Consumers Care About Security A Lot Less Than They Say They Do

Written by Evan Schuman
April 12th, 2007

Despite surveys showing that consumers say they would shun merchants who have lax security methods, a new earnings report from famed security bad boy TJX on Thursday showed a better-than-expected 11 percent boost in revenue.

With all of the investigations and probes surrounding the massive TJX data breach?including class-action lawsuits, dozens of state Attorney General probes, congressional inquiries and a Federal Trade Commission investigation, to name just a few?there are only two constituencies that the $16 billion retailer cares about: Wall Street and its customers.

Indeed, that short list can be cut in half because Wall Street also overwhelmingly cares about the retailer’s customers, which is equal to revenue. If the customers are happy, Wall Street is happy.

So are customers happy? They tell pollsters they’re not, but the earnings report suggests they are talking with those pollsters on their cellphone as they are buying jeans at Marshalls.

This is nothing new. This column has written before about the huge unintended impact that credit card zero liability plans have had on retail security efforts. Consumers believe that they will personally never be ripped off, but if they are, their credit cards will somehow protect them.

The vicious cycle comes down to this: large retailers are watching the TJX case very closely and they are going to learn some very bad lessons. They already assume that they probably won’t get hacked and that if they do, it won’t be bad. And if it is bad, they’ll be able to keep it somewhat quiet (reality is not the exec’s friend in these thought processes). And if it does get out, what’s the worst that could happen? TJX has gotten an avalanche of horrible publicity and their revenue grew 11 percent.

Yes, the various probes and the credit card folk will likely assess some fines, but it’s not likely to be anything that will materially impact profits (heaven forbid). Even the class-action lawsuits will likely merge, fizzle and quietly settle out of court with lots of confidentiality agreements. Here again, the zero liability programs limit how much financial harm any consumer is likely to feel, which makes it difficult to get huge settlements.

But consumers don’t always understand how they’ll act. In a report this week from Javelin Strategy & Research, a nationwide survey of 1,200 credit or debit cardholders found that “only 20 percent said they would likely continue shopping at a store if they learned it had a data breach that may have compromised their card account information, while 78 percent said they would be unlikely to continue to shop there.”

The problem with analyzing such results is that people make decisions about survey answers in a hypothetical ideal state. Indeed, they may like to say that they would never frequent such a merchant. But when they need clothing for their child and there’s this awesome sale at TJ Maxx two blocks away, the platonic ideal of punishing reckless security deployments pales in comparison to finding jeans that fit well at a good price.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.