In January of this year (2007), TJX, the parent company of TJ-Maxx and some other retail companies, fessed up and admitted that they had a data breach.
I can only guess that TJX weighed the pros and cons of going public and determined that it was in the company’s best interest to come clean rather than have someone find out about the breach down the road, so they announced the gaffe publicly. I’m sure their legal department was heavily involved in all the weighing that must’ve gone on.
Altogether, some 50 million (45.6 to be somewhat more precise) credit cards were compromised (i.e. their numbers, expiration dates, and names stolen). Statistically, it’s almost certain that there isn’t a single person in the US who doesn’t know at least one other person who was affected by this particular breach. That’s how bad it was.
As someone who works closely with retail, I see little reason to keep credit card information around, be that on paper, floppy disks, or secured databases. Furthermore, I see almost no value gained from this practice.
It’s not a matter of whether the data will be compromised or not, but when. And when it happens, with today’s massive databases, it’s not a dozen cardholders that will be affected, but several thousand (or at worst, like in the TJX case, a good quarter of the adult population of the United States, if not more). To put it more in perspective, if I were writing about a disease affecting this many people, I’d be using words like “epidemic”, “break-out”, “centers for disease control”, “siege”, “curfew”, and “national guard”. Yes, just like in the movie.
I can think of only two reasons not to discard credit card information once the transaction it belongs to is over and done with:
1. Not to have to ask customers for their credit cards when they come to return merchandise.
2. To track a purchasing pattern by uniquely identifying customers using their credit card numbers.
As a customer, I see little to no advantage in #1 if it means that my credit card information is stored somewhere; especially because I have no control over how those magical 16 digits are safeguarded. I will choose the hassle of having to show my credit card a hundred times over having to deal just once with the hassle of a single card stolen.
In the case of TJX, I later found out, they were keeping these credit card numbers because they were connected to refunds issued to customers who didn’t have an original receipt. Yes, someone, somewhere in the company was planning to investigate these 45.6 million transactions SOMETIME.
Attention all shoppers: you don’t need a receipt to return merchandise at TJX stores (TJ-Maxx, Marshalls, and Bob’s Stores); just tell the cashier that you purchased it 2 weeks ago using cash.
There’s a third reason for keeping credit card numbers around: that the retailer’s computer systems were set up this way eons ago and those in charge have had their heads buried in the sand for the past 10 years and have never been victimized by identity theft.