But company says it is "confident that PIN numbers are safe and secure."
"The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems," Target said in a statement.
The company explained in its statement that the PIN number is encrypted at the keypad, and Target does not have access to the encryption key.
"The PIN information is encrypted within Target's systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident," Target said in a statement.
Target said data connected to about 40 million credit and debit card accounts were stolen between Nov. 27 and Dec. 15. More than a dozen Target customers have filed federal lawsuits around the country, with some accusing Target of negligence in failing to protect customer data.
Target says the company is investigating, but it has not disclosed exactly how the breach occurred. Customers who see suspicious charges on their statements were advised to report them to their credit card companies and call Target at (866) 852-8680.
The Associated Press contributed to this report.