Article suggests that only a third party payment processor holds the key, yet also claims that the encryption algorithm is Triple DES. Either whatever's doing the encryption <i>also</i> has the key, or there's a random symmetric key for each entry that's encrypted using the payment processor's public key in some extra scheme that isn't explained in the article. That would explain why they're talking about a "decryption" key as a separate thing. (In the latter case, the thing doing the encryption technically also has the key; that's hard to avoid with a symmetric algorithm such as 3DES; but one would hope that the system doing the encryption would forget about that key ASAP :))

From what I understand, PCI mandates that at least the terminals all have their own (re-used) encryption keys; but that wouldn't fit with their story that the "key never existed within their systems"; unless that's them being a bunch of weasels due to a technicality (perhaps they themselves do not actually own the terminals?)

Is there a source with more technical details available?
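The hybrid scheme the comment above speculates about (a random per-entry 3DES key, wrapped under the processor's RSA public key so that a separate "decryption" key exists only at the processor, and the encrypting side forgets the 3DES key as soon as it can), worked through as an added Go example. This is not code from the article, from Target or from any payment processor, and it is not the PCI PIN-transport scheme the comment mentions (per-terminal keys); the OAEP label, the sample PIN block and the NewProcessorKey stand-in are assumptions made here.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the store keeps per PIN entry: the 3DES ciphertext plus the
// per-entry 3DES key wrapped under the processor's RSA public key. Only the
// holder of the matching private key can unwrap it.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(SHA-256) of the 24-byte 3DES key
	IV         []byte // random 8-byte CBC IV, one per entry
	Ciphertext []byte // 3DES-CBC of the PIN block(s), no padding
}

// Hypothetical OAEP label (an assumption): it ties the wrapped key to this use of the RSA key.
var oaepLabel = []byte("pin-entry-3des-key")

// EncryptEntry runs where the PIN is captured: draw a fresh 3DES key, encrypt
// the PIN block, wrap the key for the processor, then zero the key. Caveat: the
// cipher.Block keeps the expanded subkeys until it is garbage collected, so
// "forgetting" the key is best effort in a managed runtime.
func EncryptEntry(processorPub *rsa.PublicKey, pinBlock []byte) (*Envelope, error) {
	if len(pinBlock) == 0 || len(pinBlock)%des.BlockSize != 0 {
		return nil, errors.New("PIN block must be a whole number of 8-byte blocks")
	}
	key := make([]byte, 24) // keying option 1: three independent DES keys
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	defer func() { // forget the symmetric key as soon as the envelope is built
		for i := range key {
			key[i] = 0
		}
	}()
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(pinBlock))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pinBlock)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, processorPub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// DecryptEntry runs only at the processor, the sole holder of the private key.
// A wrong private key fails at the OAEP unwrap; note that 3DES-CBC itself has
// no integrity check, so a tampered Ciphertext decrypts to garbage silently.
func DecryptEntry(processorPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	if len(env.IV) != des.BlockSize || len(env.Ciphertext) == 0 ||
		len(env.Ciphertext)%des.BlockSize != 0 {
		return nil, errors.New("malformed envelope")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, processorPriv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(env.Ciphertext))
	cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(pt, env.Ciphertext)
	return pt, nil
}

// NewProcessorKey stands in for the processor's key pair (an assumption here);
// the private half would live in the processor's HSM, never on the merchant side.
func NewProcessorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func main() {
	priv, err := NewProcessorKey()
	if err != nil {
		panic(err)
	}
	// Constructed 8-byte sample in the shape of an ISO 9564 format-0 block; not real card data.
	pinBlock := []byte{0x04, 0x12, 0x34, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}
	env, err := EncryptEntry(&priv.PublicKey, pinBlock)
	if err != nil {
		panic(err)
	}
	got, err := DecryptEntry(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %x, recovered: %x\n", len(env.WrappedKey), env.Ciphertext, got)
}
```

The point the comment makes shows up in the code: the merchant side does hold the 3DES key for the duration of EncryptEntry (unavoidable with a symmetric cipher), but nothing it stores lets anyone without the processor's private key recover it, which is the only sense in which "the decryption key never existed within their systems" could be literally true.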
"Target ... said the PINs are 'strongly encrypted'"

Take this with a huge grain of salt. White hat analysis of the hacked Adobe database shows that "strong encryption" is only a very small piece of the puzzle for securely storing sensitive data.