Friday, November 22, 2024

Scope of TJX Breach Has Some Questioning Attainability of PCI

The startling size of the TJX Cos. Inc. data breach, at least 45.7 million credit and debit cards compromised, has some electronic-payments experts wondering whether the card networks will ultimately succeed in winning merchant compliance with their data-security rules. “If a major U.S. retailer cannot have its house in order, how can you get millions and millions of small businesses, small merchants to be compliant?” asks Gwenn Bézard, research director at Boston-based Aite Group LLC.

Merchant acquirers are responsible for enforcing the Payment Card Industry data-security standard in the case of Visa and MasterCard transactions, but independent sales organizations acting on acquirers' behalf are the entities that most small merchants deal with. “I'm not picking on ISOs, but how can they do it? It's a different job,” Bézard says. PCI embraces a host of security measures now required by Visa, MasterCard, American Express, and Discover.

As for TJX, the merchant now faces 19 class-action lawsuits related to the data hack, which it first disclosed in January. Some name Cincinnati-based Fifth Third Bancorp, owner of TJX's U.S. merchant acquirer Fifth Third Processing Solutions, as a defendant. Most suits have been filed in various federal courts; TJX is supporting a move to have them consolidated in Massachusetts. TJX also faces a 30-state investigation led by the Massachusetts attorney general's office as well as probes by the Federal Trade Commission and at least two Canadian privacy agencies. TJX further says it could incur fines by the payment card networks.

The number of compromised accounts at TJX, revealed Wednesday in the retailer's annual report to the Securities and Exchange Commission, gives the owner of the T.J. Maxx, Marshalls, and other chains the dubious honor of being the source of the worst payment card breach ever.
The previous titleholder was CardSystems Inc., where a breach that compromised about 40 million cards ultimately led to the sale of that processor's assets in 2005. About 67% of the compromised cards were expired at the suspected times their data were stolen, and 3.8 million live cards had their data masked. But the hacker or hackers may have access to TJX's decryption tools. Some data thefts may have happened during the actual transaction process, when cardholder information was not encrypted. Plus, the number of cards involved in suspect transactions in the spring of 2004 is still unknown. And, despite more than three months of investigation with the help of tech heavyweights General Dynamics Corp. and International Business Machines Corp., TJX still doesn't know who stole its customer data. The TJX hacker also apparently obtained data, including driver's license numbers, on about 455,000 customers who returned merchandise without a receipt.

In the report, Framingham, Mass.-based TJX says it first learned on Dec. 18, 2006, of suspicious software on its computer system. The next day, it brought in General Dynamics and IBM to help investigate. On Dec. 21, they determined TJX's computer systems had indeed been hacked, and “an intruder remained on our computer systems,” the filing says. The next day, the company met with federal authorities. TJX first learned on Dec. 27 that customer information had been stolen. TJX has taken much heat for not disclosing the breach publicly until Jan. 17, but the filing says the U.S. Secret Service advised TJX to keep quiet at first so as not to compromise the investigation.

Based on the investigation so far, TJX believes an unauthorized intruder or intruders first accessed its computers in July 2005, on later dates that year, and again from mid-May of 2006 until mid-January of this year. No data were stolen, however, after Dec. 18, 2006. The hackers stole payment-related data, some involving transactions as far back as Dec. 31, 2002 and in 2003 and 2004, from TJX computers in Framingham and Watford, England. Framingham serves stores in the U.S., Canada, and Puerto Rico. Watford serves TJX's T.K. Maxx stores in the United Kingdom and Ireland.

Details of exactly how the hackers perpetrated the thefts are still emerging, but they apparently accessed files routinely created by TJX's computers to store customer data. The compromised transactions in 2006 alone involved about 100 such files. TJX, however, says customer names and addresses were not in the files, nor does it believe the hackers accessed PINs linked to debit cards. TJX says it doesn't know the total number of potentially compromised cards because the computer system destroys the files some time after the transactions during its normal operations. Many files were gone before the breach was discovered.

The filing outlines steps TJX took to increase security over the past several years, including the encryption of data on track 2 of payment cards' magnetic stripes beginning in April 2004. But the hacker apparently foiled those efforts in 2006 by somehow capturing information during live transactions, when data are unencrypted, and even possibly getting hold of TJX's decryption software. “Despite our masking and encryption practices on our Framingham system in 2006, the technology utilized in the computer intrusion during 2006 could have enabled the intruder to steal payment card data from our Framingham system during the payment card issuer's approval process, in which data (including the track 2 data) is transmitted to payment card issuers without encryption,” TJX's filing says. “Further, we believe that the intruder had access to the decryption tool for the encryption software utilized by TJX.”

A permanent solution to the problem of card-data leaks may involve an entirely different approach to transaction security than set forth in the current PCI standards, but Bézard admits he has “no idea” what that may be.
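The filing's two technical points, that transaction files were retained on the merchant's systems and that they carried track 2 data, are exactly what a PCI-minded defender checks for in stored records. The following script is an added example, not code from the article, TJX or Digital Transactions: it scans constructed sample records for cleartext track-2-format data (PAN, separator, expiry, service code), confirms the PAN with a Luhn check to cut false positives, and reports findings with the PAN masked so the scanner itself never re-leaks what it finds. The record format and the sample values are assumptions; the PAN used is the common Visa test number, not a real card.

```python
import re

# Constructed sample records (assumption, not TJX data). Record 0 holds
# cleartext track 2; record 1 holds a properly masked PAN; record 2 has
# track-2 shape but a PAN that fails the Luhn check; record 3 has no card data.
SAMPLE_RECORDS = [
    "txn=1001 ts=2006-06-01T10:02:11 track2=;4111111111111111=2512101123456789?",
    "txn=1002 ts=2006-06-01T10:05:40 pan=411111******1111 exp=2512",
    "txn=1003 ts=2006-06-01T10:07:02 track2=;4111111111111112=2512101123456789?",
    "txn=1004 ts=2006-06-01T10:09:15 note=no card data retained",
]

# Track 2 layout: [;]PAN=YYMM SSS discretionary[?]
# PAN 13-19 digits, '=' field separator, 4-digit expiry, 3-digit service code.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the usual PCI display form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(line: str) -> list:
    """Return masked findings for every Luhn-valid track-2 sequence in a line."""
    hits = []
    for m in TRACK2_RE.finditer(line):
        pan = m.group("pan")
        if luhn_ok(pan):
            hits.append({
                "pan_masked": mask_pan(pan),
                "exp": m.group("exp"),
                "svc": m.group("svc"),
            })
    return hits


def scan_records(records) -> list:
    """Scan an iterable of record strings; return findings with record index."""
    findings = []
    for idx, line in enumerate(records):
        for hit in find_track2(line):
            findings.append({"record": idx, **hit})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f['record']}: cleartext track 2 retained, "
              f"PAN {f['pan_masked']} exp {f['exp']} svc {f['svc']}")
```

Run against real retained files, the scanner should produce zero findings: sensitive authentication data such as full track 2 must not survive authorization, and a masked PAN (record 1 above) is the only form that should be present. Because the check keys on the track-2 field structure rather than on bare 16-digit numbers, it also would not be fooled by records that merely contain a PAN-length number, which is why the Luhn filter and the separator are both required before a line is reported.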
Some payment companies, including Visa USA, are beginning to look at so-called dynamic authentication that involves one-time numbers for authorization. Some banks have reissued cards as a result of the TJX breach, and authorities in Florida recently arrested members of an alleged theft ring who reportedly used card numbers stolen from TJX to buy $8 million of gift cards and electronics goods, according to press reports.


Digital Transactions