Security experts say banks that are suing TJX Cos. Inc. over the data breach that compromised more than 94 million credit card accounts should accept more of the blame for what happened. By requiring that merchants store credit card transaction records for up to 18 months, they say, banks are putting companies like TJX at heightened risk of attack.
Others debunk that assessment, saying there's confusion over the storage rules and that TJX and other merchants opened themselves up to network break-ins by failing to institute well-rounded security policies.
Earlier this month, the National Retail Federation (NRF) sent a letter to the Payment Card Industry (PCI) Security Standards Council asking for changes in how the credit card industry requires merchants to store credit card data. NRF Chief Information Officer David Hogan wrote that retailers should not have to store credit card numbers.
In an interview Tuesday, Hogan said all merchants need to prove a transaction took place is the transaction authorization number. In addition, Hogan said Visa and MasterCard should release a statement declaring merchants immune from bank-imposed fines for failing to store credit card data.
"The key is to take away the attacker's target," he said. "Credit card data belongs behind the firewalls of the banks and the credit card companies, not in the merchants' hands."
Gartner analyst Avivah Litan agrees with the NRF and said banks need to take more responsibility for their role in the data breach problem. Specifically, she said, banks deserve some of the blame for requiring that merchants store credit card transaction records.
"The banks want to push all of the cost off on the retailer," she said. "They're being hypocrites. That they require the 12-18 months of storage helped create some of the problem to begin with. They need to share responsibility and change the whole payment system."
Not everyone agrees. Some IT professionals say the bigger problem has been a lack of layered defenses at TJX and elsewhere. The problem isn't necessarily whether sensitive data was stored, but whether strong enough defenses were in place to protect it in the first place.
Should banks accept more blame?
The transaction process between the banks and the merchants is in need of an overhaul, Litan said. It's Gartner's position that the NRF's request that merchants be permitted to retain only abbreviated transaction information is a practical and useful step toward improving the security of sensitive customer data, she said.
"We believe it is far more realistic to change these payment protocols than to expect approximately 6 million U.S. retailers (and more than 20 million worldwide) to properly protect card data," she said, advocating a process where the "payment players" store the data instead of the retailers.
Massachusetts Bankers Association communications director Bruce E. Spitzer sharply disagrees with Gartner's position. He said the association is declining interviews regarding the banks' lawsuits against TJX, but when told of Litan's belief that the banks are partly to blame, he said in an email that "the analyst is wrong."
Spitzer's view is shared by others who specialize in reviewing companies' controls under the PCI Data Security Standard (PCI DSS). One auditor, who asked not to be identified because he is involved in the TJX investigation, said both the banks and the retailers have some misconceptions about what can and can't be stored after a credit card transaction.
Merchants do not need to store a full credit card transaction record, he said, but some banks mistakenly tell them they must. Also, many retailers purchased point-of-sale systems that store more data than necessary, he said.
"Once the merchant gets an authorization code, that and the dollar amount is really all they need to prove a transaction happened," he said. "This is an attempt to shift the cost from the merchant back to the bank."
Even if merchants were required to store the full transaction record for 12 to 18 months, the auditor noted, TJX and other companies audited after a data breach had been storing many years' worth of unencrypted data.
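The auditor's point, that an authorization code and a dollar amount are all a merchant needs to keep, is a data-minimization rule that can be enforced in code at the point of sale. The following Python is an added example written for this page; it is not TJX's, the NRF's, or any auditor's code. It assumes a made-up authorization response (the field names `pan`, `cvv`, `track2`, `auth_code`, `amount_cents`, `currency` and `authorized_at`), keeps only the minimal record plus the last four digits of the card number for dispute matching, scans a record for leftover cardholder data (the sensitive authentication data PCI DSS forbids storing after authorization, and any Luhn-valid 13-19 digit run), and purges records older than an assumed 18-month window.

```python
"""Data-minimization for point-of-sale transaction records (added example).

Assumptions: field names of the authorization response, the 18-month
retention window (the figure the article cites), and the sample data.
"""
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Iterable

# Sensitive authentication data: PCI DSS forbids storing these after authorization.
SENSITIVE_AUTH_DATA = {"track1", "track2", "cvv", "pin_block"}
RETENTION = timedelta(days=18 * 30)          # assumed retention window
_DIGIT_RUN = re.compile(r"\d{13,19}")        # candidate card-number lengths


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredTransaction:
    """The minimal record: enough to prove the sale, useless to a card thief."""
    auth_code: str
    amount_cents: int
    currency: str
    authorized_at: datetime
    pan_last4: str


def minimize(auth_response: dict) -> StoredTransaction:
    """Build the stored record; the full PAN, CVV and track data are dropped."""
    pan = auth_response["pan"]
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("authorization response carries a malformed PAN")
    return StoredTransaction(
        auth_code=auth_response["auth_code"],
        amount_cents=int(auth_response["amount_cents"]),
        currency=auth_response["currency"],
        authorized_at=auth_response["authorized_at"],
        pan_last4=pan[-4:],
    )


def find_cardholder_data(record: dict) -> set:
    """Names of fields in a record that still carry cardholder data.

    Flags forbidden field names and any value containing a Luhn-valid
    13-19 digit run, which is how a full PAN leaks into a 'harmless' field.
    """
    hits = set(SENSITIVE_AUTH_DATA & record.keys())
    for key, value in record.items():
        for run in _DIGIT_RUN.findall(str(value)):
            if luhn_ok(run):
                hits.add(key)
    return hits


def purge_expired(records: Iterable[StoredTransaction], now: datetime) -> list:
    """Keep only records younger than the retention window."""
    return [r for r in records if now - r.authorized_at < RETENTION]


# Constructed sample: what a POS terminal might hold right after authorization.
SAMPLE_AUTH_RESPONSE = {
    "pan": "4111111111111111",          # well-known test card number
    "expiry": "1209",
    "cvv": "123",
    "track2": "4111111111111111=12091010000000000",
    "auth_code": "A1B2C3",
    "amount_cents": 4999,
    "currency": "USD",
    "authorized_at": datetime(2007, 4, 10, 15, 32, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    print("raw response leaks:", sorted(find_cardholder_data(SAMPLE_AUTH_RESPONSE)))
    stored = minimize(SAMPLE_AUTH_RESPONSE)
    print("stored record leaks:", sorted(find_cardholder_data(asdict(stored))))
    print("kept after 18 months:", purge_expired([stored], datetime(2008, 12, 1, tzinfo=timezone.utc)))
```

The scanner is the check worth keeping around: point it at whatever the POS vendor actually writes to disk, since the article notes that many retailers bought systems that store more than necessary, and a full card number inside a free-text or log field will fail the Luhn scan just as the `pan` field does.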
Storage debate misses the point
Two IT professionals, Paul Schmehl and Dave Bixler, said the push and pull between merchants, banks and credit card companies is drowning out a basic lesson about the data breach problem: Companies that fail to implement layered IT security procedures will eventually suffer the consequences.
"If you ignore commonly-accepted best practices you can expect to be hacked. It's really that simple," said Schmehl, an adjunct information security officer for the University of Texas at Dallas. "How does the length of time data is stored impact its security? You either maintain a secure network and engage in best practices or you don't, and the length of time that data is stored is a minor element in the equation."
At any given time, he said, some data will have been stored 18 months and some will have been stored a day. When the break-in occurs, does it matter to the customer whether the data was held 18 months or 18 minutes?
"No," he said. "What matters is that the company did not prevent the break-in."
The TJX break-in wasn't caused or exacerbated by data retention requirements, he said, adding, "The only thing data retention policies affect is the amount of data that is exposed to risk. In that sense, [Litan] is correct. Shorter retention times would reduce the size of the exposure but not its severity."
Defense-in-depth most important
Bixler, CISO for Siemens Business Services Inc., a subsidiary of Munich-based Siemens AG, agrees there's a need to modernize the security surrounding credit card transactions, but said the TJX breach was simply a textbook case of a company not practicing defense in depth.
"The details of this breach are not a case of brilliant, cutting-edge hacking, it was a case of antiquated infrastructure," he said. "Industry has been talking for years about the fact that the 'build-a-wall-around-the-network' approach to security doesn't work any longer, yet many companies still rely on it."
TJX's biggest problems were a lack of wireless security and network segmentation, along with a lack of intrusion detection and of visibility into what was happening on the network, he said.
"Some of the traffic anomaly detection tools, coupled with a good IDS system, would at least have notified them of the breach and allowed them to take corrective action," Bixler said. "Instead it appears that once the attackers breached the perimeter, they essentially had free rein on the network."
With that in mind, Bixler and Schmehl believe the breach was going to happen regardless of how long banks require that credit card records be stored.
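Bixler's two complaints, no segmentation and no traffic anomaly detection, translate into two checks that can be run over flow records. The Python below is an added example for this page, not code from the article, from TJX or from any IDS vendor, and it makes no claim about how the TJX intrusion actually proceeded. It assumes an addressing scheme (a store LAN in `10.20.0.0/16` inside a `10.0.0.0/8` corporate range), a made-up egress allowlist containing only the payment processor, netflow-style records constructed for the example, and a per-host baseline of daily outbound bytes with a three-sigma threshold and a byte floor.

```python
"""Egress checks for a segmented store network (added example).

Assumptions: the address ranges, the allowlist, the baseline period, the
3-sigma threshold and the sample flows are all made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

STORE_SEGMENT = ip_network("10.20.0.0/16")       # assumed POS / store LAN
INTERNAL = [ip_network("10.0.0.0/8")]            # assumed corporate ranges
EGRESS_ALLOWLIST = {"198.51.100.10"}             # assumed payment processor


@dataclass(frozen=True)
class Flow:
    day: date
    src: str
    dst: str
    out_bytes: int


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def unexpected_destinations(flows) -> set:
    """Segmentation check: store hosts may only reach allowlisted external hosts."""
    return {
        (f.src, f.dst)
        for f in flows
        if ip_address(f.src) in STORE_SEGMENT
        and not is_internal(f.dst)
        and f.dst not in EGRESS_ALLOWLIST
    }


def daily_egress(flows) -> dict:
    """Bytes per (src, day) leaving the network from the store segment."""
    totals = defaultdict(int)
    for f in flows:
        if ip_address(f.src) in STORE_SEGMENT and not is_internal(f.dst):
            totals[(f.src, f.day)] += f.out_bytes
    return totals


def egress_anomalies(flows, baseline_days, threshold_sigma=3.0, min_bytes=1_000_000) -> list:
    """Volume check: flag days where a host's egress exceeds its own baseline.

    The byte floor matters: a register that sends the same few kilobytes
    every day has sigma 0, and without the floor any change would alert.
    """
    totals = daily_egress(flows)
    baseline = set(baseline_days)
    alerts = []
    for host in sorted({src for src, _ in totals}):
        history = [totals.get((host, d), 0) for d in baseline_days]
        limit = max(min_bytes, mean(history) + threshold_sigma * pstdev(history))
        for (src, day), nbytes in sorted(totals.items()):
            if src == host and day not in baseline and nbytes > limit:
                alerts.append((host, day, nbytes))
    return alerts


# Constructed sample: seven quiet days, then one register bulk-uploads to a
# host the store segment has no business talking to.
BASELINE = [date(2007, 1, d) for d in range(1, 8)]
SAMPLE_FLOWS = (
    [Flow(d, "10.20.5.7", "198.51.100.10", 48_000 + 1_000 * i) for i, d in enumerate(BASELINE)]
    + [Flow(d, "10.20.5.8", "198.51.100.10", 50_000) for d in BASELINE]
    + [Flow(d, "10.20.5.7", "10.1.1.20", 5_000_000) for d in BASELINE]   # internal, ignored
    + [Flow(date(2007, 1, 8), "10.20.5.7", "203.0.113.44", 40_000_000),
       Flow(date(2007, 1, 8), "10.20.5.8", "198.51.100.10", 52_000)]
)

if __name__ == "__main__":
    print("policy violations:", unexpected_destinations(SAMPLE_FLOWS))
    print("volume anomalies:", egress_anomalies(SAMPLE_FLOWS, BASELINE))
```

The two checks are deliberately independent. The allowlist catches the first packet to an unexpected destination regardless of size, while the volume baseline catches bulk movement even toward a permitted host; an attacker who trickles data below the byte floor to an allowlisted address would slip past both, which is why neither substitutes for real segmentation and a properly tuned IDS.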