Thursday, June 25, 2009

TJX Agrees to Security Pilot Programs and to push End to End Encryption

There were some interesting terms agreed to by TJX in the TJX/State Settlement. First, TJX agrees to participate in pilot programs for new payment security technology, such as chip and PIN, if asked to do so by MasterCard or Visa within 2 years of the date of the agreement. After two years, I guess they can say no.

Second, they agreed to take steps within the next 180 days to encourage the development of end to end encryption, including seeking the cooperation of their acquiring bank.

The text of these sections appears below. A copy of the entire agreement can be found at: http://storefrontbacktalk.com/story/TJX%20Agreement.pdf

The Attorneys General and TJX believe that the security of Cardholder Information collected in connection with retail transactions is an important priority. Protecting Cardholder Information is a dynamic challenge, because as security technologies available to retailers evolve, criminals attempt to develop more sophisticated ways of trying to circumvent such technologies. The Attorneys General and TJX therefore agree that possible improvements within the payment card system could aid the protection of consumers. To further that goal, TJX agrees as follows:

A. Pilot Programs. TJX will notify Visa and MasterCard in the United States and its acquiring bank(s) in the United States, simultaneous with the execution of this Assurance, that TJX desires to participate in pilot programs for testing new security-related payment card technology, such as the chip-and-PIN technology that is used in many other countries. TJX will participate in such program(s), if invited to do so, within two (2) years following the Effective Date of this Assurance, provided that any new security-related payment card technology and the terms and conditions of such participation are considered in good faith by TJX to be feasible and reasonable.

B. New Encryption Technologies. TJX will take steps over the one hundred eighty (180) days following the Effective Date of this Assurance, to encourage the development of new technologies within the Payment Card Industry to encrypt Cardholder Information during some or all of the bank authorization process with a goal of achieving "end-to-end" encryption of Cardholder Information (i.e., from PIN pad to acquiring bank). Such methods may include but are not limited to encouraging the development of new technologies and seeking the cooperation of TJX's acquiring bank(s) in the United States and other appropriate third parties. TJX will provide the Attorneys General, within one hundred eighty (180) days following the Effective Date, with a report specifying its progress in this effort.
