Your Data: Love It or Lose It

As blissful consumers finished their holiday shopping, the TJX Companies and Visa were putting the finishing touches on a financial settlement for the massive, record-breaking, headline-stealing security breach discovered nearly a year earlier.

For the better part of 2007, TJX was raked over the coals for allowing hackers to penetrate its network over a three-year period and pilfer more than 94 million credit card records—the worst security breach in the history of the Internet to date. Visa praised TJX—Framingham, Mass.-based parent company of such well-known retail brands as T.J. Maxx, Marshalls and HomeGoods—for strengthening its security measures and creating a $41 million settlement fund to compensate nearly 95 percent of the affected customers and banks.

“We are pleased with the overwhelming response from issuers and appreciate the cooperation TJX has shown during this process,” said Ellen Richey, head of global risk management for Visa, in a joint statement released with TJX in December. “The alternative recovery solution Visa and TJX delivered to the marketplace demonstrates how payment system participants can resolve differences for the benefit of the entire system.”

Part of the settlement requires TJX to act as a promoter—at least four times this year—of the Payment Card Industry Data Security Standard (PCI DSS, commonly referred to as PCI). This means TJX executives or representatives will take to the stump to endorse and evangelize the standard that they willfully ignored by not upgrading the company’s wireless network security from the obsolete Wired Equivalent Privacy (WEP) encryption to the more secure Wi-Fi Protected Access (WPA) encryption. If TJX had implemented some basic security improvements and complied with the PCI standard when it first received warnings in 2005, the retailer might have stanched the data bleeding through its porous security. At the very least, TJX security and IT staff might have discovered the breach nearly a year earlier.
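The article does not describe how the intruders got into TJX's wireless network, only that the network still relied on WEP. For readers unfamiliar with why WEP is called obsolete, the following added example (not from the article, and not a reconstruction of the TJX intrusion) shows the core design flaw: every frame is encrypted with RC4 under a key formed from a 24-bit initialization vector (IV), sent in the clear, concatenated with the shared key. Once an IV repeats under the same shared key, the RC4 keystream repeats, and XORing two such frames cancels the keystream entirely. The shared key, IVs and frame contents below are constructed for illustration, and WEP's CRC-32 integrity value is omitted because it does not affect the keystream-reuse point.

```python
"""
Added illustration of WEP's keystream-reuse weakness (RC4 under IV || shared key,
24-bit IV sent in the clear). Not the article's code; key, IVs and frames are constructed.
"""
import math

IV_BITS = 24                      # WEP IV length; the root of the collision problem
IV_LEN = IV_BITS // 8


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP uses. Shown here only to
    demonstrate its misuse; RC4 itself is also deprecated for new designs."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte cleartext IV, then RC4(IV || shared_key) over the payload.
    The CRC-32 ICV real WEP appends is omitted (assumption: irrelevant to this point)."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV must be 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_plaintext_xor(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames with the same IV (and same shared key) share a keystream K:
    (P1 ^ K) ^ (P2 ^ K) == P1 ^ P2. No key required."""
    if frame1[:IV_LEN] != frame2[:IV_LEN]:
        raise ValueError("IVs differ; keystreams are not identical")
    return xor_bytes(frame1[IV_LEN:], frame2[IV_LEN:])


def recover_plaintext(frame_known: bytes, known_plaintext: bytes, frame_target: bytes) -> bytes:
    """If one of the colliding frames has predictable content (a classic WEP situation,
    e.g. a protocol header), the other frame's plaintext follows directly."""
    return xor_bytes(recover_plaintext_xor(frame_known, frame_target), known_plaintext)


def iv_collision_probability(frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday-bound approximation: probability that at least one IV repeats
    among `frames` uniformly random IVs. With 2^24 IVs, a busy access point
    crosses 50% after only a few thousand frames."""
    n = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * n))


def demo() -> dict:
    """Constructed scenario: a 40-bit WEP key, one IV reused for two frames."""
    shared_key = bytes.fromhex("0badc0ffee")                 # constructed, illustrative
    iv = bytes.fromhex("abcdef")                              # reused IV (the flaw)
    secret = b"track2=1234567812345678=0912101"                # constructed card-like payload
    predictable = b"ARP who-has 10.0.0.1 tell 10.0.0.7".ljust(len(secret), b" ")

    frame_secret = wep_encrypt(shared_key, iv, secret)
    frame_predictable = wep_encrypt(shared_key, iv, predictable)

    # The eavesdropper never learns shared_key, yet recovers the payload.
    recovered = recover_plaintext(frame_predictable, predictable, frame_secret)
    return {
        "recovered": recovered,
        "matches_secret": recovered == secret,
        "p_collision_5000_frames": iv_collision_probability(5000),
    }


if __name__ == "__main__":
    result = demo()
    print("recovered payload:", result["recovered"])
    print("IV collision probability after 5,000 frames: %.3f" % result["p_collision_5000_frames"])
```

The takeaway is not the RC4 code but the arithmetic: a 24-bit IV space is exhausted or collides long before a busy retail access point finishes a shift, and WEP gives an eavesdropper everything needed to exploit that without ever learning the shared key. WPA's per-packet keying and larger counters remove this specific failure mode, which is why PCI treated WEP as unacceptable.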

PCI compliance does not make a network impenetrable to attackers, and it won’t guarantee data protection. It does, however, set a minimum level of protection and assurance for the governance and safeguarding of credit card data handled by any organization that accepts credit card payments. While PCI compliance has risen in the wake of the TJX breach, analysts and standards enforcers agree that there remains a constant tug of war between security and the cost of compliance.

“If you show this to any security person out there, they’ll tell you that there are no alien concepts in this and it is nothing new,” says Bob Russo, general manager for the PCI Security Standards Council, the payment card industry’s outreach arm. “These are best practices in the industry—not just payment card security, but security in general. Whenever somebody says, ‘This is what you should do,’ there is always pushback.”

While 2007 was a record year for both security breaches and compromised data, TJX remains the standout (see “2007: A Year of Record Data Breaches,” p. 36). The company declined requests for comment, but its Securities and Exchange Commission filings and legal disclosures associated with a number of lawsuits indicate that the total cost of the security breach could top $250 million. According to its third-quarter SEC report, TJX expects to suffer from the fiscal aftermath of the breach through 2010.

As new deadlines approach and more merchants and retailers fall under PCI’s scope, TJX serves as the prime example of why compliance is essential. Understanding the standard’s intent, range and mechanics is the beginning of an ongoing process for minimizing the chances of a TJX-like repeat.