
TJX breach may spur greater adoption of credit card security standards

Experts say TJX either failed to encrypt or truncate credit card numbers or did not secure encryption keys

By Jon Brodkin, Network World
March 29, 2007 03:33 PM ET

The exposure of 45.7 million credit and debit card numbers in the TJX data theft should serve as a wake-up call to retailers, who risk losing money and credibility when they fail to protect sensitive customer data, say officials at the PCI Security Standards Council.

Responding to customer concerns and fighting off lawsuits both take up much of a company’s resources after data breaches, notes Seana Pitt, chairperson of the council, which was founded by credit card companies and oversees the Payment Card Industry Data Security Standard (PCI DSS) that took effect in 2005.

“It’s definitely another wake-up call for the industry to get going,” Pitt says. “Anytime these things happen, from the store level up to senior management, you get into this firefighting mode that takes the company’s eye off the business of really delivering service to customers and ultimately revenue.”

Data thefts “really hurt these companies in ways they can’t even imagine,” says Bob Russo, the council’s general manager. “It would be so much easier just to comply [with PCI DSS].”

TJX, a Massachusetts-based retailer that operates T.J. Maxx, Marshalls and other stores, said in January that hackers had broken into its computer network, compromising customer credit card information. TJX revealed the magnitude of the crime yesterday in financial reports that say at least 45.6 million credit and debit card numbers were stolen in 2005 and another 130,000 last year.

The fact that the intruders were able to read such a large volume of card data indicates that TJX either stored full card numbers without encrypting or truncating them, or failed to protect the keys needed to decrypt the encrypted card data, says Nigel Tranter, a PCI auditor with PSC.

“It is unlikely given the number [of exposed credit cards] that they were in that form because then the breach would not have occurred. The hackers could have gotten in but wouldn’t have gotten anything useful,” says Tranter, who did not have direct knowledge of the TJX incident. “You just can’t store data in clear text form anymore under any circumstances. There’s just no excuse for doing that.”

TJX says it encrypted some card data, but believes the hackers had access to the decryption tool, the Boston Globe reported. Encryption protects stored card numbers only as long as the key stays out of reach of anyone who can reach the ciphertext; an intruder who can run the decryption tool on the same systems effectively holds the clear-text data.
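As an added illustration of the two controls Tranter names, truncation and encryption under a protected key, here is example code written for this page; it is not code from TJX, PSC or the PCI Council, and it assumes nothing about TJX's systems. The PAN is the standard Visa test number, a constructed input. The program keeps only the last four digits for display and seals the full number with AES-256-GCM under a key that, by assumption, is generated and held outside the systems that store the ciphertext. Decryption with any other key fails the GCM tag check, which is the property the breach account turns on: whoever holds the key, or the tool that wraps it, holds the card numbers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed test input: the standard Visa test PAN, not a real card.
const samplePAN = "4111111111111111"

// luhnValid reports whether pan is all digits, at least 12 long, and passes
// the Luhn check every payment card number must satisfy.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 12 && sum%10 == 0
}

// truncatePAN keeps only the last four digits. A record that never held
// the full number yields nothing useful to whoever copies the database.
func truncatePAN(pan string) (string, error) {
	if !luhnValid(pan) {
		return "", errors.New("not a valid PAN")
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:], nil
}

// newKey draws a 256-bit AES key. In a real deployment it would come from an
// HSM or key service (assumed here), never from a file on the database host.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// encryptPAN seals the full PAN with AES-256-GCM; the random nonce is
// prepended so the ciphertext carries everything decryptPAN needs.
func encryptPAN(key []byte, pan string) ([]byte, error) {
	if !luhnValid(pan) {
		return nil, errors.New("not a valid PAN")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptPAN reverses encryptPAN. With any key other than the sealing key
// the GCM tag check fails and no plaintext comes back.
func decryptPAN(key, sealed []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	masked, _ := truncatePAN(samplePAN)
	fmt.Println("stored for display:", masked)
	key, _ := newKey()
	sealed, _ := encryptPAN(key, samplePAN)
	fmt.Printf("stored ciphertext:  %x\n", sealed)
	pt, err := decryptPAN(key, sealed) // the sealing key recovers the PAN
	fmt.Println("with the key:      ", pt, err)
	other, _ := newKey()
	_, err = decryptPAN(other, sealed) // any other key yields only an error
	fmt.Println("without the key:   ", err)
}
```

The design point is where `newKey` lives, not the cipher: if the key (or a tool that loads it) sits on a host the intruder already controls, the ciphertext column is clear text with extra steps, and only the truncated form still protects the cardholder.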

To comply with PCI DSS, companies must undergo an annual audit and have their externally reachable systems scanned for vulnerabilities by a third party at least once a quarter, according to Tranter.

Adoption of PCI DSS is not widespread, even though merchants can be fined for not complying, Rob Tourt, vice president of network services at Discover Financial Services, said in January.

Tranter says there has been major progress updating security over the past few years, but “numerous companies” still have not secured data for various reasons, some of them technical. Encrypting data on a mainframe is difficult, for example.

“Older legacy systems are difficult because the industry just doesn’t have the tools [to encrypt data],” he says. “There are other controls you can put in place around those.”
