"Criminals, I believe, are focusing on the countries that haven't added that higher level of security," TJX Vice Chairman Donald G. Campbell said, according to this Boston Globe story.
The exec at the chain that has become—fairly or not—the poster child for bad data security procedures also endorsed the approach suggested by former Hannaford CIO Bill Homa, namely that payment data should be encrypted as it's transmitted to banks, regardless of whether the company uses a public or a private network.
This is an interesting debate. There's little question that both moves would improve security, but the cost and change required will also make them almost impossible to deploy. As TJX execs know better than anyone, market forces to push such change are essentially non-existent. Even Visa has said that the money could be better spent on fraud alerts and early detection.
The problem is that the Visa approach is reactive, and it reflects that the company has already surrendered, conceding that the thieves will successfully penetrate. Sadly, that's probably not an unwarranted assumption.
Campbell also defended TJX's role in the credit card industry's worst-ever data breach, saying that its security wasn't much worse than that of other similarly sized retailers and that it was likely better than that of a lot of smaller merchants. Although true, that's hardly something to crow about.
According to the federal charges, only one of the retailers even detected any of the repeated large-scale intrusions, and none was able to stop any. If that were my record and I were a security guard company, I think I'd avoid using it as a case study.