But court documents filed by the banks that are suing TJX allege that the company wasn't compliant with nine of the mandated controls during the period when the intrusions were taking place. And TJX was by no means alone. In response to the slow adoption of the PCI controls, Visa threatened to start imposing hefty fines and higher transaction fees on merchants if they didn't become compliant by the end of last September.
Visa won't disclose whether it has fined any merchants since then, but there is ample anecdotal evidence that it has.
The card payment process has issues
The TJX breach exposed a fundamental rift, with banks and credit card companies on one side and merchants on the other. In several states, credit unions and smaller banks have lobbied the legislatures to pass new laws requiring retailers to reimburse them for the costs involved in notifying customers of breaches and reissuing cards.
But the lobbying attempts failed everywhere except in Minnesota, which last May approved the Plastic Card Security Act -- a law that holds breached entities financially responsible if they were storing prohibited card data on their systems.
In fighting the state bills, retailers have argued that the commissions they pay to card companies on each transaction are supposed to cover fraud-related costs, making any additional payments a double penalty. They also said that the only reason they store payment card data is because they're required to by the credit card companies. In October, the National Retail Federation (NRF) asked Visa and the other card companies to drop that requirement.
The NRF's request is echoed by Litan, who long has argued for fundamental changes in the card industry's payment process, via the introduction of measures such as one-time passwords and all PIN-based transactions.
The bad guys remain hard to catch
For all the attention paid to the breach by TJX, and all the hired forensics experts and law enforcement authorities on the case, the perpetrators thus far haven't been tracked down. Some individuals who allegedly used card numbers stolen in the breach have been arrested. But the hackers themselves have remained frustratingly out of reach, as is the case in most breaches.
"The crooks are still at it," Litan said. "They probably will strike again. They're laughing all the way to the bank."