Wayner tells me his friends encouraged him to patent his idea, but he successfully resisted the urge, thinking that there was plenty of prior art in places like the classic Unix password hash. Conceptually, the idea is pretty simple: instead of allowing the vendor to store customer information and encrypt it while it passes over the Internet, let the client software encrypt in on the customer's side and store useless encrypted tokens in the central vendor database. Any attacker hitting a TJX in this scenario would get only gibberish instead of social security numbers.
This has certain downsides--the customer will lose his data if he forgets his password, and the vendor can't perform certain kinds of data mining--but it's impressive how much information a vendor can still get from manipulating the encrypted strings. For more information, check out Beautiful Security, Translucent Databases, and Wesabe.