Target allows a massive credit card data breach

If you’ve used your credit card at Target since Black Friday, you’ll need to keep an eye on your credit card statement to make sure there aren’t any unauthorized purchases. Target announced earlier today that they’ve had a massive credit card data breach. According to Target, the breach affected customers who used their credit and debit cards in U.S. stores from November 27 to December 15, 2013. The data breached included customer name, credit or debit card number, the card’s expiration date, and the security code, the three- or four-digit code on either the back or the front of the card.

It doesn’t make sense that a data breach involving U.S. stores would compromise the security code. The fact that it happened in the physical stores and not online would indicate that the breach involved only swiped transactions. When a credit card is swiped, the card reader obtains information from track one and track two on the card’s magnetic strip. This information includes the cardholder’s name, the credit card number, and the expiration date. That’s it. Track one and track two data doesn’t contain the security code. This code only appears physically on the card, either on the back or, in the case of American Express, on the front. Furthermore, the security code is only processed on mail order/telephone order (MOTO) or e-commerce transactions. It’s not processed on retail, face-to-face transactions.
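As an added illustration (not part of the original post), this sketch parses the ISO/IEC 7813 track one and track two layout that a swipe yields and uses it the way a defender would: to find and blank track data before it is written to a log. The log lines, the dictionary field names and the test card number are constructed for the example.

```python
import re

# ISO/IEC 7813 layouts; "discretionary data" is an issuer-defined field.
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(?P<pan>\d{12,19})\^(?P<name>[^^?]{2,26})\^"
                    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")
TRACK2 = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")

def luhn_ok(pan):
    """Luhn checksum over the card number digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse_tracks(text):
    """Return one dict per track record in text whose PAN passes Luhn (PAN masked)."""
    found = []
    for track, rx in ((1, TRACK1), (2, TRACK2)):
        for m in rx.finditer(text):
            pan = m["pan"]
            if luhn_ok(pan):  # skip digit runs that only look like card numbers
                found.append({
                    "track": track,
                    "name": m.groupdict().get("name", "").strip(),
                    "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
                    "expiry_yymm": m["exp"],
                    "service_code": m["svc"],
                    "discretionary_len": len(m["disc"]),
                })
    return found

def redact(text):
    """Blank every track-shaped record, Luhn-valid or not, before text is stored."""
    for rx in (TRACK1, TRACK2):
        text = rx.sub("[TRACK DATA REMOVED]", text)
    return text

# Constructed sample: a test PAN and made-up POS log lines, not real card data.
PAN, DISC = "4111111111111111", "0" * 13
SAMPLE_LOG = (
    f"12:00:01 pos=7 raw=%B{PAN}^DOE/JANE^1512101{DISC}? ok\n"
    f"12:00:01 pos=7 raw=;{PAN}=1512101{DISC}? ok\n"
    "12:00:05 pos=7 ref=;1234567890123456=1512101? reprint\n"
)

print(parse_tracks(SAMPLE_LOG), redact(SAMPLE_LOG), sep="\n")
```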

The fact that Target is saying that security codes were also breached would indicate they really don’t know what’s going on, they don’t know how the breach happened, and they’re just making stuff up.

1 thought on “Target allows a massive credit card data breach”

  1. “Track one and track two data doesn’t contain the security code.”

    This is a common confusion. Both tracks contain what the standards call “discretionary data”. Most cards put what is confusingly called a CVV or CVC in that field. Yes, as you say, this is *not* the same as the “security code”, CVV, or CVC printed on the card. I’ve heard some refer to the printed code as CVV2, but I don’t believe this is technically correct either. But I’ve worked in payment processing of track data (card present) enough to know it’s there.

    In any case, I’ve heard the CVV on the track data can be used for off-line PIN verification, or offline “printed” security code verification. It’s undocumented, and the card issuers probably want to keep it that way.

    It almost certainly is used to detect cloned cards, since having only the “visible” data would prevent knowing what to put in that field on the card. Card-present processing rates are lower because having the track data with that CVV code proves the card was swiped. It’s something the cloner can’t know. This is why “skimming” is done, and this seems to be the ultimate skim operation.
