"The software being used to process payments at many companies is highly exposed, and there needs to be an additional standard out there that requires data to be released after a certain amount of time on the register," said Litan. "And getting in through a wireless server isn't uncommon either, it's usually the easiest point of contact, and it's not encrypted, the passwords are defaults, and people can get in and find their way around the network; that seems to be the modus operandi for many of these types of attacks."
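The retention control Litan describes, cardholder data that is automatically released from the register after a set period, can be implemented as a scheduled purge over stored transaction records. The example below is added here and is not code from the article or from any vendor it mentions; it assumes a hypothetical record layout (PAN, expiry, track data, authorisation code) and a 90-day retention window chosen for illustration. It masks the PAN on records older than the window while keeping the authorisation code and amount for audit, and it strips track data from every record regardless of age, since magnetic-stripe data must not be retained after authorisation at all.

```python
from datetime import datetime, timedelta

# Assumed retention window for full PANs; the article names no specific period.
RETENTION = timedelta(days=90)

# Constructed sample register records (test card number, not real customer data).
SAMPLE_RECORDS = [
    {"timestamp": "2006-11-01T09:15:00", "pan": "4111111111111111",
     "expiry": "12/09", "track2": "4111111111111111=0912...", "auth": "A1B2C3", "amount": 42.10},
    {"timestamp": "2007-03-20T16:40:00", "pan": "4111111111111111",
     "expiry": "12/09", "track2": "4111111111111111=0912...", "auth": "D4E5F6", "amount": 19.99},
]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


def purge_card_data(records, now, retention=RETENTION):
    """Return copies of the records with sensitive data released.

    - track2 is dropped from every record: it must never be stored post-authorisation.
    - On records older than `retention`, the PAN is masked and the expiry removed,
      so a later intrusion into the register finds no usable card data there.
    The auth code and amount stay, so the transaction remains auditable.
    """
    cutoff = now - retention
    out = []
    for rec in records:
        rec = dict(rec)
        rec.pop("track2", None)
        expired = datetime.fromisoformat(rec["timestamp"]) < cutoff
        if expired:
            rec["pan"] = mask_pan(rec["pan"])
            rec.pop("expiry", None)
        rec["purged"] = expired
        out.append(rec)
    return out


def unmasked_pan_count(records) -> int:
    """Audit helper: how many records still carry a full PAN."""
    return sum(1 for r in records if "*" not in r["pan"])


def run_example(now=datetime(2007, 4, 1)):
    """Purge the constructed sample at a fixed 'now' and return the result."""
    purged = purge_card_data(SAMPLE_RECORDS, now)
    for r in purged:
        print(r)
    print("records still holding a full PAN:", unmasked_pan_count(purged))
    return purged


if __name__ == "__main__":
    run_example()
```

In practice a job like this runs on a schedule on each register or on the store server that aggregates register data, and the audit count is the metric to watch: it should trend to the number of transactions inside the retention window and never above it.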
Other experts agreed that unprotected wireless networks and aging payment card systems serve as a potent recipe for data theft from large retailers.
Andrew Jaquith, an analyst with The Yankee Group, said that many large retailers have wireless systems in place for use by in-store personnel that are relatively unprotected yet connected to the firms' wider corporate networks. Locking down those systems is a relatively simple process, he said, but protecting data on payment card systems is not.
"In general, companies have had a hard time figuring out how to protect customer information, even after the emergence of PCI," Jaquith said. "When people were designing these things a few years ago, in many cases, they made design and implementation decisions that have combined to create opportunities for exposure; they weren't thinking about where to store and protect the most sensitive information, such as credit card data."
Many companies are in the process of replacing their payment processing systems to get closer to compliance with PCI, but the transition moves slowly based on the complexity and expense of the technologies, the analyst said.
"To be fair, the guidance for PCI has gotten a lot better over the last couple of years, but if you roll back the clock a few years, there wasn't a lot of guidance from the card consortiums to the merchants about how to handle sensitive data," said Jaquith. "Some companies did the best job they could, some punted and focused on other areas of security, and many built systems in a random fashion; this isn't a problem that will be solved by anyone overnight."
The silver lining of disastrous data incidents such as the TJX breach is that they may serve to motivate many firms that are lagging in their plans to upgrade payment card systems security, experts said.
"Incidents like the one experienced by TJX provide the best argument for not holding onto large amounts of sensitive information, but there's no evidence yet that these events have pushed other companies to improve their own data security efforts," said Lillie Coney, associate director with the Electronic Privacy Information Center in Washington, DC.
Making a case for how a data breach could affect a company's bottom line should be simple, but many business leaders are unwilling to dip into their coffers for new IT defense systems, she said.
"If you consider the problem in terms of risk analysis and the potential cost of an incident that exposes sensitive information, including the damage to a company's reputation, it shouldn't be a hard case to make," Coney said. "But getting companies to think like that is still a challenge as the IT workers don't have a way to position the issue from a bottom-line standpoint; eventually someone will make a case for liability with one of these breaches, and that's when people will really get it."