[ISN] TJX Stored Customer Data, Violated Visa Payment Rules

From: InfoSec News (alerts@private)
Date: Mon Jan 29 2007 - 23:38:54 PST


By Larry Greenemeier
Jan 29, 2007

Before being hacked late last year, TJX Companies committed a very big 
no-no in today's era of cybertheft.

The company, whose assets include 826 T.J. Maxx, 751 Marshalls, and 271 
HomeGoods locations, was storing customer cardholder information in 
violation of Visa and MasterCard's Payment Card Industry Data Security 
Standard, according to a Visa Compromised Account Management System 
alert sent Jan. 15 to financial institutions that issue cards and manage 
Visa transactions.

An attack against TJX's IT systems resulted in the theft of TJX customer 
information, including Track 2 Data, account numbers, and expiration 
dates. Information stored on Track 2 of a Visa card's magnetic stripe 
usually includes the cardholder's card number, the card's expiration 
date, and the card verification value (CVV), a three- or four-digit code 
on a card that's used to verify the card's authenticity. By comparison, 
Track 1 is where alphanumeric data, including the cardholder's name and 
address, is stored.
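An added example, not from the article and not TJX's or Visa's code: a small Python scanner a merchant or QSA could run over stored transaction records to flag persisted full Track 2 data, the storage the article says PCI forbids. The Track 2 layout it matches (start sentinel, PAN, separator, YYMM expiry, service code, discretionary data holding the CVV, end sentinel) follows ISO/IEC 7813 rather than the article; the record fields and card numbers are constructed.

```python
import re

# Constructed sample of a merchant's transaction store. A1001 persists the raw
# Track 2 string read from the magstripe (what PCI DSS forbids); A1002 keeps only
# a masked PAN and expiry; A1003 looks like Track 2 but its PAN fails Luhn.
SAMPLE_RECORDS = [
    {"txn_id": "A1001", "auth": ";4539578763621486=27121011234567890?"},
    {"txn_id": "A1002", "auth": "PAN=************1486 EXP=2712"},
    {"txn_id": "A1003", "auth": ";1234567890123456=27121019876543210?"},
]

# ISO/IEC 7813 Track 2 layout (assumed from the standard, not stated in the article):
# ';' start sentinel, PAN (13-19 digits), '=' separator, YYMM expiry,
# 3-digit service code, discretionary data (where the CVV sits), '?' end sentinel.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check used by the card brands; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_stored_track2(records):
    """Return (txn_id, masked PAN, expiry) for each record holding full Track 2 data.

    The PAN is masked in the finding so the report itself does not become
    another copy of prohibited cardholder data.
    """
    findings = []
    for rec in records:
        for value in rec.values():
            m = TRACK2_RE.search(str(value))
            if m and luhn_ok(m.group("pan")):
                pan = m.group("pan")
                masked = "*" * (len(pan) - 4) + pan[-4:]
                findings.append((rec["txn_id"], masked, m.group("exp")))
    return findings


if __name__ == "__main__":
    for hit in find_stored_track2(SAMPLE_RECORDS):
        print("full Track 2 data stored:", hit)
```

A real sweep would walk database columns, log files and backups rather than an in-memory list, since the article notes the stored data reached back to 2003.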

Merchants like TJX aren't supposed to store cardholder data because a 
thief can use that information to create a counterfeit credit or debit 
card using discarded gift card stock, says an executive at a California 
credit union that issues Visa cards to its members. "I can see storing 
data for a few hours or a day until transactions clear, but some of the 
stolen data goes back to 2003," he adds. "That's a long time to be out 
of compliance."

There are only two ways criminals are able to obtain the information 
necessary to make counterfeit cards, the credit union executive says: 
"The data is either being stored, or someone at the vendor location is 
skimming the information." Skimming is the illegal process where a 
cashier or other employee will attach an electronic reader to their 
employer's credit card reader to steal a copy of cardholder data as 
purchases are made.

The credit union executive started seeing an increase in counterfeit 
cards used to commit fraudulent transactions beginning last November. 
The executive is speaking out against TJX's decision to store cardholder 
information because his credit union, as an issuer of Visa cards, is on 
the hook to pay for any fraudulent transactions charged to members' 
accounts. Neither Visa nor TJX is responsible for reimbursing consumers 
for their losses. Merchant banks, including Fifth Third Bank, that 
provide the financial network and card readers that allow TJX stores to 
accept credit and debit card purchases, however, could be subject to 
fines from Visa of up to $500,000 if one of the merchants it does 
business with violates the PCI rules.

The California credit union is issuing its members new cards, but this 
is costing the credit union a few dollars for each card reissued, in 
addition to the fraudulent charges it must absorb. The credit union's 
executive says it's unclear at this time how much the TJX data breach 
will cost his organization. TJX did not respond to an InformationWeek 
inquiry Monday about why it was storing cardholder information.

The data theft involved millions of card accounts across all major 
payment brands accepted by TJX. Seventy-seven percent of the fraudulent 
transactions committed using stolen TJX customer information from 2006 
are being committed in the United States, in particular the states of 
California, Florida, Illinois, New York, and Texas, according to a Jan.
23 e-mail distributed to financial institutions by Visa's director of 
fraud control.

Although it was already too late to prevent the TJX data breach, Visa in 
December said it would begin offering $20 million in financial 
incentives and create new sanctions to spur merchant compliance with PCI 
through its Visa PCI Compliance Acceleration Program. "The initiative's 
goal is to eradicate the storage of full-track data, CVV2, and PIN data, 
and grow PCI compliance among this group of merchants," Visa said in a 
statement at the time. Merchants in full compliance with PCI by March 
31, and who have not had any of their data compromised, will be eligible 
to receive a one-time payment, although Visa doesn't specify the amount.

Visa has for the past two years been handing out fines for noncompliance 
with PCI. In 2006, Visa assessed $4.6 million in fines, up from a 2005 
total of $3.4 million. Banks that process credit card transactions for 
businesses will be fined up to $25,000 monthly for any of their largest 
merchants--those that process more than 1 million Visa transactions 
annually--not in compliance with PCI by the end of the year. These banks 
also are required to assure Visa that their merchants aren't storing 
full-track, CVV2, or PIN data by March 31, or the banks will be eligible 
for fines up to $10,000 per month.
