TJX Exec Backs Chip-and-PIN, Encryption Through Private Networks

Written by Evan Schuman
September 3rd, 2008

A TJX senior executive is apparently trying to push chip-and-PIN, arguing that cyberthieves are focused on the United States partly because we haven’t adopted it.

"Criminals, I believe, are focusing on the countries that haven’t added that higher level of security," TJX Vice Chairman Donald G. Campbell said, according to this Boston Globe story.

The exec at the chain that has become—fairly or not—the poster child for bad data security procedures also endorsed the approach suggested by former Hannaford CIO Bill Homa, namely that payment data should be encrypted as it’s transmitted to banks, regardless of whether the company uses a public or a private network.

This is an interesting debate. There’s little question that both moves would improve security, but the cost and change required will also make them almost impossible to deploy. As TJX execs know better than anyone, market forces to push such change are essentially non-existent. Even Visa has said that the money would be better spent on fraud alerts and early detection.

The problem is that the Visa approach is reactive, and it reflects that the company has already surrendered, conceding that the thieves will get in. Sadly, that’s probably not an unwarranted assumption.

Campbell also defended TJX’s role in the credit card industry’s worst-ever data breach, saying that its security wasn’t much worse than that of other similarly sized retailers and was likely better than that of a lot of smaller merchants. Although true, that’s hardly something to crow about.

According to the federal charges, only one of the retailers even detected any of the repeated large-scale intrusions, and none was able to stop one. If that were my record and I were a security guard company, I think I’d avoid using it as a case study.


6 Comments

  1. Chris Allan Says:

    “….but the cost and change required will also make them impossible to deploy…”

    Well, this was deployed across the whole of Europe in about a 12-month period, and while there were moans and groans from some retailers and customers, adoption is ubiquitous now, with the elimination of personal checks and a faster turnaround at the POS.

    This has also been deployed beyond retail – every time you use a card in Europe you use the PIN, so to say that the cost and change required would make this impossible to deploy is simply not true.

    Contrary to your statement on there being no market forces to push this and Visa saying it is not effective – Visa are one of the backers of the EMV standard. The initiative is driven by the market forces of the banks and their drive to reduce fraud losses, through pushing the liability of the transaction back to the retailer.

    I think you will find that once they are liable for fraudulent transactions, this provides more than enough incentive for the retailer to implement chip and PIN.

  2. Evan Schuman Says:

    Editor’s Note: You make a very fair point. What we had intended to say is that the industry/political realities in the States make this quite unlikely. No one–including Visa–has been pushing this hard in the U.S. This would have huge potential, but it would need the backing of quite a few players, and I haven’t seen any hint of this yet.

  3. A reader Says:

    The problem with Chip-and-PIN is that it doesn’t go quite far enough to fully protect retailers. Retailers are still responsible for providing secure PIN-entry terminals, and criminals in Europe have already started placing counterfeit terminals in stores. Thus retailers are still handling secure data, and still remain in the loop for fraudulent card use.

    If smart credit and debit cards were used in conjunction with a customer-owned handheld PIN keyboard (such as the Digipass system) then all security would rest in the hands of issuers, and the retailers would be freed of the security burdens surrounding credit. PCI DSS wouldn’t be necessary. PCI PED wouldn’t be necessary. And the extra cost for replacing terminals to work with Chip-and-PIN wouldn’t be necessary, either.

    Of course, that’s not likely to happen until retailers examine and understand the costs, and then organize their efforts to move the PCI in that direction.

  4. Evan Schuman Says:

    Editor’s Note: A Reader is absolutely correct (As A Reader tends to be). In short, this is part of the overall argument that retailers are good at doing a lot of things, but security isn’t one of them. Getting the banks and consumers to take over data responsibility is the ideal.
    Which, of course, means that it will never happen. Too many powerful players that don’t want it to happen.

  5. Jim Says:

    One doesn’t need to deploy chip-n-PIN to make payments much, much more secure—the PCI SSC simply needs to require end-to-end encryption for all payment data starting at the PED, regardless of whether the underlying network is considered “public” or “private”. This is what already occurs with PIN data today. To be sure, there are many, many significant deployment issues that would need to be overcome to make this happen—but I can’t help but believe that this requirement will become part of PCI DSS at some point in the next five years.

  6. Ed Wilson Says:

    Most of what you’ve said is correct. But encrypting from end to end isn’t a solution either. You can grab card information before it gets encrypted. I saw a lot of violated terminals where the data were stolen prior to getting encrypted. It was possible to get the PIN by mapping the keyboard matrix. It’s hardware “hacking”. Even PCI PED doesn’t look at all design failures in the terminals. It’s possible to put a bug in every terminal on the market. I’ve seen a lot on Verifone and Ingenico terminals (just to name a few vendors).

    Even if you use Chip, it’s possible to cheat the authorization system (depending on the deployment). I saw a lot of frauds involving the chip-and-PIN approach. I’m not saying that the chip was broken (at least not yet, but the criminals are studying the “how-to”), but there are several ways to cheat the authorization systems.

