STANDARDS WORK -- IF THEY'RE FOLLOWED
To adequately protect cardholder data, companies that handle this information need a secure network, some way of securing cardholder data during storage and transmission (such as encryption), a process for identifying and patching software vulnerabilities, and well-enforced access control measures. So says the Payment Card Industry data security standard introduced by American Express, MasterCard Worldwide, Visa International, and other credit card providers two years before TJX announced its data breach.
Of course, PCI improves security only if retailers follow the standard closely. TJX said in its 2006 annual report that it "generally" had stopped storing magnetic-stripe data after Sept. 2, 2003; "generally" encrypted all payment card, check transaction, and personal information after April 7, 2004; and "generally" had masked payment card PINs as well as portions of payment card transaction and check transaction information after April 3, 2006.
PCI also covers wireless network security, stating that wireless networks transmitting cardholder data must encrypt transmissions by using Wi-Fi Protected Access (WPA or WPA2) technology, IPsec VPN, or SSL/TLS. "Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN," the standard states.
Other retailers are starting to feel the TJX Effect. In March, some of the stolen data surfaced in Florida, where thieves used it to make phony credit cards to steal about $8 million in merchandise from Wal-Mart stores in 50 Florida counties. In July, the U.S. Secret Service tied stolen TJX customer data to another south Florida fraud ring (see story, "The Face Of Identity Theft").
Banks and transaction processors are pushing back against having to cover fraud losses when the poor security practices of others are to blame. Several financial institutions have taken the unusual step of filing lawsuits against TJX, claiming that the retailer acted negligently by storing unprotected credit card holders' information and failing to install firewalls to protect sensitive financial databases. The Massachusetts Bankers Association filed a class-action suit against TJX that will seek to recover damages in the "tens of millions of dollars." The Connecticut Bankers Association and the Maine Association of Community Banks joined the Massachusetts association's suit as co-plaintiffs. TJX is based in Framingham, Mass.
Although aimed at TJX, these lawsuits aren't good news for retailers in general. "You don't usually sue merchants," says Mark Macheska, a VP of card risk prevention at Citizens Bank, but "the banks are taking all of the losses." Payment card information for hundreds of thousands of Citizens Bank customers may have been compromised as part of the TJX breach.
Lawmakers have used the TJX debacle to push data security legislation. On Aug. 1, the Plastic Card Security Act of Minnesota took effect, making the state the first to shift the costs associated with data breaches from financial institutions to the retailers that mishandle consumers' financial data. The law makes it illegal for Minnesota businesses to store a customer's PIN, security code, or magnetic-stripe information for more than 48 hours after a transaction is authorized. Next year, penalties are set to kick in that would give Minnesota financial institutions, such as banks and credit unions, the ability to sue merchants caught keeping private financial data if there's a security breach.
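The storage rules described above (TJX's "generally" stopped storing magnetic-stripe data and masked card data; Minnesota's 48-hour limit on PINs, security codes, and magnetic-stripe data) can be turned into a retention check. The following is an added example, not TJX's systems or any vendor's code: it scans constructed transaction records for prohibited fields retained past the authorization window and masks the card number in whatever must be kept. The field names, the last-four masking rule, and the sample records are assumptions made for the example; the 48-hour window is the one the Minnesota law states.

```python
from datetime import datetime, timedelta, timezone

# Data the Minnesota law forbids keeping beyond 48 hours after authorization.
# Field names are assumed for this example.
PROHIBITED_FIELDS = ("pin", "security_code", "track_data")
RETENTION_WINDOW = timedelta(hours=48)


def mask_pan(pan: str) -> str:
    """Replace all but the last four digits with asterisks (assumed masking policy)."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def retention_violations(records, now):
    """Return (record_id, field) pairs where prohibited data outlived the window."""
    found = []
    for rec in records:
        age = now - rec["authorized_at"]
        for field in PROHIBITED_FIELDS:
            if rec.get(field) and age > RETENTION_WINDOW:
                found.append((rec["id"], field))
    return found


def purge(records, now):
    """Drop expired prohibited fields and mask the PAN; return cleaned copies."""
    cleaned = []
    for rec in records:
        expired = now - rec["authorized_at"] > RETENTION_WINDOW
        out = {k: v for k, v in rec.items()
               if not (expired and k in PROHIBITED_FIELDS)}
        out["pan"] = mask_pan(rec["pan"])
        cleaned.append(out)
    return cleaned


# Constructed sample records; the card numbers are test values, not real accounts.
NOW = datetime(2007, 8, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"id": "t1", "pan": "4111111111111111", "authorized_at": NOW - timedelta(hours=2),
     "security_code": "123", "track_data": "%B4111111111111111^TEST/CARD^0912?"},
    {"id": "t2", "pan": "5500000000000004", "authorized_at": NOW - timedelta(hours=72),
     "security_code": "456"},
    {"id": "t3", "pan": "340000000000009", "authorized_at": NOW - timedelta(days=400),
     "track_data": "%B340000000000009^TEST/CARD^0912?", "pin": "1234"},
]

if __name__ == "__main__":
    for rid, field in retention_violations(SAMPLE, NOW):
        print(f"{rid}: {field} retained past the 48-hour window")
```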
Massachusetts passed a data breach notification law this month, partly in reaction to TJX, joining some 30 states that require organizations to notify those affected when their personal data has been compromised. But not every state is rushing in. In May, Texas shot down a bill that would have compelled businesses to better protect and safeguard sensitive personal information contained in their customer records.
Still, the passage of the Minnesota law indicates that the TJX data breach is "the straw that broke the camel's back" in terms of the public's patience with lax data security, says PayPal chief information security officer Michael Barrett. "If more states don't pass laws like Minnesota did," Barrett says, "we'll just be waiting for the next incident before we act."