

Target confirms PIN data was stolen in breach - ibsathish
http://money.cnn.com/2013/12/27/technology/target-pin/index.html

======
lvh
Article suggests that only a third party payment processor holds the key, yet
also claims that the encryption algorithm is Triple DES. Either whatever's
doing the encryption _also_ has the key, or there's a random symmetric key for
each entry that's encrypted using the payment processor's public key in some
extra scheme that isn't explained in the article. That would explain why
they're talking about a "decryption" key as a separate thing. (In the latter
case, the thing doing the encryption technically also has the key; that's hard
to avoid with a symmetric algorithm such as 3DES; but one would hope that the
system doing the encryption would forget about that key ASAP :))

From what I understand, PCI mandates that at least the terminals all have
their own (re-used) encryption keys; but that wouldn't fit with their story
that the "key never existed within their systems"; unless that's them being a
bunch of weasels due to a technicality (perhaps they themselves do not
actually own the terminals?)

Is there a source with more technical details available?
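As an added illustration of the hybrid scheme lvh sketches (a random per-entry symmetric key, wrapped with the payment processor's public key), not code from this thread or from any retailer's or processor's actual system: the Go program below uses AES-GCM and RSA-OAEP from the standard library in place of 3DES, and the names Envelope, Seal and Open are my own. It shows how the encrypting side can keep no decryption key once it has zeroed the per-transaction data key, and how only the holder of the processor's private key can open the envelope.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the record the encrypting side hands to the processor: the PIN
// block under a fresh per-transaction data key, plus that data key wrapped
// to the processor's RSA public key. The envelope alone is useless without
// the processor's private key.
type Envelope struct {
	WrappedKey []byte // per-transaction AES key, RSA-OAEP encrypted to the processor
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // PIN block encrypted under the data key (GCM tag included)
}

// Seal encrypts pinBlock for the processor identified by processorPub. The
// random data key exists only inside this function and is zeroed before it
// returns, so the caller keeps no key that can decrypt the envelope; this is
// the "forget the key ASAP" half of the scheme.
func Seal(processorPub *rsa.PublicKey, pinBlock []byte) (*Envelope, error) {
	dataKey := make([]byte, 32) // AES-256 key, random per transaction
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	defer zero(dataKey)

	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := aead.Seal(nil, nonce, pinBlock, nil)

	// Wrap the data key with RSA-OAEP; only the matching private key unwraps it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, processorPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the processor's side: unwrap the data key with the private key,
// then decrypt and authenticate the PIN block. A wrong private key or a
// tampered envelope yields an error rather than garbage plaintext.
func Open(processorPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, processorPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey)

	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// zero overwrites key material once it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	processor, err := rsa.GenerateKey(rand.Reader, 2048) // processor's key pair (constructed)
	if err != nil {
		panic(err)
	}
	pinBlock := []byte("constructed-PIN-block") // sample input, not real card data
	env, err := Seal(&processor.PublicKey, pinBlock)
	if err != nil {
		panic(err)
	}
	got, err := Open(processor, env)
	fmt.Println("processor recovers PIN block:", err == nil && bytes.Equal(got, pinBlock))

	stranger, _ := rsa.GenerateKey(rand.Reader, 2048) // anyone without the private key
	_, err = Open(stranger, env)
	fmt.Println("other key fails:", err != nil)
}
```

Note the caveat lvh raises still holds: the data key does exist on the encrypting host for the duration of Seal, so a host that is already compromised can be watched while it generates keys. The scheme limits what a stolen database of envelopes is worth; it does not by itself protect a compromised encryption point.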

~~~
natekh
That was exactly my thought: you can't say "triple-DES encryption" and "we
don't have the key." Saying that they delete it afterwards gives little
comfort, especially considering that their infrastructure has been
compromised.

------
skywhopper
"Target ... said the PINs are 'strongly encrypted'"

Take this with a huge grain of salt. White hat analysis of the hacked Adobe
database shows that "strong encryption" is only a very small piece of the
puzzle for securely storing sensitive data.

