On December 27, Target issued an official statementabout hackers' access to encrypted debit card PIN data along with the payment card numbers accessed during its breach event.
Some have wondered whether Target's claims regarding the encrypted PIN codes are accurate. Although Target has not provided us with enough details to make a firm assertion that they are in fact accurate, there is nothing in their statement to indicate they are inaccurate, either. The details they have disclosed all seem to align with what we know is true about the payment workflow: Customer PIN codes are encrypted on the keypad using encryption keys stored in a limited-feature Hardware Security Module (HSM), and the encrypted PINs are sent to Target's payment processor, where they are validated in an HSM on the processor side. In other words, neither the unencrypted PIN data nor the encryption keys ever touch any of Target's systems.