Visa and MasterCard have begun clamping down on the security issue in recent months, issuing a series of hefty fines, according to people familiar with the matter. Last fall, Visa began targeting the nation's largest merchants in particular, with fines that start at $10,000 a month and can rise to $100,000 a month. Visa levied $4.6 million in fines for noncompliance with the security rules last year, up from a 2005 total of $3.4 million. It wasn't immediately clear if Fifth Third and TJX had been fined previously for noncompliance.

Visa and Mastercard have always had rules, but they hadn't ever enforced them. Relying solely on the card associations -- with well-deserved reputations as mere promotional arms of the banks -- is not my first choice to protect consumers. NASD -- the tough independent securities SRO (self-regulatory organization)-- they're not. But this is at least a first step. Next, the bank regulators need to impose fines on a few of the big banks -- something they rarely do (they'll sometimes fine obscure banks) as it would upset other members of their little club. Finally, consumers need greater rights to sue companies that fail to protect our information.