Is PCI Non-Compliance Legally Wrong?
What is Reasonable Computer Security for Credit Card Data?The Federal Trade Commission should rethink the law of credit card data security applicable to merchants like TJX. As a consequence of the data security breach TJX disclosed in 2007, TJX and the FTC entered a settlement requiring TJX for the next 20 years to engage in an expensive, government-supervised data security program. The program entails the maintenance of controls and extensive paperwork reporting about those controls to the FTC.
According to FTC, the grounds for its action against the retailer were that TJX had engaged in "unfair practices" in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a).
The "unfairness," according to the FTC, was that TJX collected private credit card information from consumers, but failed to use adequate security procedures to protect it. This resulted in compromise of tens of millions of credit card accounts. By declaring that TJX was "unfair," FTC implied TJX had been bad. In other words, FTC found the TJX incident was worse than just unfortunate or embarrassing. It was the result of punishable culpability by TJX.
Note what the FTC did not allege about TJX. The FTC did not allege TJX engaged in a "deceptive trade practice" in violation of Section 5(a) of the FTC Act. An example of deception is for an enterprise (like ChoicePoint) to tell individuals it will secure their data, and then fail to do so.
Further, the FTC did not allege TJX was utterly inattentive to security. The FTC essentially said TJX was unfair because it was not secure enough . . . not secure enough to defeat the sophisticated criminal organization that broke into it. And the FTC said the remedy for this unfairness is that TJX should implement security controls, more or less like the PCI-DSS (Payment Card Industry Data Security Standard). The implication: if a merchant follows the PCI, then it has achieved "fairness."
Compare what FTC just said to TJX, with what happened at retailer Hannaford. Hannaford announced that 4.2 million credit card numbers were stolen from it, but Hannaford says it was PCI compliant during the time in question! Apparently the hackers tapped fiber-optic cable that "security experts had believed was secure."
Further, Okemo Mountain Resort, a Vermont merchant, says it complied with PCI, but was still broken into. Pereira, "Credit Card Security Falters," WSJ, Apr 29, 08.
The Hannaford and Okemo experiences suggest PCI compliance is not enough to defeat the talented criminal gangs assaulting the credit card system today. In other words, compliance with controls like those FTC imposed on TJX is not enough to protect credit card data.
The reality may be that it is impractical for merchants to protect credit card data from the criminals who broke into TJX and Hannaford and Okemo. If that is true, then TJX did not engage in unfairness. It was a victim of criminals who are swiftly becoming more powerful.
In essence FTC said TJX was an unfair bad guy because it could not keep up with the hackers. But by that standard, is not the entire credit card system "unfair?" Instead of picking on particular players like TJX, why doesn't FTC investigate the credit card systems as a whole (Visa, Mastercard, American Express et al.) and probe whether credit cards are inherently "unfair" to consumers because criminals can defeat the systems? Why doesn't FTC require each of the systems to devise better designs and controls so consumers are no longer subjected to the "unfairness" of the systems as presently designed? (See this post on alternative ways to authenticate credit card users and transactions.)
My point is that TJX was not "unfair." It was unlucky. Its defenses were similar to that of many (most) of its peers at the time. They too would have fallen had they been subjected to the same criminal blitzkrieg. And during the time in question, the PCI was vague, reltively new and subject to wide interpretation and debate. (It still is.) The same is true for the controls FTC just imposed on TJX.
FTC is well-meaning here, but it is misdirected. By singling out TJX and chastising it with the "unfairness" "bad guy" rhetoric, FTC distracts the necessary public conversation. It implies that if we can just punish these lazy merchants enough (and force them to comply with PCI and similar controls), then credit cards will be safe. That"s wrong.
The criminal warfare directed at the credit card system is more powerful than the theory behind PCI. The whole credit card system needs to change. As a society we need to focus on beating the criminals, and stop flogging victims like TJX as unfair privacy infringers.
(I have posted more remarks on TJX and FTC.)
Update: I explain how August 2008 indictments of TJX hackers put FTC's treatment of TJX into perspective.
Update: Many of TJX's peers did, apparently, fall victim to the same blitzkrieg as TJX. Prosecutors say the gang that broke into TJX also broke into 8 other large retailers, though some of those retailers cannot confirm their defenses were breached. Pereira et al., "Some Stores Quiet Over Card Breach," WSJ, Aug 11, 08, B1.
Further Update: September 2008 prosecutors say the TJX hackers broke into "numerous other businesses" in addition to the 8 previously disclosed. Ross Kerber, "Hacker pleads guilty in breach," Boston Globe, Sept. 12, 2008. Therefore, TJX was not unusual; TJX was no weaker at the time in question than was standard and common in the retail industry. Query whether FTC will open investigations of all these other retailers and claim they were "unfair" also.
Update March 2009: Heartland Payment Systems maintains that an auditor confirmed it was PCI compliant a mere month before hackers broke into the company and stole credit card data. Visa investigated after-the-fact, and Visa has tried to say that Heatland was not PCI compliant. But PCI expert David Taylor observes that if the goal of an investigation is to determine that an organization is not in compliance, then the goal is easy to achieve. Perfect data security never exists in practice.