Guess who's looking for a new PCI compliance officer?

Here’s the least surprising job advertisement you’re likely to see: TJX Companies is in the market for an IT Compliance Officer. According to the posting, dated Jan. 5 on Careerbuilder, TJX is looking for an IT Compliance Auditor to help: “plan and execute compliance testing, controls assessment and documentation for Sarbanes-Oxley (SOX), Payment Card Industry (PCI), Data Privacy, and other compliance requirements as needed. Monitors compliance with information security policies and standards by conducting data privacy assessments, internal control reviews and risk assessments. Maintains a current knowledge of IT-related regulatory compliance requirements and standards.”

I guess this helps answer one question that was lingering in my mind after news broke yesterday of The TJX Company’s whopping data breach, which was “What about PCI?” You know, the toothy new data security standards from the Payment Card Industry? Those standards, which have been in force for two years now, require companies that accept credit card transactions to meet certain standards for securing those transactions, including tracking and monitoring all access to network resources and cardholder data, and testing security systems and processes.

As a top tier retailer with thousands of stores, TJX should have had to publish Reports of Compliance (ROCs) with the various credit card companies that are part of PCI (Visa, American Express, MasterCard). In addition, as of Jan 1, TJX and other retailers needed to be in compliance with PCI 1.1, a newer and more comprehensive data security standard. In theory, failing to comply with PCI could get your right to accept credit card transactions revoked, a death blow to retailers like TJX. However, it’s not clear that card companies have ever taken that drastic step, especially with such a high profile merchant.

In the meantime, the PCI Security Standards Council issued a statement on their Web page saying that the TJX breach reinforces the need for standards like … PCI! “Customer payment data is not just a payment brand issue but is the responsibility of all businesses that participate in the payment process.” Customers expect that merchants will comply with PCI, the group said. Of course, it might be helpful if credit card companies told US which retailers or etailers had met PCI’s standards. That information, like much else in the payments industry, seems to be “nonpublic.”