Target shares came under pressure after the company announced a security breach that exposed up to 40 million card numbers to thieves between Thanksgiving and last Sunday.
The stolen data included customer names, card numbers, expiration dates and the Card Verification Value (CVV), a three-or-four digit code often used to verify a card's legitimacy.
These data are sometimes called "track data" within the industry. They are encoded in the magnetic stripe on the back of the card. The CVV acts as a "checksum" on the other numbers, allowing encrypted data to be read.These data are supposed to be scrubbed from systems as soon as a transaction is processed, according to rules set by large processors such as Visa (V), rules that are updated regularly. Because this leak did not affect the company's Web store, the hackers probably broke into a data line running from the stores to Target, from someone collecting transactions for Target to Target, or from Target to its own card processors. This is the biggest retail card breach since TJX Companies (TJX) lost an estimated $256 million after 45 million accounts were compromised in late 2006 through insecure WiFi and insecure storage of data. TJX stock weathered the 2007 breach well, something investors selling Target today might want to consider. The shares are up more than threefold since the breach was reported, and that includes a sharp fall during the Great Recession. Shares in other companies suffering breaches, including processors Heartland Payment Systems (HPY) and Global Payments (GPN), have also recovered from where they were when those incidents happened. Heartland recently hit an all-time high. Since card processing has been going on for decades, many of the systems being used are based on IBM (IBM) mainframes. Some use custom programming and languages such as Cobol that younger programmers may not know. The whole field is complicated, specialized and focused on meeting regulations that constantly raise the security bar. Another way to improve security is through so-called "chip and PIN" cards, which include a data-filled chip rather than a simple magnetic stripe. They are now being rolled out through cards often used for European travel, including the American Express (AXP) Platinum card.