U.S. retailer Target agreed to pay $18.5 million as part of a settlement over a 2013 data breach that resulted in the theft of credit and debit card information from tens of millions of customers.

The settlement will be paid to 47 states — including the District of Columbia and California, which will receive the largest portion of the settlement at $1.4 million. Alabama, Wisconsin and Wyoming were not involved.

Read: Target Hackers Had Access To All Of Chain's US Cash Registers In 2013 Data Breach: Report

“Families should be able to shop without worrying that their financial information is going to get stolen, and Target failed to provide this security,” California Attorney General Xavier Becerra said in a statement. “This should send a strong message to other companies: You are responsible for protecting your customers’ personal information.”

In addition to making payments to the states involved in the settlement, Target also agreed to implement an information security program to help protect customers. The program is required to go into effect within 180 days and will be designed to “protect the security, integrity and confidentiality of personal information it collects or obtains from consumers.”

Among the requirements for Target’s information security program is a requirement to encrypt payment card information to make sure the data is protected and essentially unreadable — unless the encryption is cracked, even if stolen.

The company will also have to keep cardholder information separate from the rest of its databases, and will have to set up two-factor authentication and password rotation policies for employee accounts — the latter of which is a practice that has grown out of favor with security experts in recent years.

Read: Retail Data Breaches: What Has Target Done To Protect Consumers?

The information security program requires Target to hire an independent, third-party investigator to assess its information security systems and ensure that proper protections are in place and best practices have been followed.

At the time of the breach, officials investigating the occurrence noted Target granted access to a third-party vendor who had weak security protocols, failed to separate customer data from less sensitive databases and ignored several warnings from its security system, which had alerted the company hackers had breached its database.

In a statement to the Los Angeles Times, Target said it was “pleased to bring this issue to a resolution for everyone involved.” The retailer noted the costs of the settlement were “already reflected in the data breach liability reserves that Target has previously recognized and disclosed.”

Target admitted last year the data breach, which resulted in more than 40 million customer credit cards being exposed, cost the company $290 million. The Minnesota-based retailer paid $67 million to Visa, $20 million to banks and credit unions, $19 million to MasterCard and $10 million to consumers.