TJX Violated 9 Of 12 Data Security Standards
Wednesday, October 31, 2007
According to a recent ComputerWorld article:
"New documents filed in a Boston federal court Thursday by banks suing The TJX Companies Inc. over its data breach claim that the Framingham, Mass.-based retailer had not complied with nine of the 12 security controls mandated by the Payment Card Industry (PCI) data security standards when the breach occurred."
Some of the reported problems:
"... a failure to properly configure its wireless network, a failure to segment networks carrying cardholder data from the rest of TJX's network and the storage of prohibited data. A forensics expert hired by the company to probe the incident, which exposed data on some 94 million accounts, also identified other deficiencies such as improper patching practices and a failure to maintain adequate logs."
If there's one thing I've learned, I now pay attention to news reports about data breaches at retail stores. If the retailer has a poor data security record, I won't shop there. Why? Simply, I can't trust them to protect my personal data. On the rare chance that I temporarily go insane and shop at a retailer with a spotty data security record, I'll pay for my purchases with cash.