On December 27, 2013, Forbes reported that encrypted PIN data had been stolen in a data breach that occurred between black Friday and December 15th at Target stores.  Specially, the data that was taken was from transactions associated with the check-out point-of-sale (POS) systems where debit cards are used by pay for purchase.

There are some important lessons about this event that are worth highlighting, but first we need a little background on the process of using and processing debit-card transactions.

Debit-card transactions require the customer to enter a PIN after they swipe their card at the point-of-sale.  This process differs from a credit card transaction where the customer signs the signature-capture pad after swiping their card.  From a payment perspective, a debit transaction results in a transfer of funds directly from the customer’s checking account whereas a credit-card transaction results is a “loan” of money from the credit card company to pay for the goods purchased.

Note that the debit cards provide a direct and immediate link to cash in a checking account.  Accordingly, anybody who has a debit card number and the associated PIN has access to all of the cash in the checking account that is linked to the debit card.  As such, debit card information is very appealing to hackers and thieves, especially if they can also obtain the PIN information associated with each card.  There is one other fact to consider – the PIN is not stored on the card (it is only known by the customer and the customer’s bank).

From a system security perspective, when the customer swipes their debit card at the point-of-sale (POS) and enters their PIN number, the PIN is actually encrypted on the device.  If you could put your x-ray glasses on, you would see that the PIN number remains encrypted throughout the POS system, through the store, through the merchant’s (Target’s) infrastructure, and is finally decrypted by the debit card processor.  The encryption key that is used to encrypt the data is unique to the debit terminal (and in most cases unique to the transaction) and is ONLY shared between the debit terminal and the debit processor (as is highlighted by the Target Update).


Three Lessons from the Target Hack of Encrypted PIN Data

Enough background already. What does this tell us?

1. Keep your encryption key separate from your encrypted data

The first lesson to take away is simply to keep your encryption key separate from your encrypted data. We know not to write our passwords on the bottom of our keyboard. We know not to put the combination of our safe on a sticky-note on the door to the safe, and we should never allow our encryption keys to be accessed in the same way as we access our data.

2. Encrypted data is absolutely worthless without the key

The second lesson is that encrypted data is absolutely worthless without the key. Presuming that you are using a vetted encryption algorithm (and that you did not build your own), encrypted data thwarts the incentive to steal the data. Simply put, the thief has gone to a lot of effort to steal the data, but once it is known or discovered to be encrypted, the economic value of that data is zilch! In fact, if the hacker knew the data was encrypted, they may have not attempted the breach and avoided the risk of being caught.

3. Encryption is simple and provides high value

The third lesson is that encryption is simple and provides high value. Those low-cost debit terminals at the point-of-sale are able to encrypt data using standards that prevent the data from being disclosed except by authorized individuals. A little forethought into the flow of data, a firm design on what data needs encryption, and a clear decision on who has access to the keys (separate from who can access the data), makes for a very strong data-protection architecture.

If the data was not encrypted and they keys were not separated from the encrypted data (following the rule of “dual-control and split-knowledge”), then Target would have had a much, much bigger problem on their hands (and customers would be out a lot of money).


The simple take-away from this event is that Target did things right. Hackers are finding new and innovative ways to penetrate our networks and collect data.  However, good security architectures provide layers of protection (as exemplified by the encryption of debit card PIN data) and nullify the economic value of any information that is stolen.

Lastly, Target is the real benefactor (along with its customers). Because of the breach, Target is now performing a forensic investigation and is taking corrective actions, and the would-be perpetrators have given up one more method for causing a breach.


More from Data Protection

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Data residency: What is it and why it is important?

3 min read - Data residency is a hot topic, especially for cloud data. The reason is multi-faceted, but the focus has been driven by the General Data Protection Regulation (GDPR), which governs information privacy in the European Union and the European Economic Area.The GDPR defines the requirement that users’ personal data and privacy be adequately protected by organizations that gather, process and store that data. After the GDPR rolled out, other countries such as Australia, Brazil, Canada, Japan, South Africa and the UAE…

Third-party breaches hit 90% of top global energy companies

3 min read - A new report from SecurityScorecard reveals a startling trend among the world’s top energy companies, with 90% suffering from data breaches through third parties over the last year. This statistic is particularly concerning given the crucial function these companies serve in everyday life.Their increased dependence on digital systems facilitates the increase in attacks on infrastructure networks. This sheds light on the need for these energy companies to adopt a proactive approach to securing their networks and customer information.2023 industry recap:…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today