The exposure of 45.7 million credit and debit card numbers in the TJX data theft should serve as a wakeup call to retailers who risk losing money and credibility when they fail to protect sensitive customer data, say officials at the PCI Security Standards Council.
Responding to customer concerns and fighting off lawsuits both take up much of a company’s resources after data breaches, notes Seana Pitt, chairperson of the council, which was founded by credit card companies and oversees the Payment Card Industry Data Security Standard (PCI DSS) that took effect in 2005.
“It’s definitely another wakeup call for the industry to get going,” Pitt said. “Anytime these things happen from the store level up to senior management, you get into this firefighting mode that takes the company’s eye off the business of really delivering service to customers and ultimately revenue.”
Data thefts “really hurt these companies in ways they can’t even imagine,” said Bob Russo, the council’s general manager. “It would be so much easier just to comply [with PCI DSS].”
TJX, a Massachusetts-based retailer that operates T.J. Maxx, Marshalls and other stores, said in January that hackers had broken into its computer network, compromising customer credit card information. TJX revealed the magnitude of the crime late last month in financial reports that say at least 45.6 million credit and debit card numbers were stolen in 2005 and another 130,000 last year.
The fact that hackers were able to access such a huge amount of data indicates that TJX either failed to encrypt or truncate card numbers or did not secure encryption keys that can translate scrambled card information, said Nigel Tranter, a PCI auditor with PSC. “It is unlikely given the number [of exposed credit cards] that they were in that form because then the breach would not have occurred. The hackers could have gotten in but wouldn’t have gotten anything useful,” said Tranter, who did not have direct knowledge of the TJX incident. “You just can’t store data in clear text form anymore under any circumstances. There’s just no excuse for doing that.”
TJX said it encrypted some card data. But TJX believes hackers had access to the decryption tool, the Boston Globe reported.
To comply with PCI DSS, companies must be audited annually and be scanned for external vulnerabilities by third-party auditors at least once a quarter, according to Tranter.
The adoption of PCI DSS guidelines is not very widespread, even though merchants can be fined for not complying, Rob Tourt, vice-president of network services at Discover Financial Services, said in January.