[mtbcoder]

Skimming would imply that someone physically altered the self-checkout lanes to capture credit cards in the same way an ATM skimmer works. Since this was installed malware, it would mean access to Home Depot's network. I wouldn't be surprised to learn that credit card data was stored in plaintext somewhere in their system.

[jgillette]

I will say, one time a few years back I needed to get a receipt from a purchase more than 60 days old. I called the local store, and she said "just give me your credit card number and I can lookup your transactions". With just my card number she was able to see every transaction I made with that card (and find my purchase I needed the receipt for). So (at least 3-4 years ago) it was being stored somewhere searchable by people in the back office.

[HeyLaughingBoy]

Or at least a hash generated from it was stored.

[mrweasel]

But why would they store them and why would they have access to the card number?

The credit card processing is normally completely separate from the rest of the POS. The credit card "machine" communicates directly with the credit card processing company and just informs the POS that the transaction was completed.

You would need to break into the encrypted data sent from the credit card terminal to the processing company to get the card number.

Maybe I'm just completely ignorant about how this stuff works.

Target and Home Depot are doing something that they don't need to be doing to process payments, unless skimming is involved.

If skimming is involved: start moving to chip cards and drop the magnetic strip.