Did the Target Data Breach Change Consumer Assessments of Payment Card Security?

2016 • No. 16–01
By Claire Greene and Joanna Stavins

Full Text Document (pdf)

Security of payments has long been identified as an important aspect of the consumer payment experience and is receiving renewed attention in the wake of highly publicized cybercrimes. On January 26, 2015, following an intensive, 18-month research effort, the Federal Reserve released a plan entitled, “Strategies for Improving the U.S. Payment System,” identifying security improvements as one of its top initiatives. On December 19, 2013, Target Corporation announced that hackers may have gained access to payment card data for 40 million credit and debit card accounts used in its stores in the 19 days between November 27 and December 15, 2013. The breach was widely reported, beginning on the evening of December 18. The announcement of the Target breach in late 2013 provides an opportunity to test whether news about payment security breaches changes the way consumers evaluate and use payment instruments.

  • Key Findings

    • Controlling for possible confounding effects of demographic differences between the two groups, ratings by consumers who assessed the security of personal information of debit cards shortly after the breach were lower than ratings by consumers who responded before the breach was reported. On average, the rating on the payment instruments was 11.3 percent lower shortly after the Target breach.
    • Based on prior research on the impact of security assessments on payment instrument, we would expect a small (economically insignificant) decline in debit card use from this lower rating. However, we find no statistically or economically significant change in debit card use from 2013 to 2014. For credit cards, there was no difference in the ratings given by consumers who responded to the survey before the breach was reported and the ratings of those who responded after announcement of the breach.
  • Exhibits

  • Implications

    While the security ratings and survey completion times (pre- or post-breach) are correlated, the authors of this report find no evidence that the Target breach announcement caused any long-term effects on changes in payment behavior.