Now we are learning that the TJX security breach went as far back as 2003. See a great article in InformationWeek. We are in 2007! What were they thinking? Was this a case of knowing and not disclosing? Or not knowing? I think not knowing. Amazingly, a post on the F. Curtis Berry & Company blog says Gartner analysts estimate that less than 50% of Level 1 merchants are compliant with PCI. Maybe it's not knowing and not caring.
The question in the end will be, who really paid the price for the TJX data breach? Well, it's not the credit card company. They're protected. The banks who have to pay $30 for every replacement card certainly think they're a victim - hence the line of lawyers lurking outside some courthouse near TJX headquarters in Massachusetts.
Evan Schuman makes an interesting point on who is the REAL victim in his StorefrontBacktalk post.
What do you think of all this?