Retailers often worry that their customers won't return after a breach, but as logical as this expectation is, it may be far from the truth.
Recent research from the Merchant Acquirer Committee indicates consumers do return to merchant locations after a breach fairly quickly and, even more telling, many are never aware of a breach to begin with.
In every publicized data breach of the past few years, consumers returned to the location within three months after the breach. Thirteen percent of respondents to a survey asking about breach awareness and consumer loyalty said they were not aware of the incidents, and only 2% indicate they had not returned to those affected stores.
While many security vendors claim customers won't come back and a data breach hurts brand recognition, it appears to be true only in the short term, said data security consultant Branden Williams, a member of the MAC board who conducted the research for the organization.
"In the long term, there is no data that backs up the notion that a breach is going to wreck you," he added.
Williams conducted the survey with MAC during the second half of 2015, getting responses from 1,031 U.S. consumers with credit or debit cards. The survey cited the top 15 publicized data breaches of the past three years, among them Target in December of 2013, Neiman Marcus and Michael's, both in January of 2014, Home Depot in September of 2014 and Toys R Us in March of 2015.
Gender breakdown of respondents was even at 50% male and female, with 13% between ages 18 and 29, and 31% between 30 and 44. Those between ages 45 and 59 accounted for 40%, while 16% were older than 60.
Ultimately, MAC wants the research to alert merchants that protecting the security of payment flow remains critical with encryption and tokenization managed by a payment processor or acquirer. But they can rely on the majority of their customers sticking with them.
"It is still very important for a merchant to avoid a breach because they do have an impact on costs, but it is different from consumers not returning," Williams said. "They need to spend money to protect themselves from a huge asset drop because of the costs involved with cleaning up the breach, not to placate a consumer contingent."
Despite the breaches affecting card data, 79% of consumers continue to favor card payments over cash (16%) or checks (1%) at the retailers after a breach, the research showed.
Though consumer awareness of breaches was poor in general, they were aware of Target (81%) and Home Depot (38%) breaches the most. From a demographic standpoint, those in the 54 to 64 age group were most aware, probably being more inclined to follow the news.
Only 7%, or 75 respondents, said they had not returned to a breached retailer to shop in the year following the breach. The biggest reason consumers cited was they did not have a loyal track record at the retailer to begin with, as 70% of those said they did not shop regularly at the merchant location even before the breach. Only 4% said they took their business to a competitor that they perceived to be more secure, while 2% specifically cited the breach as the reason for not returning in that 12-month period.
While it was not part of the research questions, the growth of Amazon as a Web-based shopping option might also keep consumers away from a retailer for a period of time, Williams noted.
More information is being made available about the dangers of weak passwords and what can occur in the aftermath of a breach, but the average consumer is surely not paying as much attention as those in the payments industry, Williams added.
The payments industry is increasingly turning to technology that removes the traditional username and password authorization for online accounts.
"It is becoming known that Uber credentials are more valuable than credit card credentials," Williams said. "We tie our payment mechanisms to a number of different accounts that we might use on a daily or weekly basis, probably using the same password for all of those."
The MAC is an organization of bankcard professionals involved in the risk management side of card processing, with banks, independent sales organizations, card associations and risk management experts as members.