Customers have "zero liability" on most debit accounts, but there are questions about which party—the bank in question, Target , or industry authorities—will ultimately be found liable. (A Target statement at the time the breach was disclosed only sought to reassure guests they would not be held financially responsible.)

"I'm basically relying on my checkbook," Johnson told CNBC, saying he used a check to fill up his gas tank at Casey's General Store on New Year's Day. For stores that no longer accept local checks, he's had to use cash he stockpiled from a visit to a local bank branch.

Nate Johnson, 26, of Gowrie, Iowa, got a notice from Security Savings Bank this week that it would be blocking all customer transactions. The decision to block all transactions came from "recent fraudulent activity occuring [sic] on customers' compromised cards," according to the bank's message.

Three weeks after news broke that 40 million accounts of Target shoppers were breached in a widespread hack, some customers of smaller banks are beginning to feel the repercussions.

Citigroup and Wells Fargo, for instance, have been monitoring accounts for fraudulent activity on a case-by-case basis but have stopped short of initiating customer-wide policies.



Of the country's largest banks, only Chase has taken similar actions on customer accounts to thwart potential fraud. Chase has clipped spending by affected debit customers to $250 at ATMs and $1,000 on purchases—and banned any debit usage overseas.

Kristin Lemkau, a spokeswoman for Chase, said each of the roughly 2 million cards compromised by the breach should be replaced by the end of next week.



In the meantime, small financial institutions have faced an uphill battle since they lack the infrastructure to produce new cards quickly and the budgets to cover potential fraud incidents.



(Read more: )

Ryan Avery, who banks at North Dakota's First Western Bank and Trust, found that out the hard way when he tried to purchase a song on Apple's iTunes on Christmas Eve. First Western had, days earlier, blocked cardholders from any transactions that did not involve a personal identification number. Since then, the bank has begun allowing transactions in North Dakota—but nowhere else, until the cards are replaced.

"In order to buy anything online, I have to contact (the bank) first to confirm any purchases," Avery told CNBC. "They unblock my card for an hour, then promptly block it again right away."



A representative for First Western confirmed that a ban on transactions in North Dakota has been lifted, but declined to provide any other details on the actions the bank is taking.



Consumers have already begun suing Target for such consequences. On Dec. 23, Target shopper Janice McCarter filed a class-action lawsuit in the Northern District of Illinois on behalf of customers, citing Target's alleged "failure to reasonably and properly secure" their data.



Target declined to comment on pending litigation, or specific customer complaints.



The National Association of Federal Credit Unions has sent a letter to congressional leaders calling for retailers to be subject to the same standards of data security as the banking industry.



"Credit unions and other financial institutions—not retailers and other entities—are out front protecting consumers, picking up the pieces after a data breach occurs."

—By CNBC's Kayla Tausche. Follow her on Twitter @kaylatausche.