were compromised. This has happened before (e.g. Michael's Arts & Crafts and Hancock Fabrics stores) and involves swapping out the existing terminals for modified terminals to which the criminals have added additional electronic components. This is presently the only way to gather unencrypted PINs.
The Target compromise involves the compromise of a server receiving and forwarding card data. Any PINs in transit were encrypted before actually leaving the merchant terminal.
It's unlikely that the encryption on the PINs has been cracked. If it had, then massive numbers of PIN transactions (e.g. ATM withdrawals) would by now have been made using the compromised cards. Criminals know that there is a clock ticking for each card they steal, and they typically try to cash out as much and as quickly as possible before the cards are blocked. So far the fraud associated with the compromise appears to be POS (i.e. "point of sale" = non-PIN) transactions.
A key issue to understand is whether the card data was being stored long-term. According to VISA rules, card data is to be stored only as long as needed to complete the transaction at hand. Years ago Office Max got hit with this type of compromise and it was determined that they were keeping card data for marketing analysis, in violation of VISA rules. The Payment Card Industry Data Security Standard is an attempt by the credit card companies to self-regulate the industry, and it obviously hasn't been entirely successful.
If the resulting fraud is POS purchases, rather than PIN transactions, then Federal Regulation Z allows the cardholder's bank to dispute the fraudulent transactions and charge them back to the originating merchant. Given the expense of mitigation for this incident, it seems likely that Target may face legal action from both affected financial institutions and merchants facing large losses.