Latest Breach May Force a New Approach to Data Security

The latest and possibly biggest in a series of hacks into retailer and processor databases holding sensitive data about credit and debit card holders may indicate that it's time for a new approach to card security, according to at least one analyst. That calls into question the effectiveness of the card industry's effort to establish its much-ballyhooed Payment Card Industry (PCI) data standards in the retail community. The unauthorized intrusion into the computer systems containing customer-transaction data of Framingham, Mass.-based retailer The TJX Companies Inc., parent company of T.J. Maxx, Marshalls, and other chains with 2,510 stores in all, was discovered in mid-December but not publicly disclosed until last week. Although the off-price retailer has not disclosed the number of customers affected, some press reports claim information about 40 million customers may have been compromised, putting the breach on par with the one at CardSystems Solutions Inc., a breach so serious that it led to the sale of that processor's assets (Digital Transactions News, Oct. 18, 2005). “The banks can't rely on retailers any more for security,” researcher Avivah Litan, a vice president at Stamford, Conn.-based Gartner Inc., tells Digital Transactions News. “It's not reliable. These payment systems were rolled out years ago without security in mind. I personally think it's time for the card industry to move to stronger user authentication.” The credit and debit card networks have coalesced around PCI, whose standards call for a variety of encryption and other security measures to be taken by card issuers, merchant acquirers, and card-accepting merchants. But while PCI has received plenty of press and attention from the networks, merchants have been slow to adopt the standards despite possible fines for not doing so. Only about 100 of the largest merchants had implemented them as of October 2006, according to Litan. In a research note she was preparing for Gartner clients on Monday, Litan says, “Gartner believes that it's impractical for the card industry to expect up to 5 million retailers to become security experts and change their systems to fix security holes. It's time for the banks to own up to the problem and accept responsibility. They must make changes to the payment system so that, even if data are stolen, the data are useless to the thieves.” Gartner also believes that, based on comments from U.S. card issuers in recent months, “counterfeit fraud is at an all-time high.” Issuers must eat the expense of reissuing cards when cardholder data are stolen, which further adds to the pressure issuers, acquirers, and the payment networks put on retailers to enhance security. But the card industry already has technology that brings up a one-time password or other temporary identification number for a transaction, Litan notes, though she acknowledges that the initial cost of issuing such cards would be higher than conventional cards with a permanent PIN. While there's no public indication yet about who committed the TJX breach, the Litan report has an ominous warning that law-enforcement officials suspect more card fraud is starting to originate from the Middle East and may be related to terrorist groups. Arrests last year in Egypt and Lebanon led to the confiscation of millions of dollars, the report says. “Police said the attacks were tied to terrorist financing,” the report says, though it did not have details. A TJX spokesperson did not return a Digital Transactions News call Monday morning. In a press release last Wednesday, the company said the intrusion involved the portion of TJX's computer network that handles credit card, debit card, check, and merchandise-return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada. It also may involve customers of its T.J. Maxx stores in the United Kingdom and Ireland. In addition, the intrusion could also extend to TJX's Bob's Stores in the U.S. The breach affected cards of all the major general-purpose brands?Visa, MasterCard, American Express, and Discover. Upon discovering the intrusion last month, TJX said it immediately notified authorities, including the U.S. Department of Justice and Secret Service and the Royal Canadian Mounted Police. The company hired General Dynamics Corp. and IBM Corp. to investigate the compromise and upgrade its computer security. Data that may have been accessed include credit and debit card transaction records from TJX's stores, excluding Bob's Stores, in the U.S., Canada, and Puerto Rico during 2003, as well as information for those stores from mid-May through December 2006, the company said. TJX says the full extent of the breach still isn't known. On Thursday, the Massachusetts Bankers Association said the card networks had contacted 28 of its members to say some of their cardholders' personal information may have been compromised. “To date, TJX has been able to specifically identify a limited number of credit card and debit card holders whose information was removed from its system and is providing this information to the credit card companies,” the release says. TJX also identified “a relatively small number” of customer names with related drivers' license numbers that also were stolen from its system, and is contacting those individuals directly, the company said. A spokesperson for Cincinnati-based Fifth Third Bancorp's Fifth Third Processing Solutions unit confirmed Fifth Third acquires transactions for TJX in the U.S., but referred questions to TJX.