[jrockway]

Target's card readers, last time I checked, suck in the whole card like some ATM machines. So they can easily OCR the card number and CVV2, and store that.

What always weirded me out about Target is that they used the credit card number (or name, or something on the card) as the key into their "loyalty program". If you bought some generic drug last time, this time their machine will print out a coupon for the name-brand version. This always weirded me out a little bit, though there is nothing preventing them from just storing a hash. Of course, the average developer never stores just a hash, and here we are.

[helper]

Why would you think that Target OCRs CVV2? They already have CVV1 (used for card in hand) read off the magstrap, so what would they want with CVV2? It would also be an insane violation of PCI rules.

[jrockway]

As far as I know, big companies can negotiate with the individual networks to do whatever they want with your credit card information, including storing the data in a non-PCI-compliant manner.

[callahad]

> Target's card readers, last time I checked, suck in the whole card like some ATM machines. So they can easily OCR the card number and CVV2, and store that.

At least in the Minneapolis store I shopped at during the breach, it was a simple swipe terminal.