
Comment Re:Why are pins stored? (Score 2) 213

I know for a fact that one of the items on the PCI list for CC transactions is 'no storage of CVV data.' If Target was indeed storing the PIN numbers, I feel like they have some real 'splainin to do about that one. However, based on the fact that they're obsessive about data mining, I wouldn't put it past them. "Why do we need to keep the PIN numbers?" "I dunno, but we can." "Okay, let's do it."

However, if the data was stolen 'in flight' as EvilSS suggests and it *is* encrypted (and based on the prevarication in which Target has engaged, I wouldn't hold my breath), it does kind of help narrow down the mechanism of the breach. It basically means they didn't crack the individual POS terminals, but some point in between the terminal and the bank. But, as I sit here and think about this, why would the POS terminals encrypt the PIN but not the CC number? This is where my lack of knowledge of the arcane world of computerized banking (and having worked in it for a brief time, I know it's full of WTF) prevents me from making any more guesses. Perhaps it's required by standard that the PIN be encrypted leaving the POS terminal. Perhaps the intercept point was between the Target and the bank, and Target was sending the PINs as a hash.

Exactly how hard would it be to run an attack against, say, 40 million salted hashes if you knew each of the pre-hashed values was a four-digit code from 0000-9999?

But the more I think about this...this means that each of the CC transactions individually leave the POS terminal, get routed through some branch office infrastructure then back to Target HQ, then onto the banking network. Way too much speculation on my part, but I'm hellishly curious to find out what actually happened.
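
The arithmetic behind the salted-hash question in the comment above, as an added example that is not part of the original comment: with only 10,000 possible PINs, a salt stored beside the hash does not protect the value, while a secret key held elsewhere does. The SHA-256 and HMAC constructions, the salt, the key and the PIN are all assumptions made for the illustration; the page does not say how the PINs were actually protected.

```python
import hashlib
import hmac

# Every possible four-digit PIN, 0000 through 9999.
KEYSPACE = [f"{n:04d}" for n in range(10_000)]


def salted_hash(salt: bytes, pin: str) -> bytes:
    """Assumed construction: SHA-256(salt || pin)."""
    return hashlib.sha256(salt + pin.encode()).digest()


def keyed_hash(key: bytes, salt: bytes, pin: str) -> bytes:
    """Contrast case: HMAC-SHA-256 under a secret key kept away from the records."""
    return hmac.new(key, salt + pin.encode(), hashlib.sha256).digest()


def candidates(salt: bytes, digest: bytes, hasher=salted_hash) -> list:
    """PINs whose hash equals the stored digest.

    The salt travels with the record, so anyone holding the record
    needs at most len(KEYSPACE) trials to check every PIN.
    """
    return [p for p in KEYSPACE if hmac.compare_digest(hasher(salt, p), digest)]


def worst_case_trials(records: int, keyspace: int = len(KEYSPACE)) -> int:
    """Unique salts prevent table reuse, but cost grows only linearly."""
    return records * keyspace


if __name__ == "__main__":
    salt = bytes(range(16))                    # constructed sample salt
    stored = salted_hash(salt, "4821")         # constructed sample PIN
    print("salted:", candidates(salt, stored))

    key = b"constructed-key-held-in-an-hsm"    # constructed sample key
    stored_keyed = keyed_hash(key, salt, "4821")
    guess = lambda s, p: keyed_hash(b"wrong-key", s, p)
    print("keyed, key unknown:", candidates(salt, stored_keyed, guess))

    print("trials for 40 million records:", worst_case_trials(40_000_000))
```

The worst case for 40 million individually salted records is 400 billion hash evaluations, so protection for a value this short has to come from a key the record holder does not have, not from the salt.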
