Before being hacked late last year, TJX Companies committed a very big no-no in today's era of cybertheft.
The company, whose assets include 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods locations, was storing customer cardholder information in violation of Visa and MasterCard's Payment Card Industry Data Security Standard, according to a number of documents sent during the past few weeks by Visa to financial institutions that issue cards and manage credit and debit card transactions.
An attack against TJX's IT systems resulted in the theft of TJX customer information, including Track 2 Data, account numbers, and expiration dates. Information stored on Track 2 of a Visa card's magnetic stripe usually includes the cardholder's card number, the card's expiration date, and the card verification value (CVV), a three- or four-digit code on a card that's used to verify the card's authenticity. By comparison, Track 1 is where alphanumeric data, including the cardholder's name and address, is stored.
Merchants like TJX aren't supposed to store cardholder data because a thief can use that information to create a counterfeit credit or debit card using discarded gift card stock, says an executive at a California credit union that issues Visa cards to its members. "I can see storing data for a few hours or a day until transactions clear, but some of the stolen data goes back to 2003," he adds. "That's a long time to be out of compliance."
There are only two ways criminals are able obtain the information necessary to make counterfeit cards, the credit union executive says: "The data is either being stored, or someone at the vendor location is skimming the information." Skimming is the illegal process where a cashier or other employee will attach an electronic reader to their employer's credit card reader to steal a copy of cardholder data as purchases are made.
The credit union executive started seeing an increase in counterfeit cards used to commit fraudulent transactions beginning last November. The executive is speaking out against TJX's decision to store cardholder information because his credit union, as an issuer of Visa cards, is on the hook to pay for any fraudulent transactions charged to members' accounts. Neither Visa nor TJX is responsible for reimbursing consumers for their losses. Merchant banks, including Fifth Third Bank, that provide the financial network and card readers that allow TJX stores to accept credit and debit card purchases, however, could be subject to fines from Visa of up to $500,000 if one of the merchants it does business with violates the PCI rules.
The California credit union is issuing its members new cards, but this is costing the credit union a few dollars for each card reissued, in addition to the fraudulent charges it must absorb. The credit union's executive says it's unclear at this time how much the TJX data breach will cost his organization. TJX did not respond an InformationWeek inquiry Monday about why it was storing cardholder information.
The data theft involved millions of card accounts across all major payment brands accepted by TJX. Seventy-seven percent of the fraudulent transactions committed using stolen TJX customer information from 2006 are being committed in the United States, in particular the states of California, Florida, Illinois, New York, and Texas, according to a Jan. 23 e-mail distributed to financial institutions by Visa's director of fraud control.
Although it was already too late to prevent the TJX data breach, Visa in December said it would begin offering $20 million in financial incentives and create new sanctions to spur merchant compliance with PCI through its Visa PCI Compliance Acceleration Program. "The initiative's goal is to eradicate the storage of full-track data, CVV2, and PIN data, and grow PCI compliance among this group of merchants," Visa said in a statement at the time. Merchants in full compliance with PCI by March 31, and who have not had any of their data compromised, will be eligible to receive a one-time payment, although Visa doesn't specify the amount.
Visa has for the past two years been handing out fines for noncompliance with PCI. In 2006, Visa assessed $4.6 million in fines, up from a 2005 total of $3.4 million. Banks that process credit card transactions for businesses will be fined up to $25,000 monthly for any of their largest merchants--those that process more than 1 million Visa transactions annually--not in compliance with PCI by the end of the year. These banks also are required to assure Visa that their merchants aren't storing full-track, CVV2, or PIN data by March 31, or the banks will be eligible for fines up to $10,000 per month.
This story was updated Feb. 1 to clarify how Visa notified financial institutions about the Payment Card Industry Data Security Standard.