Hackers who stole data for up to 40 million credit cards and debit cards used in Target stores removed encrypted data containing personal identification numbers — but the theft isn't expected to compromise cardholder accounts — the company said Friday.
"We remain confident that PIN numbers are safe and secure," said a statement issued Friday by Target spokeswoman Molly Snyder.
According to the company, Target does not have access to or store the encryption key within the company's computer systems. When a Target customer uses a debit card in one of the company's stores and enters his or her PIN, the number is encrypted at the keypad with a widely used security program known as Triple DES, the company said.
Triple DES is the common name for the Triple Data Encryption Algorithm, a standard designed to thwart efforts to crack encrypted data. The PIN data can only be decrypted when it is received by the company's external payment processor, Target said.
"What this means is that the 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident," the company said, adding "the most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."