Data Breaches and Buyer Behavior: Moving PCI Compliance from Costly Burden to Competitive Advantage

Transcription

1 Moving PCI Compliance from Costly Burden Unfolding TJX Saga Reveals Consumer Differentiation Opportunity within Merchants Security Implementation March 2007

2 Overview In light of the TJX saga, issuers will no longer passively accept the costs incurred from lost cardholder data that is no fault of their own. Merchants, on the other hand, view PCI compliance as costly and burdensome, and of little value beyond compliance. Rather than point fingers and assess blame, all industry participants must understand the necessary steps to secure cardholder data efficiently and cost effectively. Furthermore, it is imperative to recognize how consumer behavior is affected by data breaches. This report provides an in depth analysis of consumers attitudes and perceptions regarding data breaches paired with a case study of the TJX data breach. This detailed analysis of extensive consumer research delineates specific action plans for merchants and issuers communication and security policies. Primary Questions How do consumer perceptions match the reality of data breach sources and results? Who do consumers hold responsible for protecting their security interests? Who do consumers believe is doing a good job of protecting their security interests? What do consumers believe merchants and issuers must do in the event of a data breach? What best practices can affect real and perceived security? What can lessons can be learned from the TJX data breach? Case Study: TJX Data Breach Unfolding Saga Reveals Consumer Differentiation Opportunity within Merchants Security Implementation This merchant study will explore the many facets of the TJX Companies data breach, in which 45.7 million cards and 455,000 personal records were compromised, to evaluate the handling of a security breach and to demonstrate how to integrate consumer preferences into data security. Audience: Author: Contributors: Merchants, Card Processors, Networks, Issuers, Acquirers, ISOs Mary T. Monahan, Editor and Analyst Bruce Cundiff, Senior Analyst James Van Dyke, President and Founder Publication date: March 2007 Price: $1250 Length: 35 pages 19 charts/graphs

3 Table of Contents Overview Primary Questions. 4 Findings & Analysis Identity Fraud Fears Are Rising.. 5 Consumers Worry about Increasing Identity Fraud. 5 Fears about Identity Fraud Growth Are Unsubstantiated... 6 More Consumers See an Increase in Credit Card Fraud than Debit Card Fraud... 7 Almost Two of Five Consumers Became Data Breach Victims Last Year... 8 Security Is a Group Effort, with Merchants Viewed as Weakest Link... 9 Credit Card Companies Alone Not Primarily Responsible for Data Security.. 9 Tensions Evolve over PCI Compliance. 11 Consumers, Credit Card Companies and Merchants Bear Equal Responsibility to Do More to Prevent Fraud.. 12 Merchants Viewed as Worst in Data Protection Banks Best in Protecting Consumer Data. 14 Notification Increases Trust and Favorable View of Issuers.. 15 Company Where Breach Occurs Has Responsibility to Notify Consumers. 15 Two-Thirds of Consumers Trust Banks to Assess Risk in Data Breach Notification. 16 Notification Increases Favorable View of FIs 17 Perceived Security of Retailer Strongly Affects Shopping Habits 18 Retailers Identified as Source of Most Stolen Card Information 18 Three out of Four Consumers Unlikely to Continue Shopping at a Merchant Where a Data Breach 19 Occurs. Security Leaders Reap Rewards of Loyal Customers: the Case for PCI Branding 20 Best Practices to Affect Real and Perceived Security. 21 Protection is a shared responsibility What Must Merchants and Issuers Do in the Face of a Data Breach?... 23

4 Table of Contents (Continued) Case Study TJX Data Breach Notify customers of security breaches on a timely basis Release information that is as complete and accurate as possible.. 26 Protect your consumer s private data and do not keep unnecessary information from past transactions Scan regularly for abnormal activity and keep logs of all network activity Attain and maintain PCI compliance, but realize compliance is not a panacea.. 27 Who will pay the piper? Related Research.. 29 Appendix. 30 PCI Security Standards 30 Data Breaches Rarely Result in Fraud.. 31 Online Access Accounts for Only 16% of Identity Frauds.. 32 Consumers Identify Merchants as Most Likely Culprits in any Data Breach Almost One of Every Five Consumers Received Replacement for Compromised Card Last Year 34

5 Table of Figures Figure 1: Consumer Beliefs about Identity Fraud... 5 Figure 2: Numbers of Victims (in Millions) and One-Year Incidence Rates. 6 Figure 3: Consumer Perceptions of Credit and Debit Card Fraud 7 Figure 4: Consumers Chances of Becoming a Victim 8 Figure 5: Consumers Views on Who Holds Primary Responsibility for Data Security.. 9 Figure 6: Consumer Views on Who Has Primary Responsibility to Do More to Prevent Fraud Figure 7: Consumer Viewpoint: Who Is Least Secure in Protecting Account Information? Figure 8: Consumer Viewpoint: Who Is Most Secure in Protecting Account Information? Figure 9: Consumers Perspectives on Notification Responsibility in a Data Breach 15 Figure 10: Consumers Reliance on Banks to Decide Whether to Notify in a Data Breach.. 16 Figure 11: Consumers Perspectives on How Data Breach Notification Affects Opinion.. 17 Figure 12: Consumers Opinions on Who Is Most Likely to Be at Fault in a Data Breach 18 Figure 13: Consumers Reaction to Data Breach at Merchant.. 19 Figure 14: Consumers Inclinations to Shop at Merchants Who Are Security Leaders. 20 Figure 15: TJX Data Breach Timeline 25 Figure 16: Data Breaches Resulting in Fraud for Consumers Figure 17 Sources of Identity Fraud Figure 18: In a Breach, Aside from Criminals, Who Do Consumers Think Is Most at Fault? Figure 19: Consumers Reporting of Card Replacements Due to Security Concerns... 34

6 Companies/Organizations Mentioned in Report Fifth Third Bank Mastercard TJX Additional Report Topics Tylenol Visa Branding PCI Compliance Breach Notification Costs Data Breach Case Study Data Breach Notifications (Disclosure Laws) Debit Card & Credit Card Fraud Perceptions Payment Card Industry Compliance PCI DDS Reissuance Fees Sample Pages

7 Health Savings Accounts: Focus on Transactions and Product Development Will Lead to Asset Growth Target Place Your Order as Follows: 1) Call us at , x26 2) us at 3) Fax or Mail using the form below: Please send me the following report(s): Report Title Publication Date Price Name Title Organization Division or group Phone Fax Address Signature to confirm your order: Payment Method: [ ] Payment card [ ] Check Enclosed [ ] Invoice me Visa, MC, AE or Disc. card #: Exp date: / Name on Card: Signature For invoicing, provide PO number: (Invoicing is available to financial institutions or publicly owned firms) Note: Reports are provided in electronic PDF form only. Javelin reports are subject to standard terms and conditions, as described on our web site. Javelin will contact you in the future to provide our free research newsletter or other mailings. If you do not wish to receive our newsletter or other mailings, you may advise us of this. Your contact information will not be sold to other organizations.