Executive Briefings

Could PCI Have Protected TJX--and Its Customers?

Remember the TJX customer-data debacle? 94 million credit cards were stolen by hackers. PCI--the payment card industry's security standard--could have minimized the damage.
As blissful consumers finished their holiday shopping, the TJX Companies and Visa were putting the finishing touches on a financial settlement for the massive, record-breaking, headline-stealing security breach discovered nearly a year earlier.
For the better part of 2007, TJX, owner of TJ Maxx, Marshalls and other stores, was raked over the coals for allowing hackers to penetrate its network over a three-year period and pilfer more than 94 million credit card records--the worst security breach in the history of the internet to date.
Part of the settlement that followed the inevitable lawsuits requires TJX to act as a promoter--at least four times this year--of the Payment Card Industry Data Security Standard (PCI DSS, commonly referred to as PCI). This means TJX executives or representatives will take to the stump to endorse and evangelize the standard that they willfully ignored by not upgrading the company's wireless network security from the obsolete Wired-Equivalent Privacy encryption to the more secure Wi-Fi Protected Access encryption. If TJX had implemented some basic security improvements and complied with the PCI standard when it first received warnings in 2005, the retailer possibly could have staunched the data bleeding through its porous security. At the very least, TJX security and IT staff might have discovered the breach nearly a year earlier.
PCI isn't impenetrable to hacker attacks and won't guarantee data protection. It does, however, set a minimum level of protection and assurance for the governance and safeguarding of credit card data handled by any organization that accepts credit card payments.
Source: Baseline, http://www.baselinemag.com
