Some retailers said the credit card industry could bolster security by investing in biometrics technology to authenticate a consumer's identity, but Visa and MasterCard have resisted that path. Biometric authentication, which uses a shopper's fingerprint to verify the identity linked to a credit card account, is more secure than traditional signature- and PIN-based transactions because the unique pattern on a finger is harder to steal and forge than a signature or a PIN.
"Visa and MasterCard still have not done enough to protect consumers," said one chief information officer, who requested anonymity, but whose multibillion-dollar chain has been PCI-compliant for two years, long before many companies.
"For example," he said, "why are Visa and MasterCard encouraging retailers to use signature-based debit versus PIN-based debit? A PIN-based transaction is more secure...but they make more money on a signature-based transaction" by charging retailers a higher fee for that type of transaction. In some cases, consumers pay a fee if they opt for PIN-based payment instead of signing their names.
However, many retailers operating on thin margins might resist measures that would require them to install additional equipment at every register because it would be too costly, said Russo.
One upside of the widely viewed "60 Minutes" program is increased awareness among executives holding the purse strings to fund security upgrades, said Cathy Hotka, principal of Cathy Hotka & Assoc. of Washington. "It's not like the story is new. It's getting a little long in the tooth but increased awareness is a good thing."
Another retail chief information officer who requested anonymity said, "A smart CIO who has a difficult time convincing his chief executive to [invest in security] can take this segment, show it to him and that makes the CEO legally responsible. When the CIO says, 'Look, we have an exposure,' it becomes a completely different issue."
Zeke Duge, a former retail chief information officer, said, "You can't get the bean counters to spend to do the right thing until the risk is insurmountable." He suggested that if any technology executive at TJX raised concerns about the vulnerability prior to the breach, that person is probably taking some heat now, because, if the risk exposure is documented, TJX can't claim ignorance, only that it took a calculated risk.