TJ Maxx owner TJX has agreed to pay nearly $10m to 41 US states for a data breach that enabled the theft of millions of debit and credit card numbers.
But the retailer said in a statement that the agreement is not an admission that TJX violated any consumer protection or data security laws.
"The decision to enter into this settlement reflects TJX's desire to concentrate on its core business without distraction and promote cyber security measures that will benefit all consumers," the statement said.
The retailer has also agreed to boost security measures to ensure that what is thought to be the biggest identity theft ever reported does not happen again.
The agreement comes more than two years after hackers broke into TJX's wireless network to steal the credit and debit card details of customers.
TJX said the attack was carried out despite the company's computer security being "as good as or better than most other major US retailers."
Since the data breach was disclosed, TJX has paid millions in compensation to customers whose details were stolen and to banks that were defrauded as a result.
Jeffrey Naylor, chief financial officer at TJX, said the settlement with the state attorneys general furthers the company's goal of enhancing customer protection.
Both parties, he said, have agreed to take the lead in exploring new technologies and approaches to solving the systematic problems in the US payment card industry.
TJX will provide $2.5m to establish a data security fund to advance effective data security, and a settlement amount of $5.5m, with $1.75m to cover the cost of investigating the incident.
In August 2008, US prosecutors charged 11 people on three continents in connection with what was widely considered at the time to be the largest ever reported identity theft.
Those charged include three US citizens, three Ukrainians, two Chinese, an Estonian and a Belarusian. So far only two have pleaded guilty to the charges.