Data Breaches and Buyer Behavior: Moving PCI Compliance from Costly Burden to Competitive Advantage

Table of Contents

• Overview
• Primary Questions
• Findings & Analysis
• Identity Fraud Fears Are Rising
• Consumers Worry about Increasing Identity Fraud
• Fears about Identity Fraud Growth Are Unsubstantiated
• More Consumers See an Increase in Credit Card Fraud than Debit Card Fraud
• Almost Two of Five Consumers Became Data Breach Victims Last Year
• Security Is a Group Effort, with Merchants Viewed as Weakest Link
• Credit Card Companies Alone Not Primarily Responsible for Data Security
• Tensions Evolve over PCI Compliance
• Consumers, Credit Card Companies and Merchants Bear Equal Responsibility to Do More to Prevent Fraud
• Merchants Viewed as Worst in Data Protection
• Banks Best in Protecting Consumer Data
• Notification Increases Trust and Favorable View of Issuers
• Company Where Breach Occurs Has Responsibility to Notify Consumers
• Two-Thirds of Consumers Trust Banks to Assess Risk in Data Breach Notification
• Notification Increases Favorable View of FIs
• Perceived Security of Retailer Strongly Affects Shopping Habits
• Retailers Identified as Source of Most Stolen Card Information
• Three out of Four Consumers Unlikely to Continue Shopping at a Merchant Where a Data Breach Occurs
• Security Leaders Reap Rewards of Loyal Customers: the Case for PCI Branding
• Best Practices to Affect Real and Perceived Security
• Protection is a shared responsibility
• What Must Merchants and Issuers Do in the Face of a Data Breach?
• Case Study-TJX Data Breach
• Notify customers of security breaches on a timely basis
• Release information that is as complete and accurate as possible
• Protect your consumer’s private data and do not keep unnecessary information from past transactions
• Scan regularly for abnormal activity and keep logs of all network activity
• Attain and maintain PCI compliance, but realize compliance is not a panacea
• Who will pay the piper?
• Related Research
• Appendix
• PCI Security Standards
• Data Breaches Rarely Result in Fraud
• Online Access Accounts for Only 16% of Identity Frauds
• Consumers Identify Merchants as Most Likely Culprits in any Data Breach
• Almost One of Every Five Consumers Received Replacement for Compromised Card Last Year

Table of Figures

• Figure 1: Consumer Beliefs about Identity Fraud
• Figure 2: Numbers of Victims (in Millions) and One-Year Incidence Rates
• Figure 3: Consumer Perceptions of Credit and Debit Card Fraud
• Figure 4: Consumers’ Chances of Becoming a Victim
• Figure 5: Consumers’ Views on Who Holds Primary Responsibility for Data Security
• Figure 6: Consumer Views on Who Has Primary Responsibility to Do More to Prevent Fraud
• Figure 7: Consumer Viewpoint: Who Is Least Secure in Protecting Account Information?
• Figure 8: Consumer Viewpoint: Who Is Most Secure in Protecting Account Information?
• Figure 9: Consumers’ Perspectives on Notification Responsibility in a Data Breach
• Figure 10: Consumers’ Reliance on Banks to Decide Whether to Notify in a Data Breach
• Figure 11: Consumers’ Perspectives on How Data Breach Notification Affects Opinion
• Figure 12: Consumers’ Opinions on Who Is Most Likely to Be at Fault in a Data Breach
• Figure 13: Consumers’ Reaction to Data Breach at Merchant
• Figure 14: Consumers’ Inclinations to Shop at Merchants Who Are Security Leaders
• Figure 15: TJX Data Breach Timeline
• Figure 16: Data Breaches Resulting in Fraud for Consumers
• Figure 17: Sources of Identity Fraud
• Figure 18: In a Breach, Aside from Criminals, Who Do Consumers Think Is Most at Fault?
• Figure 19: Consumers’ Reporting of Card Replacements Due to Security Concerns