TJX employee fired for exposing shoddy security practices

TJX Companies, the mammoth US retailer whose substandard security led to the world's biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked. Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, …


  1. Anonymous Coward
    Black Helicopters

    PCI Compliant?

    I work for a company that actually IS PCI-Compliant.

    There's no way that these practices (if true) would pass. It depends on how they do it. It could be that TJX has a central core network that is PCI-compliant, and the store network is considered one big DMZ, with no customer credit card info stored on it.

    I dunno. From what I've seen at my company, TJX should lose the right to process cards. The penalties can be quite severe. I know that it was an enormous deal for us, and credit card processing is only a small part of what we do.

    Unless, of course, PCI compliance is something that can be purchased...

  2. David Simpson
    Black Helicopters

    Best Practice

    I think best practice with TK Maxx in any future purchases I make will be cash only.

    They will never get my new card numbers, best way to keep them out of hackers hands.

  3. heystoopid


    Sadly, in the land of the crazy, inept, armed to the teeth, incompetent and paranoid, this is not an isolated example of shoot the messenger, then allow managers to put their heads back in their fat posteriors and go back to sleep!

    Although judging by VISA International's low standards interface, all they ever do is from time to time just merely tender up a token fine, then go back to sleep as business as usual, as they operate on the percentage value take out where greed/need for $ exceeds logic, when fighting the eternal four way war between Diners Club, Amex & Mastercard dynasties!

  4. Tuomo Stauffer
    IT Angle

    It's not just TJX..

    Yes, it is easy to be PCI compliant and still totally insecure. When does it get through - security is not rules, regulations, tools or toys. Security is protecting property, information, and even humans and access to something which could be harmful or cause problems in the wrong hands. PCI is mostly nice acronyms and abbreviations, none really defined as to what they mean but assumed to describe something which has to be protected and how. Think of PCI itself, maybe it is "Peripheral Component Interconnect" - as good as "Payment card industry" or is it "Per capita income"?

    It would be so simple to write regulations as "you mishandle customer information in a way which causes loss or grief to a customer, you are denied the rights to do xxxxxxx." Leave the how to corporations, they always find a way to comply just because it would be a good business - don't make the security itself a lucrative business for snake oil companies which always find ways to sell "secure" solutions for other companies.

    And IT, because this is not an IT problem but a much, much wider one.. IT is not paid the salaries where these kinds of problems are solved.

  5. kain preacher


    Fine them. $5000 a day

  6. Anonymous Coward

    Of Course, Firing Him was STUNNINGLY Stupid

    Christ, they might as well have hired folks to stand outside their stores wearing sandwich boards.

  7. Anonymous Coward

    A shame?

    Isn't it always a shame when the numpties have authority? Well, isn't it?

  8. BillPhollins
    Paris Hilton

    PCI Compliance

    I work for a PCI DSS compliant company too. They should be required to change passwords every two months. But what I don't get is how did the hackers obtain unencrypted credit card details? Very few people (i.e. security officer(s)) should be able to access the credit card details, and even then they will require dual authorisation.

    I can only speculate that they were being duplicated in a non-PCI system for some shambolic reason.

    Paris, as she knows all about penetration testing.

  9. Anonymous Coward
    Anonymous Coward

    State evidence

    Assuming what he says is true (and having worked at several banks I would say there is at least scope for improvement everywhere) I think this guy can get himself comfortable with reporting breaches of various laws to the authorities. As far as I know TJX has several obligations it failed to meet so there will be no better way to cause discomfort.

    Good as it is - would you employ someone who talked out of school? This is not an opinion, it's a discussion question. Would you?

  10. Dave


    To me, PCI is what is found in computers and is a spec that allows information to be passed reliably and at high speed. So yes, they appear to be compliant with that...

  11. Svein Skogen

    Security is?

    As someone already pointed out, Security "is not rules, regulations, tools or toys."

    Imho, security starts out with attitudes, attitudes that can only come from education of employees. And here is the real problem: This is expensive. In two ways.

    First, only employing people that can actually be educated means only accepting people with a little intelligence, AND people that are loyal to their job, not only loyal to their own wallet. Such people cannot idly sit by and accept when the REMF managers purchase sub-standard equipment to allow for a pay-rise for the mid-level management. This basically means that intelligent and loyal people WILL find another employer, if the mid-level management is less loyal to the job than they are.

    Secondly, a lot of mid-level management finds that education of employees is a waste of money, that could otherwise have been used to pay for management bonuses. This basically means that greedy midlevel managers have no wish for employees that will give them added security, period.

    So, what can we as users do about this? Not much, really. The only thing we can do is to "vote with our wallets", and avoid buying anything from companies that have this kind of (lacking) standards. The problem here is that there isn't a single company that marks itself as a "better option", and thus there really isn't any option for us. This means that the option of "voting with our wallets" has been taken away from us, because all the alternatives have the same infection of greedy managers.

    But, there is a second alternative (but it's slower!): If each and every one of the customers that are unhappy about this wrote a letter to our parliament/congress/senate/whatever representative regarding our wish for legislation to handle the problem of shops not protecting customer data, we just might get something done. If we can get to the point where managers responsible for inadequate customer protection can be sentenced to jail time, we may get somewhere. Because this would remove those managers from their workplace, so they can be replaced. In time, we might even get decent managers in (or rather: We might get all the rotten ones stored away, probably due to some local variant of the third-time laws).

    And yes, I believe that the real problem is greed-in-midmanagement. Nothing more, nothing less.


  12. Doug

    deja vu all over again Yogi ..

    "My information is still on that server .. So if their network is insecure, then my information is insecure. I'd prefer they get it fixed"

    That's a good point. Anytime I draw attention to security vulnerabilities it's to do with self-interest. I don't want my 'stuff' on the Internet. The response, when you do tell them, is to totally ignore you. The CIO being a totally ignorant time-serving booze buddy colleague of the owner.

    At one company, a multinational Internet company, their ISA server got a 'virus' and it was contaminating the client desktops for months, before anyone noticed.

    Now that we all have to be in compliance with PCI, SOX, HIPAA, PCI-DSS and HSPD-12, I thought this sort of thing didn't happen anymore .. :)

    For anyone out there who doesn't actually work in computers, allow me to describe what 'compliance' entails. You fill out a bunch of forms and then send them off to some government department with a large check. They send you back a piece of paper saying you're now in compliance :)

    Now when some 'malware' tries to hack your machine, it'll first check that you are compliant and if so won't run, as it's well known that crooks don't break the law .. :)

  13. Doug

    time and motion ..

    In relation to my other post, I do believe no amount of regulation can work, for this reason. Most businesses have rules devised by senior management and usually unworkable on the shop floor. The poor suffering workers have to make do with obsolete and defective equipment, impossible deadlines and information hiding from some incompetent time server.

    Anyone who wants to see how a business would run with total compliance to the rules only has to see what happens when a union imposes a 'work to rule'. Let me give you an example: we were doing call center support. Sixty to eighty calls per day, maximum of five minutes per call, else we were called up and given a severe talking to.

    New PHB decided to implement an auditing system. So now, as we were taking the call and looking up 'error xxx in DLL yyy', we had to: open a new support record, enter OS, caller details and so on. A bunch of dropdown boxes and fields to enter. You were so attentive to the screens that you paid little attention to the caller and talked any old rubbish.

    These records presumably to be used to perform auditing on the types of calls we were getting. The trouble was the screen update was so slow, that we took to dealing with the support calls, then every so often opened up a bunch of new support records and entered total garbage. So PHB is happy he's got data to play with and we can get back to work - which is taking support calls and not filling in forms ...

  14. Anonymous Coward


    I was actually out shopping for some new threads last night, traveling away from home - I saw a TJ Maxx store and remembered all the security problems they'd had, and made the conscious decision to go to some other stores instead. Probably wound up spending more money at them because the discounts weren't as good...

    Reading this story this morning is reaffirming in the wrong way - I'm very glad I didn't go to TJ Maxx!

  15. Anonymous Coward
    Anonymous Coward

    @Tuomo Stauffer

    > PCI is mostly nice acronyms and abbreviations, none really defined what they mean but assumed to describe something which has to be protected and how.

    That's not been the experience at my company. We had a small data breach that didn't actually result in any customer data being compromised, and the stops were pulled out. Apparently, VISA gave us a few months to get our act together, or lose the ability to process cards. We made a major initiative, and the entire company, from top to bottom, went on a "wartime footing." Every procedure we have, from mailroom to boardroom, was changed to fit a high security posture. It's now more secure than defense contractors I've worked at.

    I have a friend who works for First Data, and he tells me how tinfoil they are over there.

    This is all for PCI.

  16. Nell Walton
    Thumb Up

    TJX whistleblower fired

    I feel for this poor guy - I'm sure he felt he was trying to do the right thing. I've been there, done that - spent 3 years in litigation over the same issue. Thing about PCI is that the auditors can only check what they know about. If the company doesn't fully disclose all of the information about their environment then the PCI DSS is pretty much useless. To get an idea of what it takes for an IT professional to successfully blow the whistle check

  17. Anonymous Coward
    Anonymous Coward

    Easy solution?

    How about we have decent regulators, both here in the UK and in the US?

    If these companies were actually brought to account and fined or prosecuted in any meaningful way, then perhaps we might see a difference in attitude. If TJ Maxx were fined, shall we say, $1 per record - that's a $94m fine. I think there might be a different approach in the corporate world after such a fine.

    Of course, that's far too sensible an approach, and as such, will never happen.

  18. Peter Gold badge

    Easy solution: almost there

    I'm actually with an earlier poster - we're no longer dealing with a technology problem, this is a human problem. The issue with the above "Easy solution" is that it doesn't create personal responsibility and is thus unlikely to work. Example: what changed after MS got YAF (Yet Another Fine)? Exactly, nada, nothing. The moment you pull directors from behind that legal shield a company represents and make them PERSONALLY liable for such offenses, THEN matters will change.

    The guys at the top need to know that they are going to get personally hit before they will act, at the moment it's still too easy for incompetents to hide behind "I didn't know" (Enron defense) and sacking some poor shlob so he/she leaves and takes the blame away. Nothing beats the risk of personally having to take the rap to focus someone's attention.

    It's a human problem - not technical.

  19. Doug

    high security posture ..

    "Every procedure we have, from mailroom to boardroom, was changed to fit a high security posture. It's now more secure than defense contractors I've worked at", @Tuomo Stauffer

    Does this posture result in computers that can't be hacked? If so would you please inform the rest of the IT ECOSYST~1.

    Would those 'defense contractors' be running the same kind of systems as UFO nut Gary McKinnon, who got in using a keylogger and servers, all using the same default password?

    "This is all for PCI", @Tuomo Stauffer

    If you weren't secure before PCI, then what the heck were you doing processing credit card details?

    "This validation gets conducted by auditors .. Smaller companies .. are allowed to perform a self-assessment questionnaire" PCI

    This had to be thought up by a lawyer or a bean counter. As I suspected, a bunch of forms .. :)

  20. Anonymous Coward
    Anonymous Coward


    It's possible to pass a PCI audit without being compliant, they can't possibly check every server/PC in a single building never mind branch offices etc... much of the audit is along the lines of... "Is there unencrypted card holder data on that machine?"... Yes/No, all that is required from the company is a slight shake of the head and that's OK for them.

    If properly implemented PCI would (and does in many cases) ensure better security for card holder data. But as has been said before it's not just procedures that need to change, attitudes need to as well, staff need to understand why these procedures are put in place before they can be relied on to take the security seriously.

  21. Anonymous Coward

    Improper Icon Usage

    > Does this posture result in computers that can't be hacked?

    > If you weren't secure before PCI, then what the heck were you doing processing credit card details?

    You should use the JOKE ALERT icon. People might mistake these for serious questions.

  22. night troll

    Just what......

    ....was this guy to do? He had reported it to his managers, they did not want to know; he reported it to the company, they did not want to know; so what's the next step? Go public! As he said, his info is on those servers so he will be affected by this lack of security, but he was in a position to do something and try to get it corrected.

    I suppose he could have gone to the credit card companies but would that have gone anywhere? Probably not. In my experience the card companies are only interested in making sure they do not have to pay out for any attack on the system, it's a blame culture thing. They are only interested in shifting the blame and therefore the cost away from themselves, not in the security breach itself. He was in a no win situation, but should be supported by the law in what he has done, not penalised by it.

  23. Anonymous Coward


    Our PCI compliance was a self-audit.

    'nuff said.

  24. Dennis
    Thumb Up

    @ Nell Walton

    Thanks dude. That was a good read. I hope I never have to build off of your experience (though my gut says this will become more common in the future).

  25. Kevin Kitts

    Even more unbelievable the second (?) time...(long post)

    In order to change the practices, you have to change the culture.

    The managers want to optimize the workflow; i.e., do as little as possible to make things work smoothly. They cut corners (like passwords, etc.) because they are uneducated or uncaring about computer security.

    Well, it's time to re-learn about Darwin. Those who are most adaptable will survive. This concept is usually connected with cutting out the people at the bottom of the barrel. However, Darwin's concept also cuts out people at the **TOP** of the barrel. It cuts out those too idiotic to succeed, and also those who succeed too well (where the rest of the population usually gangs up on the rogue and takes them down as a threat to their way of life). If you were ever beat up in school for being a nerd or geek (too intelligent), you know what I'm talking about.

    Sound familiar? If you've ever heard the word "overqualified" with regards to a job interview (as I have several times), you're a victim of Darwin. Mediocre managers tend to get rid of employees smarter than themselves (and avoid hiring them at every opportunity). The other common phrase is "not a good fit for the organization". It used to be a case of intelligence alone, but now it's skill-related. If you know more about the security than the boss, and you tell them about it, they automatically think you're out for their job, they circle the wagons, start looking for things in your performance they can fire you for, and if that fails, they start making things hell for you in the hopes that you'll quit on your own. You're too smart for them to handle, and you're making them look like an idiot. And those kind of managers certainly are idiots, since they could just as easily take your brilliant discovery and make their own boss think it's their own discovery (and help the company in the process).

    So how, then, do you change the (corporate) culture? Some of the previous posters had good ideas, such as fining the company and firing the morons in charge of security. But other things are necessary, like independent audits and firing board members (or even entire boards where corruption and incompetence are rampant). Government regulation is also necessary, to prevent the entire company from going corrupt, and also to step in and take over the company (temporarily) if they're a risk to the nation's security as a whole. Once the problems are fixed and the workers are assessed on their performance, suitable replacements can be picked from the company workers, or brought in from outside the company. (In almost no case should a company be nationalized permanently, or completely disbanded as a hopeless case.)

    Some of you probably think I'm nuts with that last bit, but consider just how much hackers and thieves can get away with when they get millions of credit card numbers. Say, for instance, one million card numbers with a balance of 1000 [insert currency unit here]'s apiece. It's not a question of regulation, it's a case of grand theft credit card, when potentially billions of dollars/pounds/etc. are on the line, and if that money is lost, it can have a disastrous effect on the national economy.

    If you don't believe me, look at Exxon/Mobil's profits, and tell me they don't need strong governmental regulation - our US economy is (pardon the horrific pun) tanking right now because they're war-profiteering and price-gouging. Every sector is suffering greatly, because nobody has money to spend, and corporations pass their price-of-doing-business increases directly on to the consumer.

    The company who bought Bethlehem Steel made all of the steel worker's retirement contracts null and void, ruining the lives of hundreds of retired workers and those near retirement. Enron, Worldcom, the list of corporations blatantly breaking the rules has grown all too long (especially in the last 8 years). Those who aren't breaking the rules seem to be lobbying the government to change the rules to work for the corporations, and not the consumers.

    Basically, you have to change the **entire** culture, not just one part. Corporate culture is top-down, and that's the only place you can change it. Corporate whistle-blower laws aren't all they're cracked up to be. The only real way to do it is to make the government the top dog. Corporations only have allegiance to the almighty [insert currency unit here], so they have to be made to follow the law. Why put the government at the top? Because the government is (for the moment) still accountable to all of the citizens of the nation (and not just those who pay). Also, if the government doesn't do it, obviously the corporations won't police themselves effectively.

    Put it this way: if the US government threatened to nationalize Exxon/Mobil and fire Exxon's entire board and corporate staff next time they had an incident like the Valdez disaster, you'd better believe they'd shape up fast. Remember, corporations are like children: they are nursed and grow up in the country where they were spawned, until they get too big and go out on their own. However, the analogy ends there, where the corporation beats up and spits on their parent country by behaving despicably (like all the above corporations, and so many more).

    For my final two cents, just keep in mind that corporations are like any gang; whatever their members do is done by the entire gang, so that they protect their members. The gang's responsible, not the gang members. Bullshit. If they want the entire gang to be responsible, then when they screw up somebody's life, you find **each and every gang member** and lock them up. That's what they wanted, isn't it? No personal responsibility, just group responsibility? That's how you fix the corporate culture. Hold them all to account. The profit of the company and the good of the company are two separate and distinct things, and every member of the corporation should be making sure the company does things for the good of the company (or it's their ass in the fire too).

    The feds really need to step in. Flame, because all the nations of the world will go down in flames if their governments don't get in there and get back the reins of power from the corporations.

  26. Frederick Karno

    Tuff break

    I feel for the guy involved but I have to thank him for pointing out this company's lack of respect for customers' data.

    They are obviously arrogant enough not to care, but they will sit up and take notice if their banks tell them to get a grip. If all the people who had their details stolen had gone to the banks and demanded new cards it might have been a different story, I certainly would have, but people are complacent about their own security with an "it won't happen to me" attitude. As a warning, it will happen and it's only a matter of time, so get your own act together people and don't use shops like this.

    Regulators have a role to play too but as toothless puppets they never seem to be around when they are wanted.

  27. Andrew Barratt

    PCI Compliance

    There's a lot of chatter about PCI compliance being just something that gets in the way. But, it's given a lot of security managers a very good business case for implementing proper security measures over card data. I've worked as a PCI QSA and have worked with several organisations that have struggled with compliance and security. Whilst it's true that the auditors can only look at what is disclosed, they should be involved in scoping out the infrastructure for compliance.

    Just remember compliance is not security.

  28. Anonymous Coward

    So, you think PCI is a joke. What's your alternative?

    It's not whistleblower protection. That's closing the barn doors after the horses are gone.

    It's always amazing to see complaints, but no solutions.

  29. Anonymous Coward
    Anonymous Coward

    @BillPhollins RE: PCI Compliance

    If I remember right, the hackers managed to get software on the tills that got the card details before they were encrypted.

  30. Dan Goodin (Written by Reg staff)

    @BillPhollins RE: PCI Compliance

    AC, I think you're confusing the TJX breach with a different breach. TJX secured its network with WEP, allowing the intruders easy access. TJX also held on to data well after it should have dumped it.


  31. This post has been deleted by its author

  32. Anonymous Coward
    Paris Hilton

    @Anonymous Coward

    Any halfway decently run company wouldn't have given him anything to talk about 'out of school' or would have had in place procedures to investigate and fix problems like this. Frankly, I'd be looking to fire a *lot* of other people instead of the whistle blower. Don't forget, he didn't expose any data or anyone's details, he just told about the lack of security because nobody in the company would listen.

    Paris. Someone else beat me to the penetration testing line but it's still there in spirit.

  33. paulc
    Thumb Up

    asses on the line...

    Peter... "The moment you pull directors from behind that legal shield a company represents and make them PERSONALLY liable for such offenses, THEN matters will change.

    The guys at the top need to know that they are going to get personally hit before they will act, at the moment it's still too easy for incompetents to hide behind "I didn't know" (Enron defense) and sacking some poor shlob so he/she leaves and takes the blame away. Nothing beats the risk of personally having to take the rap to focus someone's attention.

    It's a human problem - not technical."

    yup, he's right... this is why companies pay so much attention to health & safety regulations because their asses are on the line...

  34. TeeCee Gold badge

    @Kevin Kitts

    If you really believe that Government is even remotely capable of a) legislating / controlling this correctly or b) understanding the issues involved, you really are terribly naive.

    To get an idea of the Governmental approach to complicated issues, make a famous phrase or saying containing all of the following words: Arse, Using, Map, Hands, Torch, Both, Find, Own, Can't, Without.

  35. Anonymous Coward

    PCI standards guy bribed to sign them off by any chance?

    For some things, there's proper auditing, skill, the correct attitudes and so on.

    For everything else, there's mastercard.

    (For details, see TJX systems.)

  36. Slaine

    Darwin, as expanded by Kevin Kitts.

    Oh yes indeed. I Remember being told after an UNsuccessful interview that the "real" (as in pathetic disney cartOOn version) reason that I was not offered a position was that the manager interviewing me knew that I out-qualified him, out-performed him and would likely have his job within 18 months.

    I remember too being taken aside after a successful interview and being told that the panel openly expected me to be gone within 2 years (on to greater things) but that they believed the work I could achieve in that time would far outweigh the cost of interviewing a replacement.

    But what we have here, pervasive throughout society, industry and government (yes, lizard-bashing time again) is nothing to do with the Darwinesque "survival of the fittest" (AKA best adapted for the situation, not necessarily the brightest, strongest, fastest or most appropriate) but more akin to Dawkins' "Selfish Gene" in which we, as individuals, are compelled to do that which most benefits "our own kind", be that siblings, family, those we consider our "brothers (Oh fek, AND sisters, and non-gender/race/ability specific homies)".

    Sadly, the human species has now diverged. The bulk of control now resides squarely in the hands of the sub-intelligent, narrow-minded, poorly educated, mentally stunted average. They have no spark. They lack insight, they lack inspiration and, most dangerously, they know it. In order therefore to protect their own survival, they are compelled to ensure that the gifted among us are never given an opportunity to excel (OMG - isn't that an interesting one-word oxymoron?) as the result MIGHT impinge on their own success.

    And so here we are, employed, controlled and governed by the monkeys, leeches and lizards; watching (and metaphorically weeping) from the position of impotent observer as the entire global economy collapses. We've recognised the problem for decades, we've suggested ways to alleviate the problems, we've been ignored at best and persecuted in practice.

    There are laws in place to prevent abuse of the law, but only if you belong to the correct species.

  37. Rune Moberg

    using modern technology to protect the ancients

    The technology employed by the card companies is what, 50 years old? We have a plastic card with numbers printed on it. Every time I pay for gas, someone can memorize those numbers. When the waiter disappears out the back to process my card, he can simply put the thing in a photocopier and use those numbers just as if he had hacked into a server somewhere holding that information. (or, since most restaurants don't have a handy photocopier, he could photograph the card using most mobile phones)

    Something is very, very wrong with this picture.

    Norwegian web shops are required to use a centralized payment system. When completing a transaction, I am redirected to a separate server which verifies who I am by requiring me to use the same login credentials I use to access my bank by web. This means an attacker has to steal my key generator, guess my PIN code for that thing, as well as cough up the usual information like card code and expiration date. Granted, the four digit PIN code is guessable, but I believe the thing shuts down permanently after three failed tries.

    That is at least one step in the right direction. The web shops here never get access to my credit card information. Using my Mastercard in non-virtual shops/restaurants around here is still a gamble though. Especially abroad.

    I realise it will be difficult to implement such a system on a global scale, but by George, they have to do *something*! Smart cards were believed to be _the_ solution twenty years ago. Whatever happened to those?

    "PCI" is not a solution. It only underlines some of the challenges faced with the present outdated system. I have to trust a bunch of 18-year olds every time I use my card? Fsck that.

    Incidentally, last week I tried to withdraw cash from ATMs in Belgrade. The machines refused to accept my Mastercard. I wasn't in any real need of cash (staying with a friend), so I never got around to trying my Visa card, but even that failed me a year ago. I.e. the current system works poorly at best.

  38. Anonymous Coward
    Anonymous Coward

    So much for the application of ...

    SARBOX regulations. I understood - evidently wrongly - after Enron, when some of the thieves had been brought to book, that the act of Messrs Sarbanes and Oxley was passed into law and required the financial information processing systems of US-trading companies with more than 25 (or was it 50?) US shareholders be secure and audited.

    Clearly, silly me must not be in tune with modern approaches to information systems setup. Surely no CFO of a major US corp would be silly enough to want Federal porridge to help build their strength in one of those nice US correctional facilities. How many other US Corps pay lip service to SARBOX? How many paid auditors let this sort of stuff pass? What happens in systems of companies based abroad?

    It's all rather sad and predictable, if not evidently detectable. Regulations are in place - penal enforcement isn't (except for the "little people")!

  39. John Dougald McCallum

    @ Kain Preacher

    That sort of money is petty cash to this company. x10 and you might get their attention.

  40. John Dougald McCallum

    Server security

    I worked for a plastics company as a QC operative for three months (temp)

    and they changed the password twice on the stockcontrol servers in that time that I know of

  41. Anonymous Coward

    A security model that trusts merchants is fundamentally unsound

    The mag stripe card payment security model assumes that tens of millions of merchants and merchant employees can be trusted. But it is completely implausible that such a number of people have the integrity, diligence and expertise to protect the system against fraud.

    There was a cryptographic payment protocol, SET, that was developed by IBM, Visa and Mastercard for use by chip card holders. The identifying secrets never left the card, and the merchant received no information that could be used to commit fraud.

    It seems to have pretty much disappeared. One of the objections to it was from merchants, who wanted to get the card number so they could use the number as a customer identifier in their systems.

    Possibly, given the cost of PCI and the reputation risk involved with acquiring cardholder numbers, merchants might be more agreeable to adopting SET or a similar protocol.
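
    The property the post above describes (the merchant verifies a purchase without ever receiving the card details) comes from SET's "dual signature": the cardholder hashes the order information (OI) and the payment instructions (PI) separately and signs the hash of the two hashes, so each party gets only its own half plus the other half's hash. The following is an added illustration, not code from the original thread or from the SET specification. It uses a toy textbook-RSA key with two small primes and SHA-256 (SET used 1024-bit RSA with SHA-1), omits the digital envelope that encrypted the PI to the bank's key, and all order and card data in it is constructed sample input.

```python
import hashlib

# Toy cardholder RSA key, constructed for illustration only: two well-known
# ~2^30 primes give a ~60-bit modulus. Real SET used 1024-bit keys.
_P, _Q = 1_000_000_007, 998_244_353
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python >= 3.8)


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # SET used SHA-1; SHA-256 here


def rsa_sign(dgst: bytes) -> int:
    return pow(int.from_bytes(dgst, "big") % N, D, N)


def rsa_verify(dgst: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(dgst, "big") % N


def cardholder_purchase(order_info: bytes, payment_info: bytes):
    """Build the two SET-style messages.

    The dual signature DS = Sign(H(H(PI) || H(OI))) binds order and payment
    together, yet the merchant receives only OI plus H(PI) and the bank
    receives only PI plus H(OI). Neither half is useful to the other party.
    """
    oi_h, pi_h = digest(order_info), digest(payment_info)
    ds = rsa_sign(digest(pi_h + oi_h))
    to_merchant = {"oi": order_info, "pi_hash": pi_h, "ds": ds}   # no card data
    to_bank = {"pi": payment_info, "oi_hash": oi_h, "ds": ds}     # no order detail
    return to_merchant, to_bank


def merchant_verifies(msg) -> bool:
    # Merchant recomputes H(OI) itself and takes H(PI) from the cardholder.
    return rsa_verify(digest(msg["pi_hash"] + digest(msg["oi"])), msg["ds"])


def bank_verifies(msg) -> bool:
    # Bank recomputes H(PI) itself and takes H(OI) from the cardholder.
    return rsa_verify(digest(digest(msg["pi"]) + msg["oi_hash"]), msg["ds"])


def demo() -> dict:
    # Constructed sample data; the PAN is a standard Mastercard test number.
    oi = b"merchant=shop-0042;item=jacket;amount=59.99;nonce=7f3a"
    pi = b"pan=5555555555554444;exp=12/09;amount=59.99;nonce=7f3a"
    to_merchant, to_bank = cardholder_purchase(oi, pi)
    # A merchant that alters the order (e.g. the amount) breaks the signature.
    tampered = dict(to_merchant, oi=oi.replace(b"59.99", b"5.99"))
    return {
        "merchant_ok": merchant_verifies(to_merchant),
        "bank_ok": bank_verifies(to_bank),
        "tamper_detected": not merchant_verifies(tampered),
        "pan_reaches_merchant": b"5555555555554444" in to_merchant["oi"] + to_merchant["pi_hash"],
    }
```

Running `demo()` shows both parties verifying the same signature while the merchant's message contains no card number, which is exactly the reason merchants who wanted the PAN as a customer identifier objected to the scheme.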

  42. Miami Mike

    Advantages of paying cash

    no interest payments or annual fees

    no reason to fear the postman because he might be bringing you bills (again)

    no audit trail - buy whatever you want, where ever you want, no tracking

    no problems with authorization, credit limits, exchange rates, surcharges

    limited liability - if you lose some cash, it is gone - if you lose your credit cards you get to call all of them, file endless reports, prove it wasn't you who bought a new car, fight with all the issuers for new ones, risk your credit rating

    cash is identity theft proof

    cash leaves no computer trail to incriminate you

    NO DEBT!!!!! That is the real freedom.

  43. Anonymous Coward

    @ Miami Mike

    Way to go dude!

    100% correct of course.

    CC are for the sheeples!!

  44. andy


    How did they reveal Mr Mauler's online anonymity? A subpoena?

    Time we all started to be more careful about covering our tracks...

  45. TrishaD


    The day someone invents a technology that allows me to shove £5 notes into a USB slot on my PC, I'll consider cash as a serious competitor...:)

    Back to the topic however,,,

    PCI is actually a very useful and pragmatic standard and, if implemented rigorously and with commitment, can be of considerable value. I think that the issue of enforcement however is a very real one and we certainly don't seem to be seeing the imposition of serious penalties for non-compliance. Not only are merchants reluctant to step up to the mark (understandably because it costs money) but acquiring banks seem not to be that tough at enforcement either. Add to that the fact that Visa (for example) are owned by the banks and financial institutions that constitute its membership, then you may have some clues as to why merchants aren't being penalised as they should be...

    But PCI is only a technical standard, and the issue here isn't really about technology, it's about an organisation who evidently still have a totally cavalier approach to their customers' data and have paid lip service only to the protection of that information. A perfect example of this is that the employee in question, having raised his concerns with line management, got no response and felt obliged to play whistleblower.

    All the technical compliance in the world is no substitute for the genuine management of information security. Had TJX taken security seriously at all, then there should have been processes in place to allow people like him to report security breaches and have them acted upon. It's this sort of senior management oversight that Sarbanes-Oxley was intended to assure and where it consistently fails to do so. Sarb-Ox is sadly a complete camel, a knee-jerk reaction to public outcry over Enron and appears to have added little value other than to the stock value of the large consultancies. ISO27001 addresses the requirement quite well but, like PCI, lacks teeth.

    The earlier comment regarding UK Health & Safety legislation was a good one. Employers who demonstrate that they have failed in their duty of reasonable care for the welfare of staff are guilty of a criminal offence and, yes, that does mean the prospect of imprisonment for named individuals in positions of responsibility.

    Organisations like TJX who continue to play fast and loose with customer information could do with something similar to focus what passes for their minds .......

  46. Anonymous Coward

    Stay low and get out while you can,....

    Am amused by the tone of some of the postings. I had a major battle with my last employer over constructive dismissal and it turned into a nasty fight. Would have been easier and cheaper to bow out early before it got too nasty.

    If you find something wrong, take a good long look at it, get some records to cover your arse and then get out quietly. Too much ego or naivety can send you into political "alligator swamps" that you may never escape from.

    No-one likes employing martyrs.

  47. Anonymous Coward
    Thumb Down

    What qualifies this guy to know anything about the PCI compliance of the company

    TJ Maxx isn't non-compliant just because this joker has access to unprotected systems. If those systems don't have access to the payment network or to records displaying the entire credit card number then TJ Maxx is compliant. They may be leaving their door open to having their store support systems compromised without compromising the payments. If the systems are out of the scope of the PCI-related systems then it doesn't matter. Congratulations mister college student TJ Maxx STORE employee. You screwed yourself out of a job leaking information that is probably irrelevant to the security of the credit card transactions.

  48. TrishaD

    @ AC

    I'd find it hard to believe that TJX would be vigilant about protecting one area of their network (the bit that holds credit card information) and at the same time be extremely lax in protecting another production network component.

    Usually people either protect their networks or they don't. Were I an auditor (which, thank goodness, I'm not) the phrase 'Underlying control weakness' would spring to mind........

  49. Chad Larson
    Dead Vulture


    They got into the TJ Maxx (and therefore Marshall's and Bob's and others) by camping outside a store with a laptop, cracking the simple WEP key the store was using, and intercepting the data transfers between the wireless in-store terminals and the store back room system. They eventually got enough authentication information to log into the store's system. From there they created hidden back door accounts and started collecting information for them to get into the home office central computers. And from there, copied credit data on almost 100 million people.
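
    To show why sniffing WEP traffic from a car park yields usable data, here is an added worked example (not code from the thread, nor a reconstruction of the attackers' tooling). It does not implement the key-recovery attacks that let an attacker "crack the WEP key"; it demonstrates the simpler weakness that makes WEP traffic decryptable even without the key: WEP seeds RC4 with a 24-bit cleartext IV prepended to the shared key, so IVs repeat quickly, and one frame with predictable contents under a given IV hands over the keystream for every other frame sent under that IV. The key, IV and frame contents below are constructed sample data; the CRC-32 ICV is omitted because it adds no secrecy.

```python
from __future__ import annotations

import math
from typing import Dict, Optional, Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || root key) XOR data."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + xor(plaintext, rc4_keystream(iv + root_key, len(plaintext)))


def wep_decrypt(root_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor(body, rc4_keystream(iv + root_key, len(body)))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> Tuple[bytes, bytes]:
    """Attacker side, no key needed: a captured frame whose plaintext is
    predictable (fixed protocol headers, an ARP request, a replayed packet)
    gives the keystream for its IV, because C XOR P == keystream."""
    iv, body = frame[:3], frame[3:]
    return iv, xor(body[:len(known_plaintext)], known_plaintext)


def decrypt_reused_iv(frame: bytes, keystreams: Dict[bytes, bytes]) -> Optional[bytes]:
    """Decrypt any later frame sent under an IV whose keystream is already known."""
    iv, body = frame[:3], frame[3:]
    ks = keystreams.get(iv)
    if ks is None or len(ks) < len(body):
        return None                           # IV unseen, or keystream too short
    return xor(body, ks)


def iv_reuse_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least two of `frames` randomly
    chosen IVs collide. Crosses 50% after roughly 5000 frames for 24-bit IVs,
    i.e. within minutes on a busy store network."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))


def demo() -> Optional[bytes]:
    root_key = b"store-key"                    # hypothetical shared WEP key
    iv = bytes.fromhex("0a0b0c")               # IV the access point reuses
    known = b"GET /stock/lookup?sku=12345 HTTP/1.0\r\n"   # constructed, predictable
    secret = b"POST /login user=clerk pw=hunter2\r\n"     # constructed, sensitive
    sniffed: Dict[bytes, bytes] = {}
    seen_iv, ks = recover_keystream(wep_encrypt(root_key, iv, known), known)
    sniffed[seen_iv] = ks
    # The second frame reuses the IV: it falls to the keystream we already hold.
    return decrypt_reused_iv(wep_encrypt(root_key, iv, secret), sniffed)
```

The practitioner's takeaway is that WEP's failure is structural, not a matter of key length: a 104-bit key with the same 24-bit IV space leaks the same way, and the only real fix is a scheme with per-packet keys and a real MIC (WPA2/CCMP or better).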

  50. Nigee

    wriggle room

    PCI DSS leaves a lot to be desired as a 'standard', there's several ambiguities and some will argue that it's no more than a lawyers' bean feast to enable the card companies to offload liability. The fact that the 'standard' is crappy doesn't stop companies using compliance with it as a PR smokescreen. It's a beautiful concept: a shonky standard that gets the corporate players off the hook, leaving the poor old card holder with the problem.

    As for fines, the acquiring bank can fine the company, but the real financial penalty is the $25 + 5 per card that card issuing banks, etc, can charge the offending company. 94M x $25 is not an insubstantial amount. So what's stopping them?

  51. TrishaD


    What's 'shoddy' about it?
