Saturday, November 10, 2007

Visa's big break to TJX on security standards during their data breach!

The TJX data breach -- which, in case you haven't heard, just doubled its estimate of records compromised from 45 to 90 million -- has caused a lot of finger pointing between the financial and retail sectors.

Of course, this was revealed in court filings (like the revelation below), and I'll be surprised if anyone is willing to answer any questions about it.

The latest is that Visa knew that TJX had "extensive security problems," but chose to let them off the hook, giving them until 2009 to become PCI compliant.

Evan Schuman of EWeek reports:

Credit card company Visa knew in late 2005 of the extensive security problems at TJX, but decided to give the retailer permission to remain non-compliant through Dec. 31, 2008, according to documents filed in federal court on Nov. 8.

The Dec. 29, 2005, letter from Joseph Majka, a fraud control vice president for Visa, was written months after cyber-thieves had already secretly infiltrated TJX's systems, starting the work that would ultimately become the worst data breach in credit card history.

Ironically -- while hackers were happily stealing a lot of PEOPLE's personal and financial information -- Visa wrote TJX telling them it would hold off on fining them as long as they were diligent in fixing the problem.

In 2007, Visa fined one of TJX's banks before the deadline had expired.

PCI compliance standards are enforced by the payment card industry itself. All that seems to be coming out of the largest data breach in history is a lot of finger pointing and litigation, which, like fines, are driven by financial incentives.

I hate to say it, but neither side of the fence wants to stop using plastic. They are both making billions of dollars in the process.

Perhaps -- if an entity with no financial stake in all this dictated the standards -- the people having their information stolen by criminals would be a LOT better off.

The question is: when are people (customers) going to come first?

eWeek story, here.

2 comments:

Evan Schuman said...

Agree with your comments. All except the "strangely enough" comment about Visa having later fined one of TJX's banks before the deadline had expired. The story you quoted explains it quite directly.
In the story's third paragraph, it quotes the letter saying that the fines would be suspended "provided (TJX) continues to diligently pursue remediation efforts." That was written late in 2005. The fines in question were given in the summer of 2007 when Visa reached the quite-legitimate conclusion that TJX's remediation pursuit efforts were not exactly diligent.

Ed Dickson said...

Agree, Evan, that didn't come out clearly. I will make a slight change. Thanks for your time and insight.