Last Friday Target issued an update acknowledging that encrypted PIN data were included in the data stolen in their recent breach. This quickly became a hot news segment and social media was abuzz with renewed criticism of the retailer.
Though the data technically was stolen, and I applaud Target for publicly announcing it, this news is not really surprising. In actuality the PIN data presents almost no additional risk to Target’s customers. In order to better explain why this is not a significant issue, I need to explain a bit about how PIN pads and debit transactions work. (PCI refers to them as PIN-Entry Devices; PIN pad is the colloquial term.)
First off, each payment processor (in this case First Data) has its own encryption key that is used to encrypt all PIN traffic. This key is highly protected and only issued to a small number of companies that provide PIN pad encryption services. When a merchant such as Target purchases a new PIN pad, the key must be programmed into the device by one of these companies. Often these businesses are also PIN pad resellers, so the merchant will purchase the devices directly with the key installed. But in other cases the merchant may buy direct from the manufacturer and then ship the PIN pads off for injection of the key.
Once the merchant receives the device and begins using it, the PIN data sent from it is encrypted with the industry standard Triple DES algorithm. Though that data passes through the point-of-sale (POS) system and the merchant’s network, it is never decrypted along the way. Only the payment processor on the other end of the transaction has the ability to decrypt the PIN data. In contrast, the actual card data (card number, expiration date, user’s name, security codes, etc.) is passed in the clear to the POS system so that it can be processed as necessary.
What Target has acknowledged is that whoever breached their network captured traffic as it flowed through. And by necessity that traffic included the encrypted PIN data. Does that make their breach more egregious? Not at all. It just means that they accepted debit transactions. But it does tell us that the perpetrators were sniffing traffic on the network, something that wasn’t previously disclosed.
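To make the flow described above concrete, here is an added illustration in Go (not code from this post or from any PIN pad vendor or processor): the PIN pad encrypts the PIN block under a 24-byte Triple DES key that was injected before deployment, the record crossing the merchant's network carries the card number in the clear but the PIN only as ciphertext, and only the processor's copy of the key recovers the PIN. The PIN block layout, the key and the card number are constructed for the example.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// PINPadEncrypt models the PIN pad: the 24-byte processor key was injected before
// deployment and never leaves the device. The PIN is packed as "0", a length digit,
// the PIN digits, then 'F' padding (a layout assumed here) and encrypted with 3DES.
func PINPadEncrypt(injectedKey []byte, pin string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 9 {
		return nil, fmt.Errorf("PIN must be 4-9 digits")
	}
	s := fmt.Sprintf("0%d%s", len(pin), pin)
	for len(s) < 16 {
		s += "F"
	}
	pt, _ := hex.DecodeString(s)
	c, err := des.NewTripleDESCipher(injectedKey)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, des.BlockSize)
	c.Encrypt(ct, pt)
	return ct, nil
}

// ProcessorDecrypt models the payment processor, the only party holding the key.
// With any other key the block decrypts to noise and no PIN is recovered.
func ProcessorDecrypt(key, ct []byte) (string, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, des.BlockSize)
	c.Decrypt(pt, ct)
	h := hex.EncodeToString(pt)
	n := int(h[1] - '0') // hex letters give n > 9 and fail the check below
	if h[0] != '0' || n < 4 || n > 9 {
		return "", fmt.Errorf("not a valid PIN block (wrong key?)")
	}
	return h[2 : 2+n], nil
}

// OnTheWire: what a capture on the merchant network holds (PAN clear, PIN as ciphertext).
func OnTheWire(pan string, encryptedPIN []byte) string {
	return fmt.Sprintf("PAN=%s PIN=%x", pan, encryptedPIN)
}
```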
A number of people on Twitter have also pointed out that the PCI DSS does not allow merchants to store PIN data. However, a closer reading of the Target announcement does not suggest that they stored the data in any form, only that it was stolen. Based on the details provided, it does not appear that Target is guilty of any further malfeasance.
Nathan Sweaney is a Senior Security Consultant for Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.