I'm a security vendor. 1.5 years ago I made a sales call to TJX. We were not there to sell Intrusion Detection and Protection (IDP) solutions, but brought it up during our meeting as a solution we sell. IT security staff kept telling us they were "comfortable with the risk, and we have no budget this year" for not using IDP and other security solutions. They also mentioned they had passed their PCI (payment card industry) audit.
It's always easy to say they should have fixed this or that; hindsight is always 20/20. Bottom line: you made a sales pitch and they did not buy your product, which may or may not have helped, or maybe it's just no good. If you had such serious concerns you should have escalated this.
If TJX is "well run," why did they need to hire IBM and General Dynamics?
"....Dear TJX customer, Even though we violated industry standards for security, we are a "well run" company and need do nothing to improve our "well run" IT and security systems. As a WELL RUN company, we feel this was a "fluke", purely coincidental, and will not happen again, because we are a WELL RUN company!....."
I know 4 people who are getting new credit cards, and all have stated they will never shop there again.