Reuters is reporting that the recent credit card breach of over 40 million Target customers included personal identification numbers, also known as PINs. If this is true, that would mean thieves would be able to produce fake credit cards that they could than use at ATMs to withdraw cash advances from people’s cards. Molly Snyder, a spokesperson for Target, said that no PIN data was compromised.
I believe her.
I just don’t see how PINs could have been compromised. According to the initial reports, the data breach included only swiped transactions, not transactions done online. This would indicate that the only information breached was information contained on track 1 and track 2 of the magnetic strip on the back of the card. The PIN isn’t on the magnetic strip. In fact, putting the PIN on the magnetic strip would defeat the whole purpose of assigning a PIN to a card.
A PIN is only used when someone goes to an ATM or a bank teller and takes a cash advance on their credit card. This can’t be done at the retail level. It’s why stores such as Target don’t even give you the option of getting cash back when you pay with a credit card like they do when you pay with a PIN based debit card. Cash advances are at a much higher interest rate then purchases and in most cases, there is no grace period. Interest begins to accrue at the time of the cash advance.
The other day I did some testing on my own credit cards to see what data is on the magnetic strip. I tested three cards, two Visa cards and a Mastercard, and read track 1 and track 2 with a MagTek reader. Track 1 contained the card’s account number, my name, the expiration date, a 3-digit service code that has to do with what type of transactions are allowed, and discretionary data, information used solely by the issuer of the card. Track 2 contained the same information as track 1, except it didn’t include my name.
I read on Wikipedia that discretionary data may contain the CVV2 or the CVV security code, but none of my cards had this.