
TJX Stored Customer Data, Violated Visa Payment Rules

The company held on too long to cardholder data such as the card number, expiration date, and card verification value, according to alerts Visa sent to card-issuing financial institutions.

Before being hacked late last year, TJX Companies committed a very big no-no in today's era of cybertheft.

The company, whose assets include 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods locations, was storing customer cardholder information in violation of the Payment Card Industry Data Security Standard (PCI DSS) backed by Visa and MasterCard, according to a number of documents Visa has sent during the past few weeks to the financial institutions that issue cards and process credit and debit card transactions.

An attack against TJX's IT systems resulted in the theft of TJX customer information, including Track 2 data, account numbers, and expiration dates. Track 2 of a card's magnetic stripe holds the card number, the expiration date, a service code, and a discretionary-data field that carries the card verification value (CVV1, also called CVC1), a value the issuer uses to verify that the stripe being read is genuine. It is distinct from the three- or four-digit code printed on the card (CVV2), which is checked in card-not-present transactions; a thief holding the full stripe contents can encode a working counterfeit card without ever seeing the printed code. Track 1 carries the same account data in a different layout plus the cardholder's name; neither track stores an address.
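The track layouts described above, as an added example that is not part of the original article or any TJX or Visa code: a parser for ISO 7813 Track 1 and Track 2 strings, a scanner that finds such strings in stored text (a point-of-sale log, a database dump), which is how a merchant or assessor detects the kind of retention the rest of the article is about, and a reducer that keeps only what a merchant needs after authorization. The track strings and log lines are constructed for the example; 4111111111111111 is a conventional test PAN, not a live account, and the discretionary-data contents are placeholders, since real issuers lay that field out differently.

```python
"""Parse ISO 7813 Track 1 / Track 2 magnetic-stripe data, scan stored text
for it, and reduce a parsed track to the fields a merchant may keep once
the transaction has been authorized (PCI DSS forbids retaining full track
data, the card verification value in the discretionary field, and PINs).
Sample track strings and log lines below are constructed for this example;
4111111111111111 is a conventional test PAN, not a live account."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^\n]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?\n]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?\n]*)\?"
)

SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^251210110000123?"  # constructed
SAMPLE_TRACK2 = ";4111111111111111=251210110000123?"            # constructed
SAMPLE_LOG = (  # constructed POS log: the first line wrongly logs the raw track
    "2006-11-03 14:02:11 POS-17 auth request amt=59.99 "
    "track2=;4111111111111111=251210110000123?\n"
    "2006-11-03 14:02:12 POS-17 auth response code=00\n"
    "2006-11-03 14:05:40 POS-02 auth request amt=12.50 pan=411111******1111\n"
)


@dataclass
class TrackData:
    track: int
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str  # on a real card this field carries the CVV1/CVC1
    name: Optional[str] = None  # Track 1 only; no track carries an address


def luhn_ok(pan: str) -> bool:
    """Mod-10 check every PAN satisfies; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> TrackData:
    """Parse one complete track string; raise ValueError if it is not one."""
    m = TRACK1_RE.fullmatch(raw)
    if m:
        td = TrackData(1, m["pan"], m["exp"], m["svc"], m["disc"], m["name"])
    else:
        m = TRACK2_RE.fullmatch(raw)
        if not m:
            raise ValueError("not ISO 7813 track data")
        td = TrackData(2, m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_ok(td.pan):
        raise ValueError("PAN fails Luhn check")
    return td


def find_stored_tracks(text: str) -> List[Tuple[int, int, str]]:
    """Scan stored text for full-track data. Returns (line number, track
    number, matched string) per hit; Luhn-filtered to cut false positives."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for track_no, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
            for m in pattern.finditer(line):
                if luhn_ok(m["pan"]):
                    hits.append((lineno, track_no, m.group(0)))
    return hits


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits of a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def retainable_after_auth(td: TrackData) -> dict:
    """What a merchant keeps once authorization is complete: masked PAN,
    expiry, and name. The raw track, the discretionary data (CVV1) and the
    service code are dropped; storing a full PAN needs controls not shown."""
    kept = {"pan_masked": mask_pan(td.pan), "expiry_yymm": td.expiry_yymm}
    if td.name is not None:
        kept["name"] = td.name
    return kept


if __name__ == "__main__":
    for lineno, track_no, raw in find_stored_tracks(SAMPLE_LOG):
        print(f"line {lineno}: stored Track {track_no} data found")
        print("  safe to keep:", retainable_after_auth(parse_track(raw)))
```

The scanner only flags strings that carry the track sentinels and a Luhn-valid PAN, so a masked PAN such as the one on the third constructed log line does not trigger it; that is the distinction between the data the standard lets a merchant keep and the full-track data the article says TJX held for years.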

Merchants like TJX aren't supposed to store cardholder data because a thief can use that information to create a counterfeit credit or debit card using discarded gift card stock, says an executive at a California credit union that issues Visa cards to its members. "I can see storing data for a few hours or a day until transactions clear, but some of the stolen data goes back to 2003," he adds. "That's a long time to be out of compliance."

There are only two ways criminals are able to obtain the information necessary to make counterfeit cards, the credit union executive says: "The data is either being stored, or someone at the vendor location is skimming the information." Skimming is the practice in which a cashier or other employee attaches a covert electronic reader to the employer's card terminal and captures a copy of the cardholder data as purchases are made.

The credit union executive started seeing an increase in counterfeit cards used to commit fraudulent transactions beginning last November. The executive is speaking out against TJX's decision to store cardholder information because his credit union, as an issuer of Visa cards, is on the hook to pay for any fraudulent transactions charged to members' accounts. Neither Visa nor TJX is responsible for reimbursing consumers for their losses. Merchant banks, including Fifth Third Bank, that provide the financial network and card readers allowing TJX stores to accept credit and debit card purchases could, however, be subject to fines from Visa of up to $500,000 if one of the merchants they do business with violates the PCI rules.

The California credit union is issuing its members new cards, but this is costing the credit union a few dollars for each card reissued, in addition to the fraudulent charges it must absorb. The credit union's executive says it's unclear at this time how much the TJX data breach will cost his organization. TJX did not respond to an InformationWeek inquiry Monday about why it was storing cardholder information.

The data theft involved millions of card accounts across all major payment brands accepted by TJX. Seventy-seven percent of the fraudulent transactions made with stolen TJX customer data from 2006 have occurred in the United States, in particular in California, Florida, Illinois, New York, and Texas, according to a Jan. 23 e-mail distributed to financial institutions by Visa's director of fraud control.

Although it was already too late to prevent the TJX data breach, Visa in December said it would begin offering $20 million in financial incentives and create new sanctions to spur merchant compliance with PCI through its Visa PCI Compliance Acceleration Program. "The initiative's goal is to eradicate the storage of full-track data, CVV2, and PIN data, and grow PCI compliance among this group of merchants," Visa said in a statement at the time. Merchants in full compliance with PCI by March 31, and who have not had any of their data compromised, will be eligible to receive a one-time payment, although Visa doesn't specify the amount.

Visa has for the past two years been handing out fines for noncompliance with PCI. In 2006, Visa assessed $4.6 million in fines, up from a 2005 total of $3.4 million. Banks that process credit card transactions for businesses will be fined up to $25,000 monthly for any of their largest merchants (those that process more than 1 million Visa transactions annually) that are not in compliance with PCI by the end of the year. These banks also are required to assure Visa that their merchants aren't storing full-track, CVV2, or PIN data by March 31, or the banks will be subject to fines of up to $10,000 per month.

This story was updated Feb. 1 to clarify how Visa notified financial institutions about the Payment Card Industry Data Security Standard.
