Federal Trade Commission Misunderstands Card Data Privacy.
Rethink PCI Law.
The TJX credit card data break-in is reputed to be the largest in history. On the heels of the incident, many credit card issuers replaced cards believed to be compromised. Replacing cards is expensive (not to mention disruptive to consumers), and many card issuers demanded, through lawsuits and otherwise, that TJX reimburse them. In December 2007, TJX settled one class action lawsuit with issuers of affected VISA cards, agreeing to pay $41 million. Dow Jones Newswires, "TJX Gets Over 95% Acceptance Of VISA Settlement Agreement," December 20, 2007. In May 2008, TJX said it had support for settlement with Mastercard issuers for $24 million.
The Federal Trade Commission concluded that TJX had maintained inadequate controls to protect credit card data and had therefore committed unfair trade practices. Consequently, the Commission has punished TJX by requiring it to adopt new controls (in the vein of PCI, the Payment Card Industry Data Security Standard) and file extensive paperwork with the government for years to show that the controls are in place.
That's the background. Now think about this . . . In August 2008, federal authorities announced indictments of the ring of criminals at the heart of the TJX heist. The ring had stolen data from both TJX and many other retailers. According to authorities, the criminals used stolen data to withdraw tens of thousands of dollars at a time from automated teller machines. Their ATM withdrawals added up to hundreds of thousands of dollars.
Further, last year six people were convicted in Florida for using data, apparently stolen from TJX, to buy gift cards and goods worth AT LEAST ONE MILLION DOLLARS. Jon Swartz, "11 Charged in TJX Identity Theft," USA Today, August 6, 2008.
Do you see an imbalance here? TJX settles with VISA & Mastercard issuers for $65 million, whereas the actual reported fraud is only a tiny fraction of that amount. Further, when card issuers canceled all those cards, they alarmed and inconvenienced millions of cardholders to excess.