It was the big card heist of the season, but despite hacking into 40 million credit/debit cards, the thieves cannot hack the highly encrypted PIN data, according to Target, as reported in the L.A. Times this morning.
The PIN data is encrypted as it's entered by a customer at a keypad at checkout, protected with what's known as Triple DES encryption, according to Target. This stays within Target’s system and ‘remained encrypted when it was removed,’ the Minneapolis-based company said.
Consequently, the encryption system gives Target confidence on this aspect of the attack.
The PIN data is not within the Target system. Only when the card data reaches its destination at the computer center, which sends money from the bank to the retailer, is the encryption code released.
For the thieves to gain access to the PIN data from a card swipe, they would need several successive rounds of trying to unscramble the numbers, a seemingly endless task.
The hackers took the ‘trade data’ that routes through a server from the terminal machine and lands at the computer processing center. The card numbers can then be batched to the various credit card companies for billing, and simultaneously the retailer can be paid within 48 hours, more or less.
What all of this means for Target is ‘that the 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident,’ the company said Friday.
A final word of assurance: ‘The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,’ Target said.
Merchants in the U.S. will have access to the new encrypted credit/debit card terminal that Europe has enjoyed for years. The new EMV encrypted terminal is available, and as soon as card companies and banks issue embedded cards, individuals can use these cards to process purchases, provided a retailer has the machine. This will become part of normal business procedures in the U.S. by 2015, as the cards and machines are both available at the merchant’s place of business for customers.