TJX itself has not disclosed specifically what sort of information was compromised. But the company appears to have been storing so-called Track 2 data taken from the magnetic stripe on the back of cards. Track 2 data includes account numbers, expiration dates and encrypted personal identification numbers, plus other information that card-issuing banks can include at their discretion.

The storing of such data by retailers is specifically forbidden under PCI.

Both MasterCard and Visa refused to comment on the MBA reports that the cards compromised in the TJX incident are being fraudulently used.