If the POS terminals were compromised, attackers could have retrieved CCV1 numbers at the point of reading the card. In other words, it's still possible Target complied with the PCI requirement of not storing CCV numbers. But since nobody knows how the attack happened, it's all just speculation.
