If leading newspapers are to be believed, TJX Companies is trying for the record for the number of stolen credit cards. Both the Wall Street Journal and The New York Times reported that the number of card numbers exposed or stolen in the December 2006 break-in at TJX’s data center may exceed the 40 million card numbers exposed by the 2005 breach at CardSystems Solutions. (See "The winner so far: CardSystems Solutions".)

TJX issued a press release stating it had been victimized but it now appears that one of the perpetrators of this crime was the company itself.

In late 2004 the payment card industry (PCI), which includes debit and credit card issuers, laid out a set of PCI Security Standards that, as of June, had to be met by anyone handling credit card numbers electronically.

Revised standards went into effect this month. These standards, both old and new, are quite comprehensive and are a good model of how any high-value corporate information should be protected. Some of the rules are easy to implement and some are hard, such as rule 1.4: “Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files)." This rule means, for example, that you cannot have a public Web server that stores credit card numbers on its own disks (or on a shared file system).

According to The Wall Street Journal, TJX was not compliant with the PCI Security Standards. There are a number of different parties involved in the credit/debit card business. First there is the bank that issues the card. Then there is the merchant where you use the card to buy something, and there is the merchant’s bank that acquires the money for the merchant (known as the acquiring bank). Sometimes there also is a clearinghouse that helps the processing. Under PCI rules, acquiring banks are responsible for ensuring that their merchants are meeting the security standard.

There appear to be three crooks -- of commission or omission -- in this case. Clearly the person or persons who broke into the TJX system would likely be a crook of commission. But there are two other crooks of omission and they are just as liable in my opinion. Fifth Third Bank, TJX’s acquiring bank, and TJX itself failed to ensure that TJX met the security standards.

Whitepapers

• Advancing the Economics of Networking
• Enterprise Data Center Network Reference Architecture
• Implementing HA at the Enterprise Data Center Edge to Connect to a Large Number of Branch Offices
• File Integrity Monitoring: Secure Your Virtual and Physical IT Environments
• Boost Productivity While Cutting Costs with Next-generation Collaboration
• Deploying Virtualized NetWare on Linux Whitepaper

View more SECURITY whitepapers

Webcasts

• PoE Plus: Impact on the PoE Market
• Creating a high performance workplace with wireless networking
• Harnessing the power of communications to increase workplace performance
• Making data centers the IT strategic focus
• Protecting assets and employees with IP Video Surveillance
• Stay out of the headlines: Detecting and preventing network intrusions

View more SECURITY webcasts

Special Reports

• The Evolution of Network Security
• IP address management in 2008 - six things to know
• The self-managed network

View more SECURITY special reports