TJX Defense: Everybody Was Doing It

Written by Evan Schuman
October 18th, 2007

As the latest TJX saga—the banks versus the retailer—unfolds, I can’t help being reminded of driving along a major New York highway. Cars are speeding through every lane, and every driver is thinking the same thing: "What are the chances that, with all of these cars speeding, the police will nab me?"

As the legal arguments start to unfold—as they did this week in a Boston federal courtroom—there is little discussion yet about responsibility to protect cardholder data. Most of the TJX defenses seem to be variants of "Everybody was doing it, so why pick on me?" As the state trooper would reply on that New York highway, "Because you got caught."

A major element of this case is proving fraud. To do that, lawyers for the banks are taking a sin-of-omission approach. By not telling MasterCard, Visa and others that its security was, in the words of U.S. District Court Judge William Young, "antiquated and deficient," TJX tricked those card companies into letting it continue to accept credit cards.

TJX’s response in court was both cynical and regrettably true. To paraphrase: "Oh, come on. Cut me a break. Everyone—and especially Visa and MasterCard—knows how terrible the security was at all of the major retailers. So to say now ‘we were had’ is ludicrous."

Instead of paraphrasing, let’s listen to the exact words of Breck Weigel, one of the attorneys for TJX card processor Fifth Third Bank: "We have a very broad record here, a number of depositions of these issuing banks. They attended meetings where Visa and MasterCard specifically pointed out to them there are merchants out there storing Track 2 data. Visa and MasterCard specifically pointed out to them there are a number of merchants who are not PCI compliant," Weigel said. "So not only do we have the named plaintiffs in this case who attended these meetings and would not have relied upon any authorization, security assurance as we call it, but obviously large financial institutions who are on the board of directors of Visa and MasterCard, certainly they are not relying upon issuing banks or acquiring banks or merchants as to some authorization. That just simply doesn’t exist."

Interestingly enough, TJX’s attorneys are using the extreme severity of the TJX data breach to argue why TJX shouldn’t be punished. In what is widely considered the worst ever data breach reported, the retail chain in January disclosed that the credit card data of some 46 million consumers fell into unauthorized hands in a series of penetrations from July 2005 to December 2006.

One could point to the long duration of the unnoticed data breaches as evidence of somebody being less than attentive to security. But TJX is using that long duration to argue that too much changed during that time period for any one standard to have applied.

When it started, PCI was barely real and no one was taking it very seriously. (Are they taking it seriously today? Well, no, but that ruins my point. Stop distracting me with context.) Here’s a wonderful line from TJX attorney Richard Batchelder, referring to the PCI Council. They’ll "say you’re going to have to move to this standard by such and such a date. And so there’s this entire period of time when there’s a standard out there, but you don’t have to comply with it until Visa or MasterCard says you have to comply with it."

TJX’s official position is that they ignore the PCI Council Babysitter until Visa Mom or MasterCard Dad get home? Candor is a wonderful gift.

In civil litigation, the vast majority of cases settle out of court. TJX had better hope this one does. If they ever have to face an emotional jury of—*gasp*!—consumers, they may find that trier of fact not nearly so forgiving. Judge’s instructions notwithstanding, jurors may not clear TJX because of the rampant carelessness with the security of consumers’ financial data. They may actually punish them for it. Silly consumers. Don’t they know the law?

