US retailer TJX will pay $40.9 million in a settlement with Visa relating to potential claims stemming from the massive computer security breach at its operations that was disclosed earlier this year.
The retailer will pay up to a maximum of $40.9 million pre-tax in recovery payments to eligible US Visa issuers that were forced to re-issue payment cards following the credit and debit card data breach, in which over 94 million Visa and MasterCard accounts may have been exposed.
At least 80% of the issuers must accept by 19 December for the settlement to finalise. Once the settlement is completed, accepting issuers will be paid by 27 December 27.
In a statement Carol Meyrowitz, TJX president and CEO, says: "This settlement agreement provides a fair resolution of these issues, and we look forward to a high issuer acceptance of the proposal."
The retailer originally revealed on 17 January that the computer system it uses to process and store information related to customer transactions had been hacked, potentially exposing millions of customers' credit and debit card numbers, as well as driver's licence information.
Hackers placed unauthorised software on TJX's computer network and stole at least 100 files containing data on millions of accounts from systems in Framingham, Massachusetts and Watford in the UK.
Debit and credit card data exposed in the breach is thought to have been used to make fraudulent purchases in Florida, Georgia and Louisiana in the US, as well as in Hong Kong and Sweden.
So far no arrests have been made of people suspected to have broken into TJX's systems, although in September the ringleader of a gang that used data stolen during the TJX hacking was sentenced to five years in prison and ordered to pay nearly $600,000 in restitution.