Overview

In light of the TJX saga, issuers will no longer passively accept the costs incurred from lost cardholder data that is no fault of their own. Merchants, on the other hand, view PCI compliance as costly and burdensome, and of little value beyond “compliance”. Rather than point fingers and assess blame, all industry participants must understand the necessary steps to secure cardholder data efficiently and cost effectively. Furthermore, it is imperative to recognize how consumer behavior is affected by data breaches. This report provides an in depth analysis of consumers’ attitudes and perceptions regarding data breaches paired with a case study of the TJX data breach. This detailed analysis of extensive consumer research delineates specific action plans for merchants’ and issuers’ communication and security policies.

Primary Questions

• How do consumer perceptions match the reality of data breach sources and results?
• Who do consumers hold responsible for protecting their security interests?
• Who do consumers believe is doing a good job of protecting their security interests?
• What do consumers believe merchants and issuers must do in the event of a data breach?
• What best practices can affect real and perceived security?
• What can lessons can be learned from the TJX data breach?

• Overview
• Primary Questions
• Findings & Analysis
• Identity Fraud Fears Are Rising
• Consumers Worry about Increasing Identity Fraud
• Fears about Identity Fraud Growth Are Unsubstantiated
• More Consumers See an Increase in Credit Card Fraud than Debit Card Fraud
• Almost Two of Five Consumers Became Data Breach Victims Last Year
• Security Is a Group Effort, with Merchants Viewed as Weakest Link
• Credit Card Companies Alone Not Primarily Responsible for Data Security
• Tensions Evolve over PCI Compliance
• Consumers, Credit Card Companies and Merchants Bear Equal Responsibility to Do More to Prevent Fraud
• Merchants Viewed as Worst in Data Protection
• Banks Best in Protecting Consumer Data
• Notification Increases Trust and Favorable View of Issuers
• Company Where Breach Occurs Has Responsibility to Notify Consumers
• Two-Thirds of Consumers Trust Banks to Assess Risk in Data Breach Notification
• Notification Increases Favorable View of FIs
• Perceived Security of Retailer Strongly Affects Shopping Habits
• Retailers Identified as Source of Most Stolen Card Information
• Three out of Four Consumers Unlikely to Continue Shopping at a Merchant Where a Data Breach Occurs
• Security Leaders Reap Rewards of Loyal Customers: the Case for PCI Branding
• Best Practices to Affect Real and Perceived Security
• Protection is a shared responsibility
• What Must Merchants and Issuers Do in the Face of a Data Breach?
• Case Study-TJX Data Breach
• Notify customers of security breaches on a timely basis
• Release information that is as complete and accurate as possible
• Protect your consumer’s private data and do not keep unnecessary information from past transactions
• Scan regularly for abnormal activity and keep logs of all network activity
• Attain and maintain PCI compliance, but realize compliance is not a panacea
• Who will pay the piper?
• Related Research
• Appendix
• PCI Security Standards
• Data Breaches Rarely Result in Fraud
• Online Access Accounts for Only 16% of Identity Frauds
• Consumers Identify Merchants as Most Likely Culprits in any Data Breach
• Almost One of Every Five Consumers Received Replacement for Compromised Card Last Year

Table of Figures

• Figure 1: Consumer Beliefs about Identity Fraud
• Figure 2: Numbers of Victims (in Millions) and One-Year Incidence Rates
• Figure 3: Consumer Perceptions of Credit and Debit Card Fraud
• Figure 4: Consumers’ Chances of Becoming a Victim
• Figure 5: Consumers’ Views on Who Holds Primary Responsibility for Data Security
• Figure 6: Consumer Views on Who Has Primary Responsibility to Do More to Prevent Fraud
• Figure 7: Consumer Viewpoint: Who Is Least Secure in Protecting Account Information?
• Figure 8: Consumer Viewpoint: Who Is Most Secure in Protecting Account Information?
• Figure 9: Consumers’ Perspectives on Notification Responsibility in a Data Breach
• Figure 10: Consumers’ Reliance on Banks to Decide Whether to Notify in a Data Breach
• Figure 11: Consumers’ Perspectives on How Data Breach Notification Affects Opinion
• Figure 12: Consumers’ Opinions on Who Is Most Likely to Be at Fault in a Data Breach
• Figure 13: Consumers’ Reaction to Data Breach at Merchant
• Figure 14: Consumers’ Inclinations to Shop at Merchants Who Are Security Leaders
• Figure 15: TJX Data Breach Timeline
• Figure 16: Data Breaches Resulting in Fraud for Consumers
• Figure 17: Sources of Identity Fraud
• Figure 18: In a Breach, Aside from Criminals, Who Do Consumers Think Is Most at Fault?
• Figure 19: Consumers’ Reporting of Card Replacements Due to Security Concerns