Full analysis of the Target data breach can be found on Krebs on Security. Brian Krebs has thoroughly researched this and other major security breaches, and provides clear and honest reporting.

Target, like several other retailers, allowed attackers to steal credit card track data and PINs. This was a simple IT security breach. Attackers were able to gain access to Target's infrastructure, and thereby install malware that stole payment information. Credit card data, at least in the United States, is not typically encrypted. It is encoded in the clear on magnetic strips, and it is often only encrypted for transport. Transport layer security, while important, cannot be the only form of security. We need to encrypt and sign documents at rest to ensure both privacy and authenticity. Target is a great illustration of the problem.

Track Data

A credit card in the United States has a magnetic strip which encodes a few characters of data. On this strip are encoded the card number, card holder's name, and expiration date. These data also appear on the front of the card. The data on the strip also includes a number not printed on the card. This is the first Card Verification Value, or CVV1. The sequence of characters containing all of this information is called the "track data".

The number printed on the back of the card is the second Card Verification Value, or CVV2. Vendors typically ask for CVV2 when they accept credit card payment online or over the phone. But when a card is swiped at a card reader, then CVV2 is not required. The card reader collects CVV1. Payment processors determine whether the card was physically present based on whether the CVV1 or CVV2 was provided with the payment request.

Track data is not encrypted. The card number, card holder name, expiration date, and CVV1 are all encoded magnetically in plain text. But even if the data were encrypted, it would provide no security. Either the decryption key would also be provided, or the vendor would simply use pass the encrypted blob as an opaque identifier to the payment processor. Either way, the track data could be used again and again to process arbitrary transactions. It is encoded as an unchanging constant on the card, and does not depend upon the transaction in any way.


Some payment transactions with cards require the holder to enter a PIN. Typically, these are debit card transactions; credit cards often require a physical signature to be captured instead of a PIN. In many cases, the PIN for debit card transactions is also valid for ATM cash transactions. The card reader captures both the track data and the PIN, and presents this information to the point of sale terminal. Again, the PIN is not encrypted, because encryption would provide little value.

The Target attackers gained access to the point of sale terminals and installed malware that would copy the track data and PIN to a file in a shared folder. They then logged into the POS remotely and copied the file to a file sharing site. From there, they could anonymously access the information, and sell track data and PINs to other criminals. With this information, a criminal could easily reproduce a physical card with the same track data as the original. They could use these physical cards at other vendors, or to withdraw cash from ATMs.