Target says it continues its investigation into a data breach that compromised approximately 40 million customers’ debit and credit card information.
“While we are still in the early stages of this criminal and forensic investigation, we continue to be committed to sharing the facts as they are confirmed,” Target says in a statement posted on its website.
“While we previously shared that encrypted data was obtained,…through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system and remained encrypted when it was removed from our systems.”
Target explains that when a guest uses a debit card in its stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S., according to the Minnesota-based retailer.
“Target does not have access to nor does it store the encryption key within our system,” the company says. “The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”
The unauthorized access to took place in U.S. Target stores between Nov. 27 and Dec. 15. Canadian stores and target.com were not affected.
1 Comment