Target credit card data breach: Facts, Resources and Risk Mitigation

The Target data breach, discovered December 15, impacts all credit and debit card transactions in the USA between Nov. 27 and Dec. 15. This article explores what happened, why it happened, what merchants can learn from the incident, and links to top stories.

On December 15, 2013, Target discovered malware on their USA point of sale (POS) system and disabled the malware code. The impact is over 40 million cards. Notably, the breach impacted in store only.

From Business Insider,  “As shoppers swiped or punched in their numbers on the checkout keypad, the hackers copied every single number.” Read More: The Incredibly Clever Way Thieves Stole 40 Million Credit Cards From 2,000 Target Stores In A ‘Black Friday’ Sting

Stolen was the track data from the magnetic stripe, and equivalent data from chip cards. According to Target: The CVV data which is encoded on the magnetic stripe was stolen. The CVV2,  the three or four digit value that is printed on the back or front of the card, was not. CVV2 data is never on magnetic strips for security so it would have to have been manually entered to be stolen. (From Target…”No indication that CVV2 data was compromised.”)

Also stolen were 4 digit encrypted pin debit codes. This data is encrypted on the POS device and is simply passed through to the processor in the encrypted state. From Target, “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

Summary: thieves have enough information to clone credit cards for retail sales


The data quickly reached the black market with nefarious buyers taking advantage.


In my opinion, and others, it’s likely related to system architecture. The thieves were able to get full track data needed to clone cards and increasing risk of the data being used. Target uses a custom POS application which requires Payment Application Data Security Standards (PA-DSS) in addition to Payment Card Industry Data Security Standards (PCI DSS) Compliance.

From Security: Dark Reading, Target Breach Should Spur POS Security, PCI 3.0 Awareness: Lyne says he believes the Target breach points to poor architectural and business practices. “It is critical that organizations handling such data take steps to protect it — such large volumes of data should never be accessible by one user or process — and should be encrypted to segment the data and should be detected if an export of such size occurs,” Lyne says.

An alternative workflow encrypts data at the point of sale by a payment gateway, which then delivers to the payment processor. This segregates point of sale data from payment data, reducing the scope for PCI compliance, and removing the POS application from scope for PA DSS. The payment application sends non-sensitive information, such as authorization code, back to the POS.

One way to spot potentially vulnerable systems as a consumer is whether or not the POS shows the item name and amount on the signature capture pad. This is an indication that the POS may be driving the payment application. When payment and POS are segregated, the signature capture pad shows only payment information.


Solutions fall into two categories: processor gateways and third party gateways. Merchants may be reluctant to integrate a processor gateway because it locks them into a specific vendor and can be very disruptive to operations to make a change in the future. Third party gateways provide increased flexibility, but also add extra cost to each transaction.  Factors included in choosing a solution include: single vs multi-store, USA or international, payment types, consumer or business to business, future purchase methods – need to store credit card information for recurring billing, multi-channel, and others.

THE IMPACT OF EMVemv chip card smart cardTarget was an early adopter of EMV, (Europay, MasterCard & Visa),  an open-standard set of specifications for smart card payments and acceptance devices. Credit and debit cards contain a small computer chip; This makes it harder to steal data on the point of sale device and to clone cards.

EMV  vs magnetic strip cards:  Traditional magnetic stripes contain “static” data consisting of the Primary Account Number, expiration date and other information; the same information is passed to the card issuer for every transaction. This makes it easy to clone cards.

EMV uses dynamic authentication.  In EMV transactions using dynamic authentication, the data changes with every transaction, thus any captured information is effectively useless to thieves. The chip is nearly impossible to counterfeit.

In the US, with low EMV merchant acceptance capabilities, cards may be issued with both magnetic stripe and chip. This means that thieves can still clone cards that contained a chip if the consumer uses the magnetic stripe in the transaction.


Without CVV2 data, using the card data for online transactions is unlikely because most ecommerce merchants verify that data. Retailers will be most at risk for cloned cards.

5 tips to prevent losses linked to cloned cards from Target or any other data breach:

  1. By card association rules, merchants can ask for identification, but they cannot deny a transaction if the cardholder will not provide it.
  2. Checking the zip code at the POS, where allowed by state law. *  The average thief doesn’t have this information and wouldn’t take the time to memorize it anyway. An intelligent system will decline the transaction if the zip code doesn’t match.  This may be inconvenient, especially in a fast paced environment. Some solutions allow merchants to validate the zip code only if over a certain dollar amount, reducing checkout burden while increasing risk management.
  3. Train cashiers to look at the cards for proper holograms and logos.
  4. Train cashiers to verify signatures.
  5. Require cashier to verify the last 4 digits at the POS.*  With cloned cards, the front of the card often does not match the magnetic stripe data. This is a highly successful fraud prevention tool to implement with minimal effort.

* Contact your processor to turn the zip code or last 4 digits flag on, or modify the payment gateway settings, whichever is appropriate.


Kreb’s on Security:  Who’s Selling Credit Cards from Target?

Wall Street Journal: Target’s Data-Breach Timeline Target’s web site for an inside view. Includes Target’s corporate web site. Everything consumers need to know. (Author note: Target advises monitoring for fraud.  I advised my daughter to request an immediate debit card replacement.


3D Merchant Services Powered by CenPOS
2633 NE 26th Ave Metro South FloridaFL33064 USA 
 • 954-942-0483

Why Government Agencies Are High Risk For Failing PCI Compliance

Why is it that government agencies are the last to get on board with cleaning up PCI Compliance risky practices? The credit card authorization form is prevalent at local, state, and federal agencies. Problems persist across all agencies from district attorney to healthcare.  What am I picking on? The print and then ‘fax or mail’ credit card authorization form with card security code which is never, ever supposed to be stored.

It’s possible that forms are being scanned after data is input, and sensitive data is masked, but it’s improbable for many government organizations because they simply do not have the resources.

Here’s 4 potential problems with this practice:

    1. The person handling the form can snap a picture with a cell phone.
    2. The form is received on a digital fax. Who can retrieve it? Is there a policy in place for destruction of the hard drive data, and is it actually followed? Are forms downloaded to individual hard drives, creating a whole new series of PCI Compliance concerns, and broadening the scope.
    3. The form may be sent to a local office instead of a lockbox. From the moment that form hits the mail, all the people that touch it are risk points.
    4. Stored payment data on computers. This practice continues to be widespread until there is a breach. On October 10, 2012, the U.S. Secret Service detected a security breach at the S.C. Department of Revenue, but it took state officials 10 days to close the attacker’s access and another six days to inform the public that 3.6 million Social Security numbers had been compromised. The attack also exposed 387,000 credit and debit card numbers. I’m not in the business of securing social security numbers so I can’t respond to that, but why the heck was there full card data to expose?
    5. Every time a human has access to card data, mail, or faxes, there is opportunity for theft.

All images shown were obtained today via publicly available information.

CREDIT CARD AUTHORIZATION FORM: Florida Health, Charlotte County.

This poorly designed form captures the security code in the middle of the page and also requires a drivers license. Card brands prohibit the last practice as being required to accept cards.


credit authorization form-florida charlotte county

CREDIT CARD AUTHORIZATION FORM: United States District Court District of Kansas

This form captures the security code in the middle of the page and says that it will be stored,  a violation of card acceptance and PCI Compliance rules.  Additionally, the only way another person can be authorized to use a card is if there is a power of attorney on file,  so the form may be misleading. It is possible to have multiple cards with the same number on an account, however, each card is issued to a different cardholder name.

credit card auth form kansas

CREDIT CARD AUTHORIZATION FORM: Arizona Department of Health

This form captures the security code in the middle of the page. If it’s stored,  it’s a violation of card acceptance and PCI Compliance rules. It offers a mail option to the local government office instead of a lockbox, a  riskier practice.


CREDIT CARD AUTHORIZATION FORM: City of Laredo Health Department

This form has a clear policy that the sensitive payment information will be shredded. Hurray!
I recommend adding a field for the card brand and last 4 digits, that won’t be shredded.


credit card authrozation form AZ Dept of health

CREDIT CARD AUTHORIZATION FORM: Chatham County Public Health Department

This form has a clear policy that the sensitive payment information will be shredded. Hurray! I recommend adding a field for the card brand that won’t be shredded. The form appears to allow reuse for recurring billing since the amount is not specific, though it is not specifically stated as required by the card brands. Why isn’t the total amount known if this is for a one time transaction? If stored, I wonder where the card data will be stored once the form is destroyed? credit card authorization form chatham public health



This last form is from our technology for recurring billing authorizations. The customer can enter the payment information on a secure hosted pay page, or it can be key-entered or swiped. The custom personalized form is autuomatically generated when a new card is stored. The form is signed and both the customer and the merchant have the token ID to use for billing future charges. With the email address, the cardholder automatically gets a receipt whenever a transaction is processed.

recurring billing authorization form cenpos

By accepting payments online, merchants can reduce PCI Compliance burden. What did you think of this article? Please leave your comments.

Will insurance cover data breach of credit card information? Whether or not PCI Compliant?

The typical business general liability insurance policy provides ZERO insurance coverage. A special policy referred to as Cyber Liability Insurance includes a section called Network Security coverage that protects you for both first-party and third party liabilities arising from a data breach event. In order to get the special insurance, a merchant must be PCI DSS Compliant at the time the policy is written, and attest to compliance on the insurance application.

Cyber Liability is a generic term for an insurance policy and possible coverages include identity theft from computer network data and paper files.


  • Merchant doesn’t know what PCI compliance means (Payment Card Industry Data Security Standards)
  • Merchant cannot provide a copy of written policy for actively monitoring PCI compliance- and record of doing so.
  • Merchant statements contain “non-PCI Compliance validation fee”.

What if the PCI Compliance status changes during the term of the policy? This is a grey area and likely many factors will influence a decision to pay out, including how egregious the issue was that caused the breach as well as the business efforts to maintain compliance.

If a business qualifies for a discount because they have a building alarm, but then post the alarm code next to the door for everyone to see,  would the carrier be happy paying a theft claim? If a business was PCI compliant but then started accepting credit card sales via fax and stored all the forms in a file folder on someone’s desk where other employees or cleaning personnel have access to, do you think the insurance carrier might have an issue with this? What if the business made every effort to meet PCI compliance, but a key senior employee goes rogue?

Businesses can mitigate the risk of losses by data breach by outsourcing the responsibility, using third party payment processing technology, and by purchasing Cyber Liability Insurance.

Thanks to Steven Breitbart, of Cypress Insurance Fort Lauderdale, for contributing to this article.

Invoice Factoring Alternatives

Although leveraging Accounts Receivable Management to increase capital for cash flow can be very effective, merchants can often reduce invoice factoring needs by improving accounts receivable collections. The two most common collection invoice delivery methods are paper mailed invoices and email invoices or e-invoices. Adding an online pay page or using Electronic Bill Presentment & Payment (EBPP) can dramatically improve cash flow.

The Case For Online Payments

At a minimum, a hosted pay page enables customers to pay 24/7, while also reducing Payment Card Industry Data Security Standards , or PCI DSS, compliance burden.  If  most of your customers pay by check, and protecting margins with check payment is preferred, simply email the link to delinquent accounts. This is a proven method to boost cash flow. Example: a law firm added a pay page and collected a single $11,000 + payment the same day a client was given the creit card payment online payments hosted pay page

The Case For Electronic Bill Presentment & Payment (EBPP)

With EBPP, invoices are delivered via email, SMS ( text message) or fax. The primary difference between e invoice and EBPP is the link tp pay the invoice delivered online. Delivering electronic invoices is easy for any business to business company to gain customer acceptance, if for no other reason than environmental impact. From a business perspective, it’s clear float is reduced with e-billing vs postal from 2-10 days to immediate. Some might argue customers will always pay the last due date, and that’s true, some will , however, this is also true:

  • It’s proven some invoices will get paid immediately. Benefit: 30 days vs same day.
  • Some customers will pay on time. Benefit: reduces late payments.
  • Some slow payers will payer quicker to stop automatic reminders to pay. Benefit: paper, printing, and postage fees; staff time

The Case For CenPOS Online Payments & EBPP

CenPOS is a universal payment processing solution that works with your existing finance partners to streamline the payment experience for customers and merchants. In short, here’s why CenPOS is better than another similar solutions:

  • Cost: more value for a lower cost, no long term contracts or heavy upfront costs
  • Simplicity: Go live almost instantly.
  • Efficiency:  The platform is built with many, many time saving features for both merchants and customers. For example, the ability to securely store credit card and checking account information by either party saves tons of time on future payments.
  • Innovation: CenPOS is flexible, and continually innovating. With one hub for transactions, reporting, administration, reconciliation, there are no comparable competitors with the depth of solutions nor merchant value added benefits. For example, CenPOS EBPP has tools to automate steering to lower cost methods of payment, and all payment sources utilize an intelligent system that can reduce  credit card processing fees- with any compatible merchant account.

If the dynamics of when invoices are paid changed, how will it impact factoring needs? Try any of our payment accelerator solutions for an extended free trial with the mention of this blog article. Merchants and factoring companies contact Christine Speedy, CenPOS Global Sales/ Channel Sales (954) 942-0483.


Electronic bill presentment and payment improves PCI Compliance

Electronic bill presentment and payment, or EBPP, improves PCI Compliance by removing employees from having access to credit card information. Instead of credit card numbers on fax forms or employees accepting payment information over the phone, simply send an e-invoice which the customer can click to pay.

The image below shows the landing page after a customer clicks the text message or email link to pay.

electronic bill presentment and payment

Better than electronic invoicing, our solution enables customers to make payments right from the email. Why is this important? By delivering the invoice and the ability to pay without logging in, you’ll dramatically reduce time from invoice to payment collection.

EBPP sales sheet (PDF)

Our EBPP is fast, easy to use, and requires no capital investment to implement. For sales call Christine at 954-942-0483 or click here for more information.