While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.
Target further explains how the encryption works:
When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.
Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.
This is the response Target should have issued from the beginning, rather than giving the impression that the Reuters report was bogus. Or, if Target was just trying to make absolutely sure that encrypted PINs were stolen, a simple “we’re still working to confirm this” would have been better than PR doublespeak.
Still, let’s give Target some credit for a proper explanation, even if it’s a bit overdue.