The TJX breach recalls other recent hacks, including BJ's wholesale club and another, reportedly at OfficeMax in 2005. Those breaches, as well as incidents like the hacking of card processor Card Systems, prompted the payment card industry to issue new rules, dubbed the PCI, about .

However, Spitzer of the MBA said that banks still bore the brunt of security breaches at retailers because they have to pay to reissue cards to customers and absorb the financial losses from unauthorized account withdrawals. Small banks and credit unions often have trouble absorbing those costs, though they are not at fault in the breach itself, Spitzer said.

Spitzer took issue with the delay between the time TJX learned of the breach and when his organization and banks were notified as well as with Visa's policy of keeping the source of the breach a secret.

"We would have liked to know sooner," he said.

MBA is working with state and federal lawmakers to hold card companies and retailers more accountable for the costs of security lapses, he said.