In Target Breach, Decoupled Debit Adds Unexpected Protection

Decoupled debit cards, which draw funds from an account at a separate issuer, are typically framed as a low-cost alternative to bank cards. But in the wake of the massive Target Corp. data breach, security may have suddenly become the product's biggest selling point.

Target's popular Redcard debit cards were among the 40 million accounts compromised in a data breach disclosed last week. These cards draw funds from a consumer's existing checking account and can be used only at Target stores. The Target debit card was accepted for 10.4% of all U.S. Target sales in the company's third quarter, which ended Nov. 2, according an earnings statement.

Despite the debit cards' widespread use, fraudsters may not be interested in that portion of the haul, says Richard Crone, chief executive of San Carlos, Calif.-based payments consulting firm Crone Consulting LLC.

"Skimming the 16 digits on Target's proprietary decoupled debit Redcard will probably not even be pursued by the fraudsters who captured that number because it can only be used inside Target," Crone says. "The proprietary Target card represents another reason merchants may want their own card because it can mitigate risk, too."

Though a swiped Redcard debit transaction would give access to funds in the user's bank account, the card does not provide access to account information that can be used at other stores.

"When the consumer swipes that card, they are not presenting the routing and transit number nor the demand-deposit account number that is used to clear the payment," Crone says. "It is all controlled, secured and encrypted behind Target's firewall, and it appears that was not affected."

Target's debit cards essentially use a token that stands in for the bank's routing and account information. (Target also offers a credit card under its Redcard brand. These cards are issued by TD Bank.)

If the payments industry was starting from scratch today, no one would pass actual payment credentials through the point of sale, Crone contends. For security purposes, a modern payment card would function like decoupled debit cards do.

"It's just ludicrous that we even pass payment data through a merchant terminal and to the acquirer and then back to the merchant," Crone says.

Target's debit cards are creating an unusual customer service issue for banks with customers affected by the breach. Even if the bank's account was a funding source for a consumer's Redcard debit card, the bank must defer to Target for any customer issues.

PNC, for example, published a customer service page with a note about the Redcard, instructing breach victims to contact Target directly.

Target cannot say how the decoupled debit cards fit into the mix of stolen accounts or whether they are at less risk, says Target spokesperson Molly Snyder.

"I don’t have the details to provide you with answers to those questions," Snyder states in an e-mail. "This is an ongoing investigation."

Hackers likely intercepted account data at the back end of Target's payment network, a task made easier by the mag-stripe card's limitations, says Siva Narendra, CEO of Tyfone Inc.

"A breach of Target's magnitude is really unacceptable in payments and it will be intolerable in other places like health care, critical infrastructure, business secrets and secrets of the nation," Narendra says in an email.