Why Consumers Will Shrug Off The Marriott Breach
In 1954, mathematician L.J. Savage published research about how consumers process information when making decisions. Dubbed the sure-thing principle, Savage’s work showed that consumers consider a variety of inputs when making decisions. They also mentally bucket — and then disregard — inputs that may be important, but not important enough to change their minds about something they really want to do.
To make his point, Savage used the example of someone contemplating the purchase of real estate. For that person, the outcome of an upcoming election was regarded as relevant. After weighing the pros and cons of each election outcome, that person decided to buy the property anyway. The election outcome, while arelevant input, was not the relevant decision driver for someone who had already decided they wanted to own that piece of property.
If the sure-thing principle can be believed, then last week’s Marriott breach of 500 million customer records won’t have much of an impact on the consumer’s decision to book a hotel room at a Marriott property for their next trip.
What’s Real and What’s Relevant
Researchers say that consumers make 35,000 decisions a day. That’s about 2,000 decisions every hour, or one every two seconds. Those decisions vary greatly in importance, significance and context. Many are rote, routine, low-risk and made based on past experience — whether it’s cold enough outside to wear a hat or whether there’s enough time to stop by Starbucks to pick up a coffee on the way to the office.
Others are made on the basis of the desired outcome, the odds of personal downside risk and the friction associated with an alternative course of action.
For example, the fact that 90 people die every day in the U.S. in an auto accident doesn’t stop 138 million people from getting into their cars every day and driving to and from work. Driving is better than walking or, for many, even better than an alternative mode of transportation.
The same holds true each time a person steps on an airplane. Planes do crash, and when they do, it is horrific and many people usually die. But most people who fly don’t die in crashes, and more than 100,000 flights jam-packed with people take off and land safely every day, globally. In fact, researchers say that a person would have to fly once a day for 55,000 years before encountering a fatal act. Flying is safer than driving, or even probably walking, in Manhattan.
So, people continue to drive and step on an airplane since the odds of being personally impacted by an adverse event are quite slim. And the benefits of driving and flying far outweigh the alternatives.
People also keep shopping at merchants that were once hacked.
What’s Relevant in Retail
In December of 2013, Target was breached.
Hackers got off with some 41 million customer accounts, including payment card details. That breach cost then-CEO Gregg Steinhafel his job, and became the poster child for EMV and the need to lock down payment card security to protect against counterfeit fraud at the physical point of sale. Consumers were furious, and many vowed never to shop the store again, they said.
Until they did.
Foot traffic dropped in the months immediately following the breach, but analysts couldn’t discern how much of that was related to post-holiday shopping fatigue and how much was the result of breach backlash. It was reported that some consumers whose cards were compromised said they stopped using them at Target — while still shopping there — and reverted to cash instead.
Until that friction got in the way of consumers doing what they really wanted to do: shop at Target and check out using their credit and debit cards.
Which is exactly what they did.
Consumers who liked shopping at Target and found the experience easy and convenient continued to shop there, just like always.
Just as millions of consumers have kept shopping the many more merchants that have been breached since.
Consumers, analysts say, are numb to the breach news, brushing it off as “yeah, whatever” and continuing on with their lives. So, despite the headlines, for most consumers, it’s business as usual — no big deal and no big change.
That’s because, although merchant breaches may make the news, the reality of those breaches doesn’t touch the vast majority of consumers. There’s no change in behavior is because most consumers haven’t and won’t be impacted — and when they are, they won’t incur enough of a loss to force a change in their shopping behaviors.
For that, merchants can thank the banks and the payment networks.
Banks have invested billions in systems to detect and prevent fraud using stolen credentials, and to secure their networks from the hacks that could expose them. They continue to invest further in “true AI” tech and biometrics to further strengthen digital identity verification and authentication.
Consumers know that the banks have their backs, even in the face of breaches at the places where they routinely shop.
For proof, one need look no further than the Equifax hack, when the credentials of most every adult in the U.S. were laid bare and are now available for sale on the Dark Web.
On the one-year anniversary of that breach, it was reported that only 8 percent of consumers took Equifax up on their offer to freeze their credit reports. Fewer still cancelled their credit and debit cards.
Yet 90 percent of consumers have since taken proactive steps to monitor use of their payment credentials by either checking their accounts more regularly, setting up usage alerts or changing their PIN numbers in an abundance of precaution. More than half of consumers surveyed by Nerd Wallet believe that banks are doing enough to protect their information and keep it out of the reach of hackers.
It should then come as no surprise that it is the banks and the payments networks, including PayPal, that consumers trust to deliver innovative — and secure — payments and commerce experiences, according to the latest How We Will Pay study done in collaboration with Visa. Merchants — with the exception of Amazon, whom they also trust — fall way down on that list.
Even more interesting is that in that same study, more than three quarters of consumers report that data security and privacy concerns could keep them from taking full advantage of the payments and commerce innovations made possible by the myriad of connected devices that now enable them.
Yet consumer adoption and use of those innovations continues to grow. Just like consumers would probably say they would be less likely to fly following a horrific plane crash — yet still do.
Consumers trust their decisions to use those devices to shop and pay at merchants, because banks, payment networks and payments services providers continue to invest in the integrity of the payments ecosystem, and often insure consumers against loss.
That keeps the consumer’s confidence high in using payments products at the physical and now many virtual points of sale now available to them.
That’s why the compromise of 500 million Marriott customer records, second only to the Yahoo breach in terms of size and scale, probably won’t change the behavior of the vast majority of their customers — much as we all might want a just desserts for a system failure that is said to have continued for four years before it was detected.
It will be the banks’ and the networks’ investments and diligence that will keep maintain consumers’ confidence in using their credentials to book rooms at Marriott properties and everywhere else they want to use them.
It’s their sure thing.
And therein lies the dilemma facing the payments ecosystem today.
Absent the Target breach and the decision by payment networks to shift liability to merchants that didn’t step up, it is unlikely that merchants would have proactively and aggressively made an investment in upgrading their point-of-sale systems to protect their customers from counterfeit card compromise. Yet they did, and fraud at the point of sale has dropped dramatically — some 75 percent over the course of the last three years.
Now fraudsters, undaunted, have moved online, which is where payments volume is moving, too. The tactics these cybercrooks use to outsmart merchants and the consumers who shop them have become increasingly sophisticated.
And, unfortunately, as the ongoing string of breaches shows us, most recently the Marriott breach, merchant efforts to shut down fraud continue to lag behind the advances in technology capable of detecting and stopping it.
For consumers, when it comes to shopping and buying online, their sure thing is knowing that they’re more than likely to escape harm, even if their credentials have been sold to the highest bidder on the Dark Web in an attempt to commit fraud at their expense.
For merchants, that’s great news, since consumers keep spending even if merchant systems keep getting compromised.
If past is prologue, then, perhaps the only other sure thing is the need for the entire payments ecosystem — the payments networks, payments services providers and banks — to keep the pressure on merchants to increase the safeguards on their systems and keep consumer data out of the hands of the bad guys.