Breach at TJX shows IT security still lacking in retail industry

In a statement released yesterday, Daniel Forte, CEO of the Boston-based MBA, criticized what he said was TJX's characterization of itself as a victim of the data breach, "when what it appears they may have been doing is capturing data that is unnecessary."

Further protections

The breach at TJX shows why it's so vital to purge the Track 2 data from POS and other systems, said David Taylor, vice president of data security strategies at Protegrity Corp., a Stamford, Conn.-based company that offers PCI compliance services. It also underscores the importance of encrypting sensitive data, another step that the PCI standard requires retailers to take, Taylor said.

The latest incident is sure to lend even more urgency to the efforts to get retailers to adopt the PCI requirements, said Avivah Litan, an analyst at Gartner Inc. Litan said that so far, only about 50% of Tier 1 merchants -- those processing more than 6 million credit card transactions per month -- have become fully compliant with PCI, even though more than 18 months have passed since the requirements went into effect.

TJX is a Tier 1 merchant and may even qualify as a card processor because of the sheer number of transactions it handles through its various retail chains, Litan said. That would require it to adhere to even more stringent security requirements, she said, adding that she expects credit card companies "to come down really hard" on TJX for its failure to protect customer data.

At the same time, banks that issue cards should be looking at ways to make card information less valuable to thieves in the event that the data is stolen, Litan said. For example, stronger forms of authentication could be used when transactions are being processed, she said. Another possible approach is to require one-time passwords when credit and debit cards are used.

The technology needed to support both of those steps is available and can be implemented fairly easily, according to Litan. But few banks appear to be doing so, she added.

The case for adopting such measures is strengthened by the fact that fraudsters are able to distribute stolen card information and make use of the data quickly, Litan and other analysts said.

According to John Buzzard, a fraud investigator at Fair Isaac Corp. in Minneapolis, information stolen in data breaches is sometimes used in less than 24 hours. Typically, data thieves do a quick "dump check" to see if stolen card numbers are valid and then either sell them for up to $25 apiece or use them to make one or two significant purchases or cash withdrawals, Buzzard said.

To reduce such fraud, he said, card issuers should implement measures for verifying that names, card numbers, expiration dates and other data match the information on record when transactions are being processed. Buzzard said he thinks "a large percentage of card issuers are doing this sort of authentication" already -- but not all of them.

Stronger end-to-end authentication of credit and debit transactions by issuing banks could reduce the risk of card fraud, Taylor said. "But one of the things that is worth emphasizing," he added, "is that the customer data belongs to the merchants and they need to take responsibility for it." 

Read more about security in Computerworld's Security Knowledge Center.