Target: Encryption System Should Protect PIN Numbers Accessed During Data Breach

Target has announced that the debit and credit card data obtained in the data breach that ran from Nov. 27 through Dec. 15 included “strongly encrypted data,” among it PIN numbers. However, the company maintained, the “key” necessary to decrypt the information was not accessed.

According to Target, more than 40 million customers who used debit or credit cards at the retailer’s checkouts during the Nov. 27 to Dec. 15 timeframe were exposed to potential fraud. Hackers retrieved customer names, credit or debit card numbers, expiration dates and encrypted security codes, Target noted.

The company is now saying that encrypted information, while taken, would be virtually inaccessible because of the company’s encryption process.

“We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” the company said in a statement.

At Target stores, the company continued, PIN data is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S. The retailer does not have access to the encryption key, nor does it store the key within its system, and PIN information encrypted within Target’s systems can only be decrypted when it is received by the company’s external, independent payment processor, it continued in the statement. The “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident, the company added.

Target will continue to investigate the data breach and share the facts as they are confirmed.