Debit PINs Were Lifted in Breach, But Codes Are Safe, Target Now Says
Target said Friday, in an update on the security breach that affected some 40 million credit and debit cards used in stores Nov. 27-Dec. 15, that PIN data from debit cards was included in the breach. Initially the company said compromised data included only cardholders’ names, CVV (card verification value) on credit cards, account numbers and expiration dates (CED Dec 20 p4).
The retailer said in its update, its fourth since the breach was announced Dec. 19, that PIN information had also been taken. Target discovered through “additional forensics work” that “strongly encrypted PIN data was removed,” but “we remain confident that PIN numbers are safe and secure,” it said. The retailer said PIN information was “fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”
Target said when a customer uses a debit card in its store and enters a PIN, the PIN is encrypted at the keypad using Triple DES encryption, a “highly secure encryption standard used broadly throughout the U.S.” Target said it doesn’t have access to, and doesn’t store, encryption keys in its system. While PIN data is encrypted within Target’s computer system, it can “only be decrypted when it is received by our external, independent payment processor.” The key required to decrypt the data “has never existed within Target’s system and could not have been taken during this incident,” it said. The primary takeaway for Target customers is that “their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” it said.
Meanwhile, Target set up a designated section on its website billed as “response & resources related to Target’s credit card breach.” The site -- Target.com/paymentcardresponse -- is intended to help customers “feel confident that what you are hearing from Target is really from us,” it said. The site includes PDFs of all official communications that Target has sent relating to the issue, it said. The company said it understands additional scams could be “perpertrated” [sic] against Target customers resulting from the breach. The page provides all news releases related to the breach, emails to REDcard holders and links to an FTC page on credit card identity theft, along with links to credit agencies and information on how consumers can get a free copy of a credit report.
In an FAQ section, Target reassured customers affected by the breach that they have “zero liability for any charges that you didn’t make” and said Target will offer free credit monitoring to everyone affected. It also told customers that Social Security numbers were not compromised in the breach. It warned customers to be wary of phone or email scams arising from the incident that offer protection but “are really trying to get personal information from you.”
On its Facebook page Thursday, Target told customers it’s continuing to improve call center wait times and has “tripled our call center support.” It told REDcard holders they can visit the dedicated REDcard section to find answers to questions. Though that site was down last week when traffic overwhelmed it, it is now accessible, we found.