The TJX Companies has agreed to a $40.9m settlement with Visa USA Inc and Visa Inc following an unauthorised computer intrusion incident last year when millions of customer records were stolen by hackers.

Under the agreement, TJX will fund recovery payments to US Visa card issuers that may have been affected by the security breach.

TJX has agreed to fund up to a maximum of $40.9m pre-tax in alternative recovery payments.

The settlement is conditional on acceptance by 19 December 2007 by issuers of at least 80% of the eligible Visa payment card accounts.

Carol Meyrowitz, president and CEO of The TJX Companies, said: "We believe this settlement agreement provides a fair resolution of these issues, and look forward to a high issuer acceptance of the proposal.

"At TJX, we have learned a great deal about the risks of cyber attacks and have responded aggressively to take our own security to even higher levels.

"We also have learned about the heightened security risks that exist across the entire US retail and banking industries as a result of today's high tech criminals.

"We believe that cooperative action is required by all banks, payment card companies and merchants to better protect customer payment card data, and we look forward to working together with Visa to further this goal."

Once the settlement is completed, accepting issuers will be paid by 27 December, the company said.

The TJX Companies first disclosed in mid-January that at least 45.7m of its customer records were stolen from databases in 2005 and 2006.

Customer data was thought to be at risk from its TJ Maxx, Marshalls, HomeGoods and AJ Wright divisions in the US and Puerto Rico, from its Winners and HomeSense chains in Canada and from its TK Maxx operation in the UK and Ireland.