One year later: Five takeaways from the TJX breach

The retailer has survived the massive data theft, but the card industry remains unsettled

1 2 Page 2
Page 2 of 2

"I think a lot of companies are seeing how costly these breaches can get," said Forrester Research Inc. analyst Khalid Kark. As a result, there's a lot more awareness in the executive suite about the need for security controls, Kark said. He previously estimated that the breach at TJX could end up costing the company $1 billion over the next few years.

PCI remains a work in progress

The breach brought to light the fact that many retailers, including top-tier ones like TJX, had not yet fully implemented the set of security controls mandated by the major credit card companies under the Payment Card Industry Data Security Standard, or PCI. The rules took effect in June 2005, and required merchants -- especially ones such as TJX that process a high volume of card transactions annually -- to implement 12 broad security controls for protecting customer data.

But court documents filed by the banks that are suing TJX allege that the company wasn't compliant with nine of the mandated controls during the period when the intrusions were taking place. And TJX was by no means alone. In response to the slow adoption of the PCI controls, Visa Inc. threatened to start imposing hefty fines and higher transaction fees on merchants if they didn't become compliant by the end of last September.

Visa won't disclose whether it has fined any merchants since then, but there is ample anecdotal evidence that it has.

The card payment process has issues

The TJX breach exposed a fundamental rift, with banks and credit card companies on one side and merchants on the other. In several states, credit unions and smaller banks have lobbied the legislatures to pass new laws requiring retailers to reimburse them for the costs involved in notifying customers of breaches and reissuing cards.

But the lobbying attempts failed everywhere except in Minnesota, which last May approved the Plastic Card Security Act -- a law that holds breached entities financially responsible if they were storing prohibited card data on their systems.

In fighting the state bills, retailers have argued that the commissions they pay to card companies on each transaction are supposed to cover fraud-related costs, making any additional payments a double penalty. They also said that the only reason they store payment card data is because they're required to by the credit card companies. In October, the National Retail Federation (NRF) asked Visa and the other card companies to drop that requirement.

The NRF's request is echoed by Litan, who long has argued for fundamental changes in the card industry's payment process, via the introduction of measures such as one-time passwords and all PIN-based transactions.

The bad guys remain hard to catch

For all the attention paid to the breach by TJX, and all the hired forensics experts and law enforcement authorities on the case, the perpetrators thus far haven't been tracked down. Some individuals who allegedly used card numbers stolen in the breach have been arrested. But the hackers themselves have remained frustratingly out of reach, as is the case in most breaches.

"The crooks are still at it," Litan said. "They probably will strike again. They're laughing all the way to the bank."

Copyright © 2008 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon