By Larry Greenemeier
Jan 29, 2007
Before being hacked late last year, TJX Companies committed a very big
no-no in today's era of cybertheft.
The company, whose assets include 826 T.J. Maxx, 751 Marshalls, and 271
HomeGoods locations, was storing customer cardholder information in
violation of Visa and MasterCard's Payment Card Industry Data Security
Standard, according to a Visa Compromised Account Management System
alert sent Jan. 15 to financial institutions that issue cards and manage
An attack against TJX's IT systems resulted in the theft of TJX customer
information, including Track 2 Data, account numbers, and expiration
dates. Information stored on Track 2 of a Visa card's magnetic stripe
usually includes the cardholder's card number, the card's expiration
date, and the card verification value (CVV), a three- or four-digit code
on a card that's used to verify the card's authenticity. By comparison,
Track 1 is where alphanumeric data, including the cardholder's name and
address, is stored.
Merchants like TJX aren't supposed to store cardholder data because a
thief can use that information to create a counterfeit credit or debit
card using discarded gift card stock, says an executive at a California
credit union that issues Visa cards to its members. "I can see storing
data for a few hours or a day until transactions clear, but some of the
stolen data goes back to 2003," he adds. "That's a long time to be out
There are only two ways criminals are able obtain the information
necessary to make counterfeit cards, the credit union executive says:
"The data is either being stored, or someone at the vendor location is
skimming the information." Skimming is the illegal process where a
cashier or other employee will attach an electronic reader to their
employer's credit card reader to steal a copy of cardholder data as
purchases are made.
The credit union executive started seeing an increase in counterfeit
cards used to commit fraudulent transactions beginning last November.
The executive is speaking out against TJX's decision to store cardholder
information because his credit union, as an issuer of Visa cards, is on
the hook to pay for any fraudulent transactions charged to members'
accounts. Neither Visa nor TJX is responsible for reimbursing consumers
for their losses. Merchant banks, including Fifth Third Bank, that
provide the financial network and card readers that allow TJX stores to
accept credit and debit card purchases, however, could be subject to
fines from Visa of up to $500,000 if one of the merchants it does
business with violates the PCI rules.
The California credit union is issuing its members new cards, but this
is costing the credit union a few dollars for each card reissued, in
addition to the fraudulent charges it must absorb. The credit union's
executive says it's unclear at this time how much the TJX data breach
will cost his organization. TJX did not respond an InformationWeek
inquiry Monday about why it was storing cardholder information.
The data theft involved millions of card accounts across all major
payment brands accepted by TJX. Seventy-seven percent of the fraudulent
transactions committed using stolen TJX customer information from 2006
are being committed in the United States, in particular the states of
California, Florida, Illinois, New York, and Texas, according to a Jan.
23 e-mail distributed to financial institutions by Visa's director of
Although it was already too late to prevent the TJX data breach, Visa in
December said it would begin offering $20 million in financial
incentives and create new sanctions to spur merchant compliance with PCI
through its Visa PCI Compliance Acceleration Program. "The initiative's
goal is to eradicate the storage of full-track data, CVV2, and PIN data,
and grow PCI compliance among this group of merchants," Visa said in a
statement at the time. Merchants in full compliance with PCI by March
31, and who have not had any of their data compromised, will be eligible
to receive a one-time payment, although Visa doesn't specify the amount.
Visa has for the past two years been handing out fines for noncompliance
with PCI. In 2006, Visa assessed $4.6 million in fines, up from a 2005
total of $3.4 million. Banks that process credit card transactions for
businesses will be fined up to $25,000 monthly for any of their largest
merchants--those that process more than 1 million Visa transactions
annually--not in compliance with PCI by the end of the year. These banks
also are required to assure Visa that their merchants aren't storing
full-track, CVV2, or PIN data by March 31, or the banks will be eligible
for fines up to $10,000 per month.
Subscribe to InfoSec News