The key lesson of the TJ Maxx, or TJX, security breach may be that it is impossible to prevent data crimes against the card system.
The ease of access to valuable consumer information, the considerable rewards for stealing it, the failure of law enforcement to prevent it, and the increasingly prohibitive cost of protecting it all militate against any easy solution.
It's no wonder. The card system is addicted to capturing every possible kind of information about consumers.
Creditors get it from applications, each other, transactions, credit reporting agencies, list companies, collection agencies, government dockets — from virtually any source that has it.
They trade it back and forth, store it in millions of places, mine and use it to sell products via receipts and bills that end up in the least secure place of all: the trash.
Because it is everywhere and always in flux, there is no way to protect it fully.
Despite these realities, the losses from merchant data theft have proven modest relative to the risk. It is like the lost/stolen card risk — a mix of negligence, crime, and expense.
The law and network policies deal with lost/stolen cards by forcing creditors to eat the losses. Congress essentially blamed them for the problem — for sugar-coating the risks of credit in their solicitations.
Who is to blame in the merchant-bank card standoff?
The fear of merchant breaches seems to be growing, as evidenced by the sharp reaction to the TJX incident. Critics are demanding action, even without tangible evidence that a substantial number of people have suffered consequences like identity theft, or will do so.
The anger expressed in banking and network circles about TJX has been accusatory toward merchants as a class for being lax in adopting card security measures. Message: They're at fault, not us.
We can guess what merchants are thinking. Most will say, "We're unblemished, so don't throw the book at us. Only a few bad apples are to blame, if any are at all."
Others will say, "It's your product and your system. You sold them to us and consumers as cheaper than cash and safer and more efficient than all other payment products. Your ever-increasing security requirements are too costly, threaten transaction efficiency, and could put many of us out of business. You're at fault, not us."
If the best the card industry can ever do is play catch-up with the criminals, the merchants might be right. Most of them — the millions of small stores that make up the majority — naturally will resist paying for solutions that experience has told them do not work.
Their burden, after all, is not just the complex hardware, software, alarm systems, surveillance equipment, or whatever else the card industry orders them to install. Of necessity, it includes hiring equipment experts, training employees, adjusting to new rules, handling more paperwork, consulting lawyers, submitting to audits, paying higher network fees, and planning for contingencies on a scale never seen before.
This is enough to stiffen merchants' backs for more confrontations with the card industry in courts and legislatures.
One may hope that the industry has learned from the interchange cases that litigation can go awry. Lawsuits invite discovery that can open a Pandora's Box for plaintiff or defendant.
In a case involving merchant data breaches or merchants' refusal to adopt security protections, a lawsuit could expose the same failings in the card industry.
Examples include excessive data capture, lax security controls, equipment deficiencies, data breaches, cover-ups, and perhaps a new antitrust front — industry players acting in concert to shift solutions from themselves to merchants.
If the industry pushes too far, dangerous lawsuits will ensue, especially if security mandates threaten the existence of large numbers of merchants.
This possibility raises the question I've posed many times in these pages: Should the card industry have a life and death power over another industry? It is the question that sank Visa and MasterCard in the Department of Justice, Wal-Mart, and government challenges around the world — the use and abuse of market power.
To avoid a reprise, the card industry should tone down its criticism of merchants and temper the litigation threat. Honesty, cooperation, and mutual sacrifice should guide the effort to solve the data theft problem.
The bank card and merchant industries must face the reality that perfect solutions are impossible, prohibitively costly solutions are unfair, and government solutions are the worst.
Most of all, they should look into the abyss and consider whether cards as a payment mechanism, and their obsessive reliance on consumer data, have passed their prime.