Lessons learned from TJX: the cost and future of security
Friday, March 14th, 2008

Would you put a price on the security of your personal data? One company did, and now it is paying for it in a big way. For over two years, TJX, Inc. (the Massachusetts-based parent company of popular retail stores such as T.J. Maxx, A.J. Wright, and Bob's Stores) was unknowingly the victim of continuous data theft. By the time the problem was discovered at the end of 2006, an estimated 94 million credit card records had been stolen by hackers, making this case, as Baseline Magazine puts it, "the worst security breach in the history of the Internet to date." The company spent much of last year dealing with the fallout and trying to reach settlements with the affected customers and banks. Industry experts have harshly criticized TJX for not previously adhering to the Payment Card Industry Data Security Standard (PCI DSS, referred to below simply as PCI). As part of the settlement, TJX must act as a promoter of PCI, which, according to published reports, means having to endorse "the standard that they willfully ignored by not upgrading the company's wireless network security." The company expects to feel the fiscal hit of this catastrophe well into 2010.
Ironically, money was the reason behind TJX's lack of up-to-date security in the first place. As Baseline reports, the company's security had been measured against "check-box" compliance with PCI, meaning that as long as the company could claim to be technically following PCI's twelve requirements, it considered itself in the clear. This was a way for the company to cut corners and save money. It also illustrates the biggest weakness of PCI: though companies may be forced into compliance, the "check-box" method leaves the door open to free interpretation and manipulation of the minimum requirements, so a company can satisfy the letter of a requirement while the underlying control (here, the encryption protecting the store wireless network) remains inadequate. Perhaps in light of what happened at TJX, more businesses will think twice before cutting these corners. Saving a few thousand dollars during an audit does not compensate for the potential millions lost in a severe security breach.
While there is still some resistance to PCI in some venues, more businesses are adopting the standard, mainly due to pressure from the credit card industry. It has been reported that major card companies such as Visa will begin imposing hefty fines on businesses that do not adhere to the PCI model. And even though there is resistance for a variety of reasons (the initial cost of upgrading older systems, the complexity of the technology, the potential for impeding productivity, etc.), definite headway has been made in this area.
But what can consumers do to help themselves? Incidents like this are a strong reminder to be extremely careful with personal information and data. As one blogger reminds us, "As severe as the data breach has been for TJX, the company is hardly the only organization that has suffered from an embarrassing loss of its customers' personal information. And these types of data thefts are hardly limited to retail companies." It is important to realize that the possibility of identity theft is very real in our technology-driven world. However, as this blogger points out, there are several steps you can take to protect your personal information. These include thoroughly reading all correspondence from your financial institutions (bank, money lender, credit card company, etc.) and checking your credit report at least three times per year, so that a fraudulent account or charge is noticed early. Simple steps such as these can go a long way toward protecting yourself against identity theft.
New technology may also provide a way for consumers to protect themselves from fraud and identity theft. Nokia has developed a cell phone model containing Near Field Communication (NFC) technology that enables consumers to pay by touching their phone to a payment terminal, similar to some contactless systems used at gas station pumps. According to The Star Online, the technology is being tested in Malaysia, and consumers are reportedly responding well. This payment method could allow stores to check a purchaser's identity by comparing the unique serial number of the phone against the purchaser's records. One caveat a security practitioner would add: a serial number identifies a device, but it is not a secret, so such a check can corroborate that the expected phone was present but cannot by itself prove who was holding it.
Until new technology enables better security practices across the board, it is up to each company to weigh the cost of a security upgrade against the potential ramifications of a multi-million dollar lawsuit when customer information is breached. If TJX has taught us anything, it is that cutting corners can have devastating repercussions. A security program that genuinely meets PCI, one that has the customers' best interests in mind and does not simply follow a "check-box" model to satisfy the required standards, could be a wise investment for the future.
By Michael Gorvin
April 3rd, 2008 at 5:58 pm
Michael: The FTC treated TJX unfairly. The FTC should rethink the law of credit card security, and stop treating merchant victims of organized crime as culprits. –Ben