"Okay, merchants should be doing a much better job of protecting their data and that is why there's PCI," Pescatore said. But credit card companies and banks also need to do more to make payment card transactions more secure via measures such as the PIN and chip-based transactions that are already in use in Europe. So far, though, they have been unwilling to make the investments necessary for those kinds of measures and instead appear more keen to go after retailers who already bear a lot of the costs, he said.

"I think this is a reactive piece of legislation," said Cathy Hotka, president of Cathy Hotka and Associates, a retail consultancy in Washington D.C. "I am not sure how persuasive the argument is to punish retailers," when so many others are also involved in a payment card transaction, she said.

Adam Martignetti, chief of staff at Costello's office, said the impetus for the bill comes from growing identity theft concerns spawned by breaches such as the one disclosed by TJX. "This came out of our conversations with the Massachusetts Bankers Association," he said. "We just felt there was a need for an incentive for all people who hold [customer data] to hold it safely and securely with all the right security protocols that are available. If that incentive had to be a financial one, then so be it."

The proposal has been sent to the Consumer Protection Committee, which will hold public hearings and make a recommendation on whether it should be voted on, Martignetti said. Similar legislation was proposed by Costello two years ago, but that bill never made it to the House floor for a vote. This time around, it should get more attention because of the concerns sparked by the TJX incident, he said.