Two most unwelcome letters arrived in Saturday's mail. One, from my local bank, alerted me that my wife's VISA debit card "may have been compromised" by an intrusion into an unnamed merchant's database. The other stated that my VISA credit card was also potentially at risk. Given our shopping patterns, it's fairly safe to assume that we were a victim of the TJX break in.
The bank that issued the VISA debit card is canceling the card and sending a new one. But the issuer of the VISA credit card, which tells me it had 4,000 customer accounts compromised, is not. It wrote that "there is no reason to believe that your card information will be used for any fraudulent activity."
The letter goes on to say that if I really want to, I can ask to have the card canceled and reissued at no charge. I was on the phone in five minutes, and you should be too if you get one of these letters.
Most certainly there is a risk that the stolen data could put my credit card at risk. I asked for a new card and would recommend that anyone else who receives a notification do the same. Even if the risk were small, why take it? There is little upside for the consumer who does not ask for a new card. But there is a big benefit for the issuer, which can avoid the costly process of canceling compromised cards and mailing out new ones to every customer whose card was affected.
Now for the bigger question: Why am I in this situation in the first place? Why do TJX and many other brick and mortar retailers continue to store my credit card number when online retailers apparently do not?
When I shop online I'm almost always asked if I want the merchant to save my credit card information. I always say no. TJ Maxx and other retailers never ask this question and apparently go right ahead and store the my credit card data without asking. I see no convenience benefit when they do this because I am still asked to present my credit card each time I make a purchase. But there are obvious marketing benefits for the retailer who retains credit card numbers in its database. Retailers are not supposed to do so - it's against the Payment Card Industry Data Security Standard rules. But too many merchants continue the practice. According to the Computerworld story above, some blame their legacy point of sale systems for gathering such information by default.
While it's true that TJX security was inadequate to protect its database, the bigger problem is that data that shouldn't have been there in the first place. Its customers' credit card numbers - my numbers - were compromised.
To retain my business TJX needs to change its practices. Until then, with respect to protecting my credit card data, ordering online through Amazon.com and other reputable e-tailers appears to be a much safer bet than using a credit card at my local TJ Maxx.