The exposure of 45.7 million credit and debit card numbers in the TJX data theft should serve as a wake-up call to retailers, who risk losing money and credibility when they fail to protect sensitive customer data, say officials at the PCI Security Standards Council.
Responding to customer concerns and fighting off lawsuits both take up much of a company's resources after data breaches, notes Seana Pitt, chairperson of the council, which was founded by credit card companies and oversees the Payment Card Industry Data Security Standard (PCI DSS) that took effect in 2005.
"It's definitely another wakeup call for the industry to get going," Pitt says. "Anytime these things happen from the store level up to senior management, you get into this firefighting mode that takes the company's eye off the business of really delivering service to customers and ultimately revenue."
Data thefts "really hurt these companies in ways they can't even imagine," says Bob Russo, the council's general manager. "It would be so much easier just to comply [with PCI DSS]."
TJX, a Massachusetts-based retailer that operates T.K. Maxx in the UK, said in January that hackers had broken into its computer network, compromising customer credit card information. TJX revealed the magnitude of the crime yesterday in financial reports that say at least 45.6 million credit and debit card numbers were stolen in 2005 and another 130,000 last year.
The fact that hackers were able to access such a huge amount of data indicates that TJX either failed to encrypt or truncate card numbers or did not secure encryption keys that can translate scrambled card information, says Nigel Tranter, a PCI auditor with PSC.
"It is unlikely given the number [of exposed credit cards] that they were in that form because then the breach would not have occurred. The hackers could have gotten in but wouldn't have gotten anything useful," says Tranter, who did not have direct knowledge of the TJX incident. "You just can't store data in clear text form anymore under any circumstances. There's just no excuse for doing that."
TJX says it encrypted some card data. But TJX believes hackers had access to the decryption tool, the Boston Globe reported.
To comply with PCI DSS, companies must be audited annually and be scanned for external vulnerabilities by third-party auditors at least once a quarter.
Adoption of PCI DSS is not widespread, even though merchants can be fined for not complying, Rob Tourt, vice president of network services at Discover Financial Services, said in January.
Tranter says there has been major progress updating security over the past few years, but "numerous companies" still have not secured data for various reasons, some of them technical. Encrypting data on a mainframe is difficult, for example. "Older legacy systems are difficult because the industry just doesn't have the tools [to encrypt data]," he says. "There are other controls you can put in place around those."
One mistake companies make after encrypting data is storing the encryption key in the same database, Tranter says.
"Every company that's out there, whether they are in the process of PCI DSS or not, should make sure data is encrypted and the encryption key is kept in a safe manner separate from the main data stream," he says. "The problem is keeping that key secure. There's no point in having a database of encrypted credit card numbers if the key is in the same database."
Pitt says merchants are not necessarily required to encrypt data. The standard is flexible, requiring them to make credit card numbers unreadable by masking or truncating them, she says.
The standard also bars the storage of sensitive authentication data such as CVV numbers, which are typically three-digit codes appearing on the backs of credit cards, according to Pitt.
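The controls Tranter and Pitt describe above (truncate or mask the card number, keep the key away from the card database, never store CVV) can be enforced in the storage layer itself. The following is an added illustration, not code from TJX, the council or any PCI tool; the key store class, field names and sample record are constructed for the example, and HMAC-SHA256 stands in for the encryption step because the Python standard library has no AES.

```python
import hmac
import hashlib
import secrets

# Constructed sample input (not real card data): what a point-of-sale system
# might hand to the storage layer, including the CVV it must not keep.
SAMPLE_RECORD = {"pan": "4111111111111111", "expiry": "12/09",
                 "cvv": "123", "amount": "49.99"}

# Sensitive authentication data that PCI DSS bars from storage after authorisation.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "track_data", "pin"}


class SeparateKeyStore:
    """Hypothetical stand-in for a key store outside the card database (an HSM or
    key server in practice). The database only ever sees output derived from the
    key, never the key itself, which is the separation Tranter calls for."""

    def __init__(self, key: bytes = b""):
        self._key = key or secrets.token_bytes(32)

    def keyed_hash(self, pan: str) -> str:
        # Keyed one-way hash: a lookup handle that is useless without the key.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def key_material(self) -> bytes:
        return self._key


def truncate_pan(pan: str) -> str:
    """Keep the first six (issuer) and last four digits; the middle is discarded."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def prepare_for_storage(record: dict, keystore: SeparateKeyStore) -> dict:
    """Return the only fields permitted to reach the database, or refuse."""
    present = FORBIDDEN_FIELDS & set(record)
    if present:
        raise ValueError(f"refusing to store authentication data: {sorted(present)}")
    stored = {
        "pan_truncated": truncate_pan(record["pan"]),
        "pan_ref": keystore.keyed_hash(record["pan"]),  # handle, not the PAN
        "expiry": record["expiry"],
        "amount": record["amount"],
    }
    # The key must never travel with the data: check before the row is written.
    assert keystore.key_material().hex() not in str(stored)
    return stored
```

A record still carrying the CVV is rejected outright; one without it is written with only the truncated number and a keyed reference, so a dump of the table alone yields nothing usable.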
Russo predicts that TJX will overhaul its security systems out of fear that customer data could be exposed again.
"They're going to go through all kinds of remediation. They're going to make sure nothing like this ever happens again. This is going to be the safest place to shop," he says. A US Federal Trade Commission (FTC) official confirmed earlier this month it has launched an investigation into TJX.