Decoupled debit cards, which draw funds from an account at a separate issuer, are typically framed as a low-cost alternative to cards issued by credit unions and banks.
But in the wake of the
Target's popular Redcard debit cards were among the 40 million accounts compromised in a data breach disclosed last week. These cards draw funds from a consumer's existing checking account and can be used only at Target stores.
The Target debit card was accepted for 10.4% of all U.S. Target sales in the company's third quarter, which ended Nov. 2, according an earnings statement.
Despite the debit cards' widespread use, fraudsters may not be interested in that portion of the haul, said Richard Crone, chief executive of San Carlos, Calif.-based payments consulting firm Crone Consulting LLC.
"Skimming the 16 digits on Target's proprietary decoupled debit Redcard will probably not even be pursued by the fraudsters who captured that number because it can only be used inside Target," Crone said. "The proprietary Target card represents another reason merchants may want their own card because it can mitigate risk, too."
Though a swiped Redcard debit transaction would give access to funds in the user's bank account, the card does not provide access to account information that can be used at other stores.
"When the consumer swipes that card, they are not presenting the routing and transit number nor the demand-deposit account number that is used to clear the payment," Crone added. "It is all controlled, secured and encrypted behind Target's firewall, and it appears that was not affected."
Target's debit cards essentially use a token that stands in for the bank's routing and account information. (Target also offers a credit card under its Redcard brand. These cards are issued by TD Bank.)
If the payments industry was starting from scratch today, no one would pass actual payment credentials through the point of sale, according to Crone. For security purposes, a modern payment card would function like decoupled debit cards do.
"It's just ludicrous that we even pass payment data through a merchant terminal and to the acquirer and then back to the merchant," he said.
Target's debit cards are creating an unusual
Executives at the $29 million credit union in Omaha, Neb., said they regretted having to block 150 debit cards late Friday night to protect members’ accounts.
But FFFCU scrambled, calling all 150 and letting them know they can still use their blocked debit card at the new CO-OP NextGen ATM outside the credit union
Target cannot say how the decoupled debit cards fit into the mix of stolen accounts or whether they are at less risk, according Molly Snyder, a spokesman for the company.
"I don’t have the details to provide you with answers to those questions," Snyder wrote in an e-mail. "This is an ongoing investigation."
Hackers likely intercepted account data at the back end of Target's payment network, a task made easier by the mag-stripe card's limitations, said Siva Narendra, CEO of Tyfone Inc.
"A breach of Target's magnitude is really unacceptable in payments and it will be intolerable in other places like health care, critical infrastructure, business secrets and secrets of the nation," Narendra stated in an email.
