Target confirmed today that the hackers behind the data breach that compromised some 40 million debit and credit cards also stole customers' encrypted personal identification numbers (PINs) in the attack.
"This morning, through additional forensics work, we were able to confirm that strongly encrypted PIN data was removed," Target spokeswoman Molly Snyder said in an email. "We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system and remained encrypted when it was removed from our systems."
Target previously said that encrypted data had been stolen, but stopped short of saying it included consumers' PINs.
Snyder said the "key" necessary to decrypt the PINs was not stored by Target, so the thieves could not have that key.
"The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken," Snyder said.
Stay vigilant, take steps to secure your debit card
Still, experts say people who used their debit cards at Target between Nov. 27 and Dec. 15 -- the time of the breach -- should take extra steps to protect themselves.
"PIN compromise is much more serious than just losing the data from the magnetic stripe on a card," says Shirley Inscoe, senior analyst with Aite Group. She said that stolen magnetic stripe data can be used to make counterfeit cards and make purchases, but thieves that also have PINs can withdraw cash from ATMs around the world.
Yaron Samid, founder and chief executive of Billguard, which monitors its users' card accounts for fraud, agrees: "If in fact your PIN was stolen, there is a risk that hackers can walk up to an ATM and pull money out of your account."
If money is stolen from your debit card account, your bank may not replace that money while it looks into the matter. If you need to use that money to pay bills, you could be out of luck until your bank resolves the issue.
"It's more important to be safer with debit than credit cards," says Brian Riley, senior research director at CEB TowerGroup. "You're using your bank's money with a credit card as opposed to your own."
Tips from experts to help keep your debit card safe:
Change your PIN.
Samid says consumers should change their PINs regularly to avoid fraud. He suggests changing your PIN once per month, although he acknowledges that, realistically, most consumers won't follow his advice.
Check the activity on your card.
"There is no better solution or alternative to a consumer than simply checking your card activity regularly," Samid says. Consumers who used their debit cards at Target during the breach window should be aware that even if they don't see fraudulent activity immediately, the card can be used for fraud later.
Aite Group's Inscoe agrees. "Thieves may wait months to use this data, so (consumers) should continue this monitoring going forward and not grow complacent," she says.
Consumers shouldn't just be checking for major fraudulent purchases. They should scrutinize "micro-charges" -- small charges of $2 or less that criminals use to validate whether a card is still active.
Since most consumers don't worry about small amounts, those fraudulent micro-charges sometimes are overlooked.
Get a new card.
While experts disagreed on whether this step was necessary, CEB's Riley says his wife changed her debit card as soon as news of the Target hack broke.
"If you went shopping at Target, you should probably do what my wife did," Riley says. "Cancel and get a new card. Period. End of story."
But Billguard's Samid says that may not be necessary for many consumers. "You don't have to rush to cancel your card," he says, noting that if all 40 million people who were potentially affected did that, it would cause havoc.
He said that only a small percentage of people who are breached actually see card fraud.
If you do see a troubling transaction, report it immediately. According to the Federal Trade Commission, as long as your debit card is still physically in your possession, you are not liable for any fraudulent transactions on it if you report them within 60 days of the fraudulent transaction showing up on your statement.
"The bank will fully reimburse you if you report in a timely period," says Doug Johnson, vice president of risk management policy at the American Bankers Association.
Do you feel that you're being vigilant enough in securing your debit card?
Follow me on Twitter: @allisonsross.