Of course, this was revealed in court filings (like the revelation below) and I'll be surprised if anyone is willing to answer any questions about it.
The latest is that Visa knew that TJX had "extensive security problems," but chose to let them off the hook to become PCI compliant until 2009.
Evan Schuman of EWeek reports:
Credit card company Visa knew in late 2005 of the extensive security problems at TJX, but decided to give the retailer permission to remain non-compliant through Dec. 31, 2008, according to documents filed in federal court on Nov. 8.
The Dec. 29, 2005, letter from Joseph Majka, a fraud control vice president for Visa, was written months after cyber-thieves had already secretly infiltrated TJX's systems, starting the work that would ultimately become the worst data breach in credit card history.
Ironically -- while hackers were happily stealing a lot of PEOPLE's personal and financial information -- Visa wrote TJX telling them they would be holding off from fining them as long as they were diligent in fixing the problem.
In 2007, Visa fined one of TJX's banks before the deadline had expired.
PCI compliance standards are enforced by the payment card industry themselves. All that seems to be coming out of the largest data breach in history is a lot of finger pointing and litigation, which like fines, are driven by a financial incentive.
I hate to say it, but neither side of the fence wants to stop using plastic. They both are making billions of dollars in the process.
Perhaps -- if an entity with no financial stake in all this dictated the standards --the people having their information stolen by criminals would be a LOT better off.
The question is when are people (customers) going to come first?
eWeek story, here.