Target publicly acknowledged on Dec. 19 that its U.S. retail stores had been the victim of a data breach.
In a public media update published Dec. 27, Target stressed that its customers’ PIN information was strongly encrypted using the Triple Data Encryption Standard (DES).
“The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” Target stated.
Going a step further, Target noted that it does not hold the Triple DES encryption keys within its own system and the data can only be decrypted by a payment processor.
“What this means is that the key necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident,” Target stated. “The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.”