Target: 'Strongly Encrypted' PIN Numbers Taken During Security Breach

Updated: 12/27/2013 11:47 AM By: Megan Stewart

Based on forensic work, Target believes that although PIN numbers were stolen during a recent security breach, the encryption protecting them should mean that they have not been compromised, the company said Friday.

This means debit cards used during the hack period, from Nov. 27 through Dec. 15, are believed to be safe, the company said.

The PIN numbers were encrypted within Target's system and cannot be decrypted without a third-party payment processor, the company said in a statement:

Our investigation into the data breach incident is continuing and ongoing. While we are still in the early stages of this criminal and forensic investigation, we continue to be committed to sharing the facts as they are confirmed.

While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.

To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S. 

Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.

The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.

On Saturday, nearly 2 million Chase debit card holders were notified that they will not be able to make more than $300 in purchases a day, or withdraw more than $100 a day, until their cards have been replaced. The bank later upped the limits to $250 in cash and $1,000 in spending.

The Target investigation is ongoing.