Off-price retailer The TJX Companies Inc has agreed to pay $9.75m to 41 states after hackers breached the company's computer system more than two years ago and stole customer data.

The settlement comes after the states launched investigations into the theft of Visa card details of millions of TJX shoppers.

However, the retailer, which operates the TJ Maxx and Marshalls stores, denies violating any consumer protection or data security laws.

Instead, it says the decision to settle "reflects TJX's desire to concentrate on its core business without distraction and to promote cyber security measures that will benefit all consumers."

Jeffrey Naylor, chief financial and administrative officer, says TJX and the states "have agreed to take leadership roles in exploring new technologies and approaches to solving the systemic problems in the US payment card industry that continue to plague businesses and institutions and that make consumers in the United States worldwide targets for increasing cyber crime."

Of the settlement, $2.5m will be used to establish a new Data Security Fund for use by the states to advance effective data security and technology.

In 2007 TJX reached a US$40.9m settlement with Visa USA Inc and Visa Inc, and in 2008 agreed to pay MasterCard $24m related to the security breach.