. merchants arenot storing prohibited account data such as magnetic stripe (alsoknown as track data), CVV2 (the security code on the back of the card)and PIN data and has been working with the remaining handful ofoutstanding merchants to eliminate this practice. Visa has also been actively encouraging smaller merchants tobecome compliant with the PCI DSS. In May 2007, Visa announcedrequirements for U.S. acquirers to identify security risks among theirsmall merchant customers and developed an educational program to raisetheir awareness and understanding of the PCI DSS. Since Visa announcedthe requirement, 100 percent of active U.S. acquirers have submittedplans to Visa. Education is a critical component of increasing merchantcompliance with the PCI DSS. Visa's online education center atwww.visa.com/cisp offers a series of webinars and security alerts thatwill help a merchant better understand the PCI DSS and the validationrequirements. Note to editors: About Visa: Visa operates the world's largest retail electronicpayments network providing processing services and payment productplatforms. This includes consumer credit, debit, prepaid andcommercial payments, which are offered under the Visa, Visa Electron,Interlink and PLUS brands. Visa enjoys unsurpassed acceptance aroundthe world and Visa/PLUS is one of the world's largest global ATMnetworks, offering cash access in local currency in more than 170countries. For more information, visit www.visa.com. Forward-Looking Statements: This press release containsforward-looking statements. These statements may be identified by theuse of words such as "will," "believes," "anticipates," "intends,""estimates," "expects," "projects," "plans" or similar expressions.Such forward-looking statements include, without limitation,statements about the agreement with TJX, strategy, future operations,prospects, plans and objectives of management and events ordevelopments that we expect or anticipate will occur. Theforward-looking statements reflect Visa's current views andassumptions and are subject to risks and uncertainties, which maycause actual and future results and trends to differ materially fromthe forward-looking statements, including but not limited to Visa'sability to achieve its strategic objectives and the expected goals ofthe agreement TJX; general market conditions; the outcome of legalproceedings; uncertainties inherent in operating internationally; andthe impact of law and regulations. Many of these factors are beyondVisa's ability to control or predict. Given these factors, you shouldnot place undue reliance on the forward-looking statements.CRC Public RelationsJay Hopkins, (703) 683-5004 x.107Copyright Business Wire 2007