
Could this chip have prevented the TJX breach?

Firm targeted in scheme joins debate on security, arguing electronic system used overseas is worth the cost of installing it in America

By Ross Kerber
Globe Staff / August 31, 2008

TJX Cos. is urging banks and other retailers to embrace a multibillion-dollar technology that uses a tiny computer chip to stop criminals from using stolen debit and credit cards.

In one of the first interviews by a top TJX executive following a record security breach, vice chairman Donald G. Campbell told the Globe that the US payment system should follow countries in Europe and Asia that have rolled out credit and debit cards embedded with computer chips. If the cards were in use worldwide, he said, the technology would have ruined a scheme in which thieves stole as many as 100 million account numbers from TJX since 2005, by making the numbers harder to reuse.

Amid rising losses to fraud, the remarks add to a debate among merchants, banks, and payment companies over how to improve the security of the 1 billion plastic cards held by US consumers. Many other countries already have introduced the high-tech cards that slide into special readers at the checkout counter. But the technology hasn't caught on in the United States because of the high costs, and TJX says that puts the country at a greater risk for fraud.

"Criminals, I believe, are focusing on the countries that haven't added that higher level of security," said Campbell, TJX's third-highest operating executive.

TJX discovered the breach at the end of 2006, drawing wide attention to payment card security issues. TJX estimates it spent $202 million related to the breach including security reviews and settling consumer lawsuits - a number reduced from an earlier estimate of $256 million by insurance payouts and other factors.

On Aug. 5, the Justice Department unsealed indictments against a group of Florida men and others in connection with the intrusion. An attorney for one of the alleged ringleaders, Albert Gonzalez, has said he will deny wrongdoing. The indictments allege the group used wireless connections to tap into two Marshalls stores TJX operated in Miami. Prosecutors also alleged the group compromised the security of other retailers including BJ's Wholesale Club and OfficeMax, tying together some of the best-known intrusions to date.

The TJX breach still appears to have been the largest, and the company's reaction was closely watched among security experts. As part of a settlement with Visa Inc. last year, TJX agreed to speak out more about security improvements.

In his comments to the Globe in an interview and follow-up e-mail statements, Campbell talked about the need for better security and addressed other lingering questions for the company.

To Canadian regulators and others that say TJX should have had better security on its network, Campbell said that TJX "believes its security was comparable to most other major retailers and generally better than retailers who are not as large."

Also, the fact that other companies aside from TJX allegedly were targeted "clearly indicates that the challenge of securing customer data is not necessarily about any one retailer," he said.

To prevent another major breach, he said, there needs to be more cooperation among retailers, banks, and card companies to create more defensive measures. One way to do this, Campbell said, would be more encryption of payment-card data as it is shipped between retailers and banks, a step some data specialists have suggested as well. The additional encryption would make it harder for thieves to steal account numbers.

Campbell also proposes that card companies, banks, and retailers share the costs of upgrading to a "Chip and PIN" system. The name refers to the computer chips embedded on payment cards and the personal identification numbers required to authenticate purchases made with those cards.

The chips store customer account details that traditionally are encoded on magnetic stripes on the back of cards, such as names and account numbers. While most Chip and PIN cards also have these stripes to use with older-style checkout readers, they are seen as more secure than traditional cards because the chips make them harder to copy onto counterfeit cards.

Such an upgrade would likely cost billions to introduce in the United States, industry specialists estimate, including around $2 for each new credit card and up to $500 for each of merchants' 12 million card readers. TJX alone could spend as much as $20 million, Campbell estimated. The costs could be even higher for companies that don't already operate overseas stores, as TJX does with its TK Maxx stores in the United Kingdom, Ireland, and Germany.

A central question is how much spending is worth it to offset losses to fraud. David Robertson, publisher of The Nilson Report, a trade newsletter that tracks the payment industry, estimates that $1.24 billion was lost to fraud in 2007 in the United States, up from $1.14 billion in 2006. But in both years, that works out to just 5.7 cents for every $100 that customers charged on their credit cards. Worldwide fraud was $5.68 billion, or 4.8 cents per $100 spent.

For the industry, those fraud levels are "completely manageable," Robertson said.

Fraud losses would have to nearly double before many would consider more spending on security measures, Robertson said. At a time when major banks face pressure to preserve their capital, few have the funds to upgrade their plastic.

Brian Triplett, a security executive for the biggest payment network, Visa Inc. of San Francisco, said the company's statistics also show low levels of fraud, roughly one in every 10,000 transactions.

Rather than replacing all the 12 million card readers in the United States with ones that could handle the Chip and PIN standard, Triplett said the money would be better spent on other fraud-fighting technologies. For instance, Visa in August began a trial of a service that beams text messages to the cardholders' cellphones within minutes after a purchase, which would help spot fraud quickly.

Additionally, both Visa and MasterCard have rolled out "contactless" payment cards that can be waved in front of a smart-card reader without a customer having to physically swipe or insert the device into anything. The cards contain chips that generate a unique code for every transaction, making them harder to use for counterfeit schemes. They also are more effective than Chip and PIN at combating other types of fraud, such as when cards are intercepted in the mail, or fraudulent purchases made online, Triplett said.

Triplett says there's little evidence of foreign chip use driving fraud here. But Apacs, the British payments association, found in a recent study that while counterfeit card fraud fell 32 percent from 2006 to 2007 in the United Kingdom, counterfeit fraud involving British card numbers used abroad more than doubled in the same period. The Nilson report blamed criminals who used stolen data in countries that don't use Chip and PIN, especially the United States. "As the rest of the world upgrades to Chip and PIN, it will become increasingly difficult for fraudsters to use fake magnetic stripe cards overseas," the report states.

Chip and PIN systems were first aimed at countries where weak telecommunications systems made it harder to authorize purchases at the checkout counter. But past experiments in the United States have flopped, and trade groups have mixed reactions to the idea.

Nessa Feddis, senior counsel for the American Bankers Association, said its members could be split, with banks that issue payment cards to consumers possibly supporting the idea while banks that process transactions for merchants could balk at the costs of new card readers.

David Hogan, chief information officer of the National Retail Federation, said a cheaper step could be to require PINs for all credit purchases instead of signatures, which are more prone to fraud.

Dan Gingras, technology consultant for Tatum LLC in Newton, said he expects growing fraud will force some sort of upgrades to US payment cards, such as incorporating images of a person's thumbprint on cards to make sure the user matches the cardholder. The harm of fraud isn't only the total dollars lost to fraud, he said, but also the risk to retailers' reputations and the loss of shoppers' confidence when a breach occurs.

"If you're not doing that part of the equation, then your cost-benefit analysis is flawed," he said.

Ross Kerber can be reached at kerber@globe.com.
