Target on Thursday confirmed that payment card data was compromised in its stores, with 40 million accounts affected.

The retailer was confirming a report Wednesday that the breach had occurred. The breach was first reported by Krebs on Security. Customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code) were breached, according to a letter to customers.

According to the company, 40 million credit and debit cards were breached between Nov. 27 and Dec. 15. Target said it alerted law enforcement and financial institutions immediately. The company added that it has "identified and resolved the issue."

Target added that it is working with a third-party forensics firm to investigate the incident.

Security experts raised eyebrows at the fact that CVV codes were breached.

Forrester analyst John Kindervag said:

This is a breach that should've never happened. The fact that three-digit CVV security codes were compromised shows they were being stored. Storing CVV codes has long been banned by the card brands and the PCI SSC. Without knowing the exact breach vector it's hard to say exactly what happened, but clearly by exposing CVV information Target has demonstrated a blatant disregard for PCI DSS compliance regulations as well as card security best practices. It's a brand disaster at the busiest shopping time of the year.
