Let's Try Some Facts...
"...The fact that three-digit CVV security codes were compromised shows they were being stored..."
I'm not sure why data storage is even mentioned in the story, much less the encryption piece. The fact that the breach is limited to a 3-4 week window of time would clearly indicate that the card data was stolen at the time of purchase, NOT stolen from a database. Thus, lodging the claim that Target was doing a "no-no" by storing CVV data is just slander, IMO. If this data was stolen from a database, where Target was saving CC data that they should not be saving, then A) there wouldn't be such a short window of time (you don't compromise a window of records in a database, it's all or nothing) and B) it's highly likely that target.com's CC data would have been compromised too.
Secondly, throwing the encryption-for-data-in-transit subject in with the encryption-for-data-at-rest issue is poor timing. PCI requirements for encryption are different for data at rest and data in motion, and CC data is NOT required to be encrypted, according to the PCI DSS, unless it is traveling over a public network (the internet) or over wireless networks. In fact, most banks / acquirers can't even support end-to-end encryption for CC transactions. There are a very limited number of acquirers that can support E2E encryption, and most of those are new niche businesses that are providing a new model for transaction encryption.
While it's easy for these "experts" to sit back and say how everything should be encrypted and secured as tight as can be, it's careless to make accusations that Target wasn't doing everything that they could to prevent this. We are talking about a system for credit processing that pre-dates the internet and the everything-is-connected world. Businesses are trying to play catch-up to secure these systems while leveraging new technology to make their supply chain more efficient and reduce costs with tech.
I have NO ties to Target, and I am not here to defend them. I am, however, the lead Security Architect for a mid-size national retailer, in charge of PCI compliance and CC transaction security, so I have personal experience living up to the PCI DSS and trying to balance business requirements with customer protection. I have no issue burning them at the stake if they are to blame, but let's get the FACTS before we indict Target. There are PLENTY of scenarios where Target could have been doing EVERYTHING right and still have this happen.