Last year's 600,000 debit card breach in the US revealed that hackers had easily obtained the cards' magnetic strips, Pins and encryption keys.

Current rules governing the security of transactions require that retailers immediately erase and/or encrypt transaction data at the point of sale when the transaction has been completed.

However, some point of sale devices are retaining the data within maintenance and troubleshooting software called 'trace utilities'. Worse yet, the keys used to encrypt the Pin are also being stored.

It is therefore relatively simple for the hacker to grab the file from the maintenance and troubleshooting software and use the encryption key to reveal the underlying Pin. The theft did not require physical access to the point of sale devices.

A researcher from Gartner has suggested that, in this particular case, it is likely that the hackers simply plucked the Pins out of thin air using a laptop computer while parked outside the retailer.

As has been typical in recent data breaches it was not a single weakness but a combination that made the Pin theft possible.

• The maintenance and troubleshooting software that stored the data was never intended to be used in a production environment.

• The encryption key used to immediately encrypt the Pin after it is entered in to the keypad was stored along with the encrypted Pin.

• The transmission of the data over a wireless network carries the inherent risk that the data can be captured and ultimately revealed in clear text.

The use of Pins to replace signatures in card transactions is now mandatory in the UK. Hopefully the news of the Pin theft in the US will be a wakeup call to ensure that the underlying technologies and methodologies do not offer cyber-criminals the same opportunities.