Target Corp. said cybercrooks gained access to "strongly encrypted" personal identification numbers when they hacked their way into its systems and collected data on about 40 million customer credit and debit card accounts during the holiday season.
The retailer said Friday that it remained "confident" that PINs were "safe and secure."
PINs are encrypted as customers enter them at keypads at checkout through a protection program known as Triple DES encryption, according to Target.
The PIN information stays encrypted within Target's system and "remained encrypted when it was removed," the Minneapolis company said.
The code can be cracked only when the information is received by Target's external, independent payment processor, according to the retailer.
"What this means is that the 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident," the company said.
The retailer didn't address the possibility that hackers sophisticated enough to execute a break-in during prime shopping season — lasting from the crazed Black Friday weekend through Dec. 15 — might be able to outwit the encryption defense.
"The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken," Target said.
The company said its investigation into the incident is "still in the early stages" and "is continuing and ongoing."
Phony credit cards made with the stolen information already are being sold on the black market, according to some reports.
A senator from Connecticut is calling for a probe into Target's security infrastructure; several state attorneys general have asked for more information on the hack. Customers also have filed at least a dozen lawsuits.
After the breach, Target's perception among consumers hit its lowest point in more than six years, according to sentiment tracker YouGov BrandIndex.