View original document

The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.

No. 16-1

Did the Target Data Breach Change Consumer Assessments
of Payment Card Security?
Claire Greene and Joanna Stavins
Abstract:
Previous research has found that perceptions of payment security affect consumers’ use of
payment instruments. We test whether the Target data breach in 2013 was associated with a
change in consumers’ perceptions of the security of credit cards and debit cards and with
subsequent changes in consumers’ use of payment cards. Using data from the Survey of
Consumer Payment Choice (SCPC), we find that, controlling for possible confounding effects
of demographic differences between the two groups, ratings by consumers who assessed the
security of personal information of debit cards shortly after the breach were lower than ratings
by consumers who responded before the breach was reported. On average, the rating on the
security of personal information of debit cards relative to the rating on the security of other
payment instruments was 11.3 percent lower shortly after the Target breach. Based on prior
research on the impact of security assessments on payment instrument use, we would expect a
small (economically insignificant) decline in debit card use from this lower rating. However,
we find no statistically or economically significant change in debit card use from 2013 to 2014.
For credit cards, there was no difference in the ratings given by consumers who responded to
the survey before the breach was reported and the ratings of those who responded after the
breach was reported.
Keywords: data breach, payment card security, Survey of Consumer Payment Choice, Target,
debit card, credit card
JEL Classifications: D14, D18
Claire Greene and Joanna Stavins are members of the Consumer Payments Research Center in the research
department of the Federal Reserve Bank of Boston. Claire Greene is a payments analyst. Joanna Stavins is a senior
and
economist
and
policy
advisor.
Their
e-mail
addresses
are
claire.m.greene@bos.frb.org
joanna.stavins@bos.frb.org. The authors thank Allison Cole, Kevin Foster, Huijia Wu, and David Zhang for excellent
analytical assistance. This paper, which may be revised, is available on the web site of the Federal Reserve Bank of
Boston at http://www.bostonfed.org/economic/rdr/index.htm.

Scott Schuh and Suzanne Lorant provided helpful comments. The authors are responsible for any errors.
The views expressed in this paper are those of the authors and do not necessarily represent the views of the Federal
Reserve Bank of Boston or the Federal Reserve System.
This version: August 2016

1

I.

Introduction
On December 19, 2013, Target Corporation announced that hackers may have gained

access to payment card data for 40 million credit and debit card accounts used in its stores in
the 19 days between November 27 and December 15, 2013. The breach was widely reported,
beginning on the evening of December 18. 1 The announcement of the Target breach in late 2013
provides an opportunity to test whether news about payment security breaches changes the
way consumers assess and use payment instruments.
Security of payments has long been identified as an important aspect of the consumer
payment experience and is receiving renewed attention in the wake of highly publicized
cybercrimes. On January 26, 2015, following an intensive, 18-month research effort, the Federal
Reserve released a plan entitled, “Strategies for Improving the U.S. Payment System,”
identifying security improvements as one of its top initiatives. 2 In identifying factors that could
affect the end-to-end implementation of security processes, tools, and technologies, the plan
notes that “[d]ifferent end-users may balance differently the tradeoff of security against cost
and convenience of the payment experience, resulting in inconsistent adoption of security
standards and technology.” One aspect of this tradeoff involves consumers’ perceptions of the
security of payment instruments. In almost every annual Survey of Consumer Payment Choice
to date, consumers have selected security as the most important aspect of payments, above cost,
convenience, and other attributes.
Perceptions have been found to affect payment behavior. Using an econometric model of
consumers’ adoption and use of payment instruments, Schuh and Stavins (2015b) have found
that enhanced security of payment cards is likely to increase the use of credit and debit cards,

For example, http://money.cnn.com/2013/12/18/news/companies/target-credit-card/. A Lexis/Nexis search of print
media on the term “Target” within the same paragraph as “data breach” resulted in one article on December 17, 2013,
six articles on December 18, 2013, 118 articles on December 19, 2013, 141 articles on December 20, 2013, and 41
articles on December 21, 2013.
2 https://fedpaymentsimprovement.org/
1

2

although the effect is small. 3 Similarly, if consumers’ assessment of payment card security were
to decrease dramatically, one might expect the use of credit and debit cards to decrease. Of
course, these assessments, reflecting consumers’ perceptions of security—or of other attributes
of payment instruments—can shift even without any underlying changes in the real probability
of fraud or theft. Notable external events, such as a widely publicized data breach, could shift
consumers’ perceptions. To gain insight into whether an event of this type could cause a
dramatic shift in perceptions, it is important to understand the strength of the impact of a data
breach on consumers’ assessment and use of payment instruments. Understanding consumers’
short-term response to the 2013 Target breach may be a first step toward understanding the
longer-term effects of security breaches on consumers’ perceptions of the security of various
payment instruments.
At the time the Target data breach was announced, the Consumer Payments Research
Center (CPRC) at the Federal Reserve Bank of Boston was surveying U.S. consumers about
which aspects of payment instrument security were most important to them and how they rated
those aspects for different payment instruments. This survey, conducted as a supplement to the
2013 Survey of Consumer Payment Choice (SCPC), was in the field when the breach was
announced, so some respondents answered questions about payment instrument security
before the breach was public knowledge, and other respondents answered shortly after the
breach was widely known and was receiving extensive attention in the media. This created a
natural experiment that made it possible to ask questions that may shed light on the short-term
effect of news about data breaches on consumers’ perceptions. (The supplementary survey did
not ask whether or not respondents had been directly affected by the breach or even whether
they knew about it.)
This Research Data Report addresses the following questions:

Schuh and Stavins (2010, 2013) and Koulayev et al. (2016) also find that consumers’ perceptions of the security of
payment instruments affect their payment use.

3

3

•

In the short term, did consumers who answered after the breach was announced (Group 2)
rate payment instrument security differently from consumers who answered before the
breach (Group 1)?

•

In prior responses on earlier surveys, did respondents who later constituted Group 1 rate
the security of payment instruments differently from those who later constituted Group 2?

•

Are there demographic differences between the two groups that could be correlated with
their ratings of payment instrument security?

•

In the longer run, did consumers’ ratings and use of payment instruments change between
the fall of 2013 (before the breach) and the fall of 2014?
We find evidence that, in the short run, ratings of the security of debit cards in

safeguarding personal information 4 (PI) by consumers who responded immediately after
announcement of the Target breach were significantly worse than such ratings by consumers
who responded before the breach was widely known. On average, the rating of the security of
personal information when using debit cards relative to the rating of the security of personal
information when using other payment instruments was 11.3 percent lower after the breach was
announced. However, there is no direct evidence that the decline was caused by announcement
of the breach or that the different ratings were later reflected in long-lasting differences in
payment card use. We found no statistically significant change in the adoption or shares of
payment instrument use of debit cards in the long run, from 2013 to 2014.
The remainder of this report is organized as follows: Section II describes the data used in
the analysis. Section III reports consumers’ absolute and relative ratings 5 of the security of
personal information of three payment instruments in the short run, conditional on whether the
consumers responded before or after the announcement of the Target breach. Section IV reports
absolute and relative ratings for overall security in the 2013 SCPC to examine whether there
were any differences between the two groups’ ratings even before the breach was announced,

Personal information includes name, address, telephone number, Social Security number, date and place of birth,
mother’s maiden name, etc.
5 Relative ratings are consumers’ ratings of an instrument based on one or more criteria relative to consumers’ ratings
of all the other payment instruments on the same criterion or criteria.
4

4

for example, possible unobserved differences in attitudes that could be an element of the preand post-announcement results. Section V compares the demographic characteristics of Groups
1 and 2 to examine whether or not these characteristics might be related to differences in the
ratings. Section VI uses 2013 and 2014 survey data to test whether there were any longer-term
changes in payment choice after the Target breach announcement. Section VII concludes.

II.

Data
This analysis uses data from three iterations of the Survey of Consumer Payment Choice

(SCPC), a representative sample of U.S. consumers, age 18 years and older. The SCPC is
developed by the CPRC and was administered annually from 2008 to 2014 through the RAND
Corporation’s American Life Panel (ALP) to a sample of the adult U.S. population. The survey
includes individual-level data on payment choice in the United States, including data on
adoption and use of nine common payment instruments, adoption and use of several types of
deposit and payment accounts (checking, savings, PayPal, etc.), assessment of payment
characteristics, and payment history (credit rating, revolving on credit, overdraft, foreclosure,
and bankruptcy). A detailed description of the data and survey methodology, together with a
summary of aggregate changes in U.S. payments by consumers, is available in Foster et al.
(2009, 2011), Foster, Schuh, and Zhang (2013), and Schuh and Stavins (2014, 2015a).
The first iteration of the SCPC used in this report, the 2013 SCPC, is the sixth in a series
of annual surveys fielded primarily in October of each year. In the fall of 2013, a sample of U.S.
adults answered questions about their assessment, ownership, and use of nine payment
instruments as part of the 2013 SCPC. All respondents to the 2013 SCPC completed the survey
before the announcement of the Target data breach. The 1,908 respondents to the 2013 SCPC
were asked to rate overall payment instrument security from “very risky” to “very secure” on a
scale of 1-to-5, where 1 is “very risky.”6 In general, a lower rating of a particular payment
method means that a consumer considered that payment method to be inferior with respect to
overall security. This overall security question, encompassing both “permanent financial loss”
Omitted from this report are an additional 181 SCPC respondents who answered later or did not respond to the
supplementary survey.
6

5

and “unwanted disclosure of personal information,” incorporates many concepts of security.
These concepts include the idea that a consumer does not want to lose money or have it stolen,
that a consumer needs to have protection of personal information, such as a Social Security
number, and that passwords and account information should be kept safe.
The second iteration used in this report is a supplementary survey to the SCPC that was
in the field from early November 2013 through March 2014—coincidentally, at the time of the
announcement of the Target data breach. The same 1,908 U.S. adults who had completed the
2013 SCPC were asked to report in more detail their assessments of specific aspects of payment
instrument security. Most respondents to the supplementary survey provided their security
assessments before the breach had become public knowledge (1,808 respondents). We refer to
them as Group 1. One hundred of the respondents, however, provided assessments after the
breach was public knowledge (Figure A.1). We refer to these respondents as Group 2. This
divided sample created a natural experiment for investigating whether or not the group of
consumers who responded before announcement of the breach assessed payment instrument
security differently from the group who responded after. 7
The supplementary SCPC was designed to gain insight into various aspects of security
in order to contribute to the Federal Reserve’s financial services payment system improvement
project. In the supplementary survey, the concept of security is divided into three components,
with a focus on separating financial security from privacy. The former concept involves a risk of
losing money, while the latter involves the risk of having one’s personal information obtained
by others without one’s consent. The supplementary SCPC also asked about confidentiality of
information about the transaction itself.
Figure A.1 in Appendix A matches the timeline of data collection to the news
announcement of the Target breach, using Google searches on the term “Target data breach” as

If, instead of making use of a natural experiment, one were designing an experiment along these lines, it would be
optimal to split the sample 50/50. But with this natural experiment resulting in lopsided sample sizes, the confidence
intervals for group differences are larger than they would be with a balanced sample.

7

6

a proxy for consumer awareness of the breach.8 Table A.1, also in Appendix A, summarizes the
survey questions.
The third iteration used in this report is the 2014 SCPC, in the field 10 months after the
Target breach was reported. In the fall of 2014, U.S. consumers again answered questions about
overall payment instrument security and their adoption and use of nine payment instruments.
Some consumers responded to all three iterations. Forty-nine (49) members of Group 2 and
1,339 members of Group 1 completed the 2014 SCPC. With so few Group 2 respondents
completing all three iterations, all analysis of the 2014 SCPC reported here relies on the sample
of 1,388 respondents who completed all three surveys.

III.

Do Ratings of the Before and After Groups Differ in the Short
Term?

Absolute ratings
Did Group 2, responding to the survey supplement after the breach, rate payment cards
more poorly than Group 1, responding to the supplement before the breach? We use cash as a
control against which to examine consumers’ ratings of cards, because the Target breach should
not have affected consumers’ perceived security of using cash. Almost three-quarters of each
group rated cash as secure or very secure for security of personal information (Figure 1).
Before and after the breach announcement, ratings of the security of cash were about the same.
Group 1 (responding before the breach announcement) rated credit card security for
personal information higher than Group 2 (responding after) did. Thirty-five percent of Group 1
and 24 percent of Group 2 rated personal information as secure or very secure with credit
cards. 9 Ratings of debit card security for personal information by consumers in Group 1 also
were more favorable than those by consumers in Group 2 (responding after the breach). 10
Thirty-seven (37 percent) of consumer in Group 1 said personal information was secure or very

The Google search intensity measure is an index, based on the number of searches at various points in time. “100”
indicates the maximum number of searches in a particular time period. The source is Google Trends. In this case, the
searches were for “Target data breach.”
9 Statistically significant at the 10 percent level.
10 Statistically significant at the 5 percent level.
8

7

secure with debit cards, compared with just 23 percent of consumers in Group 2. Fewer than 40
percent of consumers in Group 1 said personal information was at risk (“risky”) or very much
at risk (“very risky”) with debit cards, compared with almost 50 percent of consumers in Group
2 (Appendix B).

72

71

35

PII Group 2 (after breach
announced)
24

Cash

PII Group 1 (before breach
announced)

37

Credit cards

23

Debit cards

Source: 2013 SCPC, Federal Reserve Bank of Boston.

Figure 1: Percentage of consumers rating security of personal information “secure” or
“very secure.”

8

There was no statistically significant difference between the two groups’ ratings of other
aspects of payment instrument security, that is, security of financial wealth and the
confidentiality of the transaction. See Appendix B for the percentage of respondents reporting
positive (secure or very secure) and negative (risky or very risky) ratings for each of the three
aspects of security studied (personal information, financial wealth, confidentiality).
Relative ratings
Relative ratings of payment instruments (in the sense of ratings of a payment instrument
relative to the ratings of other payment instruments) have been shown to be important for
payment instrument adoption and use. Schuh and Stavins (2010, 2013) and Koulayev et al.
(2016) have found that consumer payment behavior is strongly correlated with relative
characteristics, that is, a consumer’s average rating of a given payment method relative to his or
her ratings of all the other payment methods. 11 Using relative ratings makes it possible to
correct for each individual’s assessment. For example, two respondents might rate debit cards
as somewhat insecure, or “2.” But that rating has a different meaning if one of those
respondents rates security of cash and credit cards as “4” and the other respondent rates the
security of cash and credit cards as “1.” The first respondent considers debit cards to be less
secure than other payment methods, while the second respondent considers debit cards to be
more secure than other payment methods. We expect that consumers’ behavior is more likely to
be correlated with such relative assessments than with the absolute assessments.
Figure 2 shows ratings of Group 1 and Group 2 of particular payment instruments
relative to these groups’ ratings of all the other payment instruments. Note that the relative
rating can be positive (if the payment method is considered superior to other payments) or
negative (if the payment method is considered inferior to other payments). A rating at the
baseline in Figure 2 means that—on average—respondents to the supplementary survey rate
the payment instrument the same as the other instruments (in each case, six of seven payment

Appendix C shows how the relative characteristic ratings were constructed. In addition to security, other
characteristics in the 2013 SCPC were acceptance, setup, convenience, cost, and record keeping.
11

9

instruments 12 were used to construct the average). Bars below the baseline indicate that
consumers rate the instrument as less secure than other payment instruments. Bars above the
baseline indicate that respondents rate the instrument more positively than other payment
instruments. For example, the first set of bars on the left in Figure 2 shows that both Group 1
and Group 2 rated cash as highly secure for safety of personal information compared with
check, debit, credit, prepaid, OBBP, and BANP. 13
0.4
0.35
0.3
0.25
0.2
PII Group 1 (before breach
announced)

0.15

PII Group 2 (after breach
announced)

0.1
0.05
0
-0.05

Cash

Credit cards

Debit cards

-0.1
-0.15
Source: 2013 SCPC, Federal Reserve Bank of Boston, and authors’ analysis.
Note: Relative ratings are the average of the natural logarithmic ratios of each payment method versus other payment
methods. The values can range from approximately -1.6 to +1.6.

Figure 2: Ratings of security of personal information, relative to rating of other
payment instruments.
The seven payment instruments are cash; check; debit, credit, and prepaid cards; online banking bill pay (OBBP);
and bank account number payment (BANP).
13 Relative ratings are the average of the natural logarithmic ratios of each payment method versus the other payment
methods. The values can range from approximately -1.6 to +1.6.
12

10

Relative to other payment instruments, Group 1 (before the breach announcement) and
Group 2 (after the breach announcement) both rated the security of personal information with
credit cards as inferior to average of the ratings for personal information security of all the other
payment instruments studied. This seems odd intuitively because one might expect that
consumers whose awareness of card hacking had been heightened by news of the breach would
rate the security of both credits and debit cards as relatively worse than other consumers would.
However, the difference between Group 1 and Group 2 in the relative ratings of credit cards’
personal information security is not statistically significant, and the explanation for the failure
of the announcement to significantly affect these ratings may well be that even before the
announcement consumers took a dim view of the security of personal information with credit
cards.
In contrast, the ratings by the pre-announcement group (Group 1) and the postannouncement group (Group 2) of the security of their personal information with debit cards
relative to the security of their personal information with other payment instruments diverged
significantly [circled bars in Figure 2]. For debit cards, consumers in Group 1 had a neutral
view. Consumers in Group 2 had a significantly more negative view of the security of personal
information with debit cards compared with consumers in Group 1. Knowledge of differences
in consumer liability may have been a factor in the differences in the credit card and debit card
ratings. It is possible that consumers with increased awareness of hacking also had increased
awareness of the consumer protections mandated for credit cards. 14

IV.

Might Differences in Ratings Be Related to Prior Differences
between the Groups?

Because this is a natural experiment, it is possible that differences between the two
groups—either demographic differences or attitudinal differences or some other difference(s)

Under the Fair Credit Billing Act (FCBA), a consumer’s liability for unauthorized use of a credit card is limited to
$50 in most instances. The Electronic Funds Transfer Act (EFTA) limits liability for fraudulent charges or transfers.
https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards. To limit their liability for debit
cards to $50, consumers must report unauthorized transactions within two business days. After two days, liability
increases to $500; after 60 days liability is unlimited.
14

11

that we cannot measure—underlie their ratings. Therefore, we cannot look only at the responses
of Group 1 and Group 2 to the supplementary security survey. In addition, we need to compare
the responses of the members of Group 1 and Group 2 to the 2013 SCPC, to see whether any
differences in assessments could be due to the fact that the two groups had already rated
payment instruments differently prior to announcement of the Target breach. Members of both
Group 1 and Group 2 took the 2013 SCPC (but not the supplementary survey in the case of
Group 2) before the Target breach was announced. We use ratings by both groups before the
announcement as a control to examine whether or not the post-breach differences are somehow
related to the prior opinions of their members. (We explore demographic differences later.)
Absolute ratings
Again, we use cash as a control to examine ratings of payment cards. In the 2013 SCPC,
respondents who later constituted Group 1 rated cash the same as respondents did who later
constituted Group 2: thirty-seven percent rated cash as secure or very secure. As noted above,
the two groups also rated cash as about the same for security of personal information in the
supplementary SCPC as in the 2013 SCPC (Figure 3). As far as cash ratings are concerned, these
two groups responded the same way.
With regard to credit cards, even before the breach was announced, Group 1 rated the
overall security of credit cards higher than Group 2 did, as Figure 3 shows: 54 percent of Group
1 rated the overall security of credit cards as secure or very secure compared with 41 percent of
Group 2. 15 In the supplementary SCPC, Group 1 rated credit card security for personal
information more secure than Group 2 did. Thirty-five percent of Group 1 and 24 percent of
Group 2 rated personal information as secure or very secure. 16 Given that differences in ratings
between the two groups were already present in the SCPC, there is no evidence that the Target
breach affected ratings of the security of personal information of credit cards.

15
16

Statistically significant at the 5 percent level.
Statistically significant at the 10 percent level.

12

72 71

Overall security Group 1
(before breach
announced, 2013 SCPC)

54
49
41
37 37

Overall security Group 2
(before breach
announced, 2013 SCPC)

43
37

35

24

23

PII Group 1 (before
breach announced,
supplement)
PII Group 2 (after breach
announced, supplement)

Cash

Credit cards

Debit cards

Source: 2013 SCPC, Federal Reserve Bank of Boston, and 2013 SCPC Supplementary Survey.

Figure 3: Percentage of consumers rating security of personal information “secure” or
“very secure” compared with prior ratings of overall security.

In the 2013 SCPC, the two groups rated overall security of debit cards about the same (Figure 3).
You can see in Figure 3 that the two groups’ 2013 SCPC ratings of debit cards differ less than
their 2013 SCPC ratings of credit cards. The difference in the debit card ratings in the 2013 SCPC
(49 percent secure or very secure by Group 1 and 43 percent by Group 2) is not statistically
significant. As noted above, in the supplementary SCPC, ratings of debit card security for
personal information by consumers in Group 2 (responding after the announcement of the
breach) were less favorable than those by consumers in Group 1. 17 Thirty-seven percent of
consumers in Group 1 said that personal information was secure or very secure with debit
17

Statistically significant at the 5 percent level.

13

cards. Just 23 percent of consumers in Group 2 said that personal information was secure or
very secure with debit cards. These differences are statistically significant.
Relative Ratings
The relative ratings shown in Figure 4 indicate that Group 2 ratings of the overall
security of credit cards were worse than the ratings of Group 1. 18 These overall ratings were
provided before the Target breach was announced. This agrees with the finding that consumers
in Group 2 were significantly less likely to rate overall security of credit cards as secure or very
secure than consumers in Group 1. Regarding the security of personal information aspect of
overall security, both Group 1 (before the breach announcement) and Group 2 (after the
announcement) rated the security of personal information with credit cards as inferior to the
alternatives. 19
Consumers in the two groups (both responding before the breach became public) rated
the relative overall security of debit cards about the same in the main 2013 SCPC. However,
there is a significant divergence between ratings of the pre-announcement group (Group 1) and
the post-announcement group (Group 2) of the security of their personal information with debit
cards relative to the security of their personal information with other payment instruments
[circled bars in Figure 4]. This finding suggests that for debit cards, the differences between the
two groups in their ratings of the security of personal information for debit cards may have
been related to the Target breach announcement.

Statistically significant at the 10 percent level. These ratings are from the 2013 SCPC, not the supplementary survey.
Note that the groups were defined later, based on when respondents replied to the supplementary survey.
19 These ratings are from the supplementary survey.
18

14

0.4

0.3

0.2
Overall security Group 1 (before
breach announced, 2013 SCPC)

0.1

Overall security Group 2 (before
breach announced, 2013 SCPC)

0

-0.1

Cash

Credit cards

Debit cards

PII Group 1 (before breach
announced, supplement)
PII Group 2 (after breach
announced, supplement)

-0.2

-0.3

-0.4
Source: 2013 SCPC, Federal Reserve Bank of Boston, authors’ analysis.
Note: Relative ratings are the average of the natural logarithmic ratios of each payment method versus other payment
methods. The values can range from approximately -1.6 to +1.6.

Figure 4: Relative ratings of security of personal information vs. prior relative ratings
of overall security.

V.

Demographic Characteristics vs. Timing: Effect on Assessments
To enable better estimates of payments assessments and behavior of the entire

population of U.S. consumers, SCPC respondents were assigned survey weights designed to
align the composition of the SCPC sample with that of the Current Population Survey, to the
extent possible. 20 This follows common practice in other social science surveys.21 The entire

http://www.census.gov/programs-surveys/cps.html
For a detailed discussion of 2013 SCPC post-stratification weighting, see Angrisani, Foster, and Hitczenko (2015,
2016 [forthcoming]).
20
21

15

SCPC sample was used for weighting, not the two subsamples discussed here (Group 1 and
Group 2). Therefore, the demographics of Group 1 and Group 2 do not match. Demographic
differences between Group 1 and Group 2 may be a factor in their different ratings. Compared
with Group 1, respondents in Group 2 are more likely to be younger than 44, nonwhite, Latino,
and employed (Table 1).
Group 1
Age 25–44 34%
Nonwhite 22%
Latino
16%
Employed 62%

Group 2
66%
32%
23%
76%

Current Population Survey
34%
21%
15%
60%

Source: 2013 SCPC, Federal Reserve Bank of Boston.
Note: The entire SCPC sample, not the two subsamples discussed here (Group 1 and Group 2), was used for
weighting. Differences between Groups 1 and 2 listed in this table are statistically significant.

Table 1: Comparison of sample, 2013 SCPC Groups 1 and 2 with Current Population
Survey.
Absolute Relative
Credit card ratings
Entire sample (Groups 1 and 2)
Age 25–44
Nonwhite
Latino
Employed
Debit card ratings
Entire sample (Groups 1 and 2)
Age 25–44
Nonwhite
Latino
Employed

2.87
2.88
2.78*
2.85
2.90

-.05
-.03**
-.05
-.08
-.04**

2.93
2.91
2.90
3.00
2.94

-.01
.02**
.01
.01
.00*

Source: 2013 SCPC, Federal Reserve Bank of Boston, authors’ analysis.
Note: Asterisks indicate that ratings of the identified group are statistically different from ratings of those outside the
group. For example, relative ratings of consumers aged 25–44 are different from relative ratings of consumers
younger than 25 or older than 44. * p < 0.10, ** p < 0.05

Table 2: Comparison of ratings of PII security, demographic subgroups versus whole
sample, 2013 SCPC.

16

In some cases, members of these subgroups that are overrepresented in Group 2 rated
security of personal information differently than respondents outside these subgroups, and the
differences are statistically significant. Looking at relative ratings, respondents aged 25 to 44
rated the security of personal information of both credit cards and debit cards more positively
than respondents aged 18 to 24 and 45 and older. People who were employed rated the security
of personal information of both credit cards and debit cards as more positive than did those
with a different employment status. For absolute ratings, nonwhites rated the personal
information security of credit cards significantly worse than whites did (Table 2).
To investigate whether these demographic differences between Group 1 and Group 2
affected the discrepancy in their security ratings, we conducted a regression analysis. For
example, we investigated whether being between the ages of 25 and 44 was associated with
rating the relative security of personal information of debit cards as inferior. If that were the
case, it might mean that the demographic composition of Group 2—and not anything to do with
the timing of Group 2’s response to the supplementary security survey—was associated with
the lower security rating. Demographic variables included in the analysis were age, gender,
race, ethnicity, education, marital status, nationality, income, employment, geographic region,
financial responsibility, household size, home ownership, and bankruptcy history (Appendix D,
part 1). 22
In fact, however, we found that even after controlling for all the demographic factors,
Group 2 members (subjects who responded after the Target breach was announced) rated the
security of debit cards significantly lower than Group 1 members did. On average, the relative
rating on the security of personal information of debit cards was 11.3 percent lower by Group 2
than the rating by Group 1 (Table 3). There was no statistically significant effect of membership
in Group 2 versus membership in Group 1 on overall ratings of debit cards (Table 3), so Group 2
did not hold a generally more negative view of overall debit card security before the breach
than Group 1 did. Being a member of Group 2 also had no statistically significant effect on the
Financial responsibility encompasses questions about responsibility for paying monthly bills, shopping, and
making decisions about savings and investments. Financial distress includes questions about filing for bankruptcy
protection in last 12 months and last seven years.
22

17

rating of the security of personal information for credit cards or on the security of financial
wealth for credit or debit cards. Although we controlled for the effects of several observed
characteristics of individual respondents, other unobserved differences of consumers in Group
2 compared with Group 1 might have influenced their perceptions and relative security ratings.
Percentage effect of Group 2 membership:
Relative rating of overall security
Relative rating of the security of personal
information
Relative rating of the security of financial wealth

Debit Cards
-2.0

Credit Cards
-7.1*

-11.3***
1.2

-4.2
1.7

Source: 2013 SCPC, Federal Reserve Bank of Boston.
Note: Coefficient estimates of the effect of being in Group 2 on relative security ratings (OLS regression). The
coefficients are shown in percentage points, indicating the average percentage difference between Group 1 and
Group 2 ratings of the corresponding payment instrument relative to other instruments. For example, the number
−11.3 means that on average Group 2 rates the security of personal information for debit cards as 11.3 percent lower
than Group 1 does (both relative to other payment methods). * p < 0.10, ** p < 0.05, *** p < 0.01 See Appendix E for full
regression results.

Table 3: Regression of Security Assessments on Being a Member of Group 2.
To test the strength of this connection between being a member of Group 2 and the
relative rating of security of personal information of debit cards, an ordered probit regression
analysis was performed to see whether being a member of Group 2 could predict the absolute
security rating (Appendix D, Part 2). Group 2 membership predicts a more negative rating for
the absolute security rating of debit card personal information, although the connection is
somewhat less statistically significant than for the relative rating. (As noted above, relative
ratings have been shown to be important to the choice of which payment instrument to use.)
For absolute ratings for the security of financial wealth, there was no statistically significant
effect of Group 2 membership on the ratings of credit or debit cards (as was found above for
relative ratings).
Some Group 2 respondents took the supplementary survey immediately after the Target
breach was announced; 30 Group 2 respondents took the survey in the two weeks between
December 19, 2013 and January 1, 2014. Others took it weeks after the announcement: 29 within
two to four weeks and 41 after more than four weeks. However, controlling for the number of

18

days elapsed between the breach announcement and the day when the respondents took the
survey did not alter our relative ratings results . 23

VI.

Long-Term Responses to Security Breaches

The SCPC is an annual survey, so the next opportunity to measure security assessments
of payment instruments and payment instrument use occurred 10 months after the Target
breach occurred. Compared with the 2013 full sample, the 2014 full sample (cited results not
shown) showed a decline in both the relative and absolute security ratings of debit cards, 24 an
increase in the absolute security ratings of cash, 25 and no statistically significant change in the
security ratings of credit cards. Also, the 2014 SCPC full sample showed no statistically
significant differences in the number of payments by cash, credit card, or debit card or in the
shares of use of these payment instruments. Debit cards remained the most popular payment
instrument among consumers in 2014, accounting for 30.8 percent of their monthly payments
(compared with 31.1 percent in 2013, a statistically insignificant difference).
Looking at respondents who completed both the 2013 SCPC and the 2014 SCPC (some of
whom did not complete the supplementary security survey in 2013), there was a statistically
significant decline in both their relative and absolute security ratings of debit cards from 2013 to
2014. 26 Absolute ratings declined from 3.14 to 3.02. For comparison, absolute ratings of credit
cards declined from 3.31 to 3.27. Relative ratings declined from 0.07 to 0.01. (For comparison,
relative ratings of credit cards declined from 0.13 to 0.11 over the same time period.) Also, for

When the number of days was included in the model, it had no significant effect on the security rating, and the
effect of being in Group 2 remained unchanged. Both direct and interaction effects were included. We also separated
Group 2 respondents who answered the survey within two weeks after the Target breach from those who answered
two to four weeks after the breach and those whose who answered later than four weeks after the breach. None of
these specifications affected the main result: a significant difference between Group 1 and Group 2 in the relative
rating of the security of personal information of debit cards. In addition, if we truncate the entire sample to those who
answered the supplementary survey within four weeks of the breach (before and after), we still found a significant
difference between Group 1 and 2.
24 Statistically significant at the 1 percent level for both absolute and relative ratings.
25 Statistically significant at the 5 percent level.
26 Statistically significant at the 1 percent level.
23

19

this panel, there was no statistically significant change in their shares of use of debit cards,
credit cards, or cash from 2013 to 2014. 27
Schuh and Stavins (2015b) modelled the effect on debit card use of consumers’
assessments of the security of personal information. Based on their estimate of the
responsiveness of debit card use to a change in the assessment of the security of personal
information, a 10 percent increase in rating would result in an increase in debit card share of
0.02 percentage points. So an 11.3 percent decline in rating would result in a decrease in debit
card share of 0.022 percentage points. A 0.022 percentage point decline in share from 2013 to
2014 would not be statistically or economically significant. Therefore, it is not surprising that we
do not observe a statistically or economically significant change in use from 2013 to 2014.
This lack of long-term behavior change aligns with work by Kosse (2013), which found
that while reports of skimming depress debit card use in the Netherlands, “the effect only lasts
for one day, with consumers reverting back to their normal payment behavior almost
immediately.” Also, Mikhed and Vogan (2015) found that, while consumers respond to their
own exposure to a breach, exposure to news about data breaches does not correlate with a
consumer response.

VII. Conclusion
As demonstrated by a regression controlling for demographic and income differences,
ratings of debit cards’ relative security of personal information by consumers responding
shortly after the Target breach were inferior to such ratings by consumers who responded
before the breach. On average, the relative rating of the security of personal information of debit
cards was 11.3 percent lower shortly after the Target breach. However, comparing 2014 debit
card use with 2013 use, we find no significant change in debit card use from 2013 to 2014.
Therefore, while the security ratings and survey completion times (pre- or post-breach) are
Narrowing this group further to only respondents who completed all three iterations of the SCPC analyzed here
(2013, supplementary security survey, and 2014), there were no statistically significant changes in the adoption of
debit cards and credit cards from 2013 to 2014 by either Group 1 or Group 2. In addition, there were no statistically
significant changes in shares of use by members of either Group 1 or Group 2. Only 49 members of Group 2
completed the 2014 SCPC; this small sample size makes statistical analysis difficult.
27

20

correlated, we find no evidence that the Target breach announcement caused any long-term
effects on changes in payment behavior.

References
Angrisani, Marco, Kevin Foster, and Marcin Hitczenko. 2015. “The 2013 Survey of Consumer
Payment Choice: Technical Appendix.” Federal Reserve Bank of Boston Research Data
Report No. 15-5.
Angrisani, Marco, Kevin Foster, and Marcin Hitczenko. forthcoming. “The 2014 Survey of
Consumer Payment Choice: Technical Appendix.” Federal Reserve Bank of Boston
Research Data Report
Foster, Kevin, Erik Meijer, Scott Schuh, and Michael A. Zabek. 2009. “The 2008 Survey of
Consumer Payment Choice.” Federal Reserve Bank of Boston Public Policy Discussion
Paper 09-10.
Foster, Kevin, Erik Meijer, Scott Schuh, and Michael A. Zabek. 2011. “The 2009 Survey of
Consumer Payment Choice.” Federal Reserve Bank of Boston Public Policy Discussion
Paper 11-1.
Foster, Kevin, Scott Schuh, and Hanbing Zhang. 2013. “The 2010 Survey of Consumer Payment
Choice.” Federal Reserve Bank of Boston Research Data Report 13-2.
Kosse, Anneke. 2013. “Do Newspaper Articles on Card Fraud Affect Debit Card Usage?” Journal
of Banking and Finance 37 (12): 5382–5391.
Koulayev, Sergei, Marc Rysman, Scott Schuh, and Joanna Stavins. 2016. “Explaining Adoption
and Use of Payment Instruments by U.S. Consumers.” RAND Journal of Economics 47 (2),
Summer: 293–325.
Mikhed, Vyacheslav, and Michael Vogan. 2015. “Out of Sight, Out of Mind: Consumer Reaction
to News on Data Breaches and Identity Theft.” Federal Reserve Bank of Philadelphia
Working Paper 15-42.
Schuh, Scott, and Joanna Stavins. 2010. “Why Are (Some) Consumers (Still) Writing Paper
Checks?” Journal of Banking and Finance 34(8): 1745–1758.
Schuh, Scott, and Joanna Stavins (2013). “How Consumers Pay: Adoption and Use of
Payments.” Accounting and Finance Research 2(2): 1–21.
Schuh, Scott, and Joanna Stavins. 2014. “The 2011 and 2012 Surveys of Consumer Payment
Choice.” Federal Reserve Bank of Boston Research Data Report 14-1.
Schuh, Scott, and Joanna Stavins. 2015a. “The 2013 Survey of Consumer Payment Choice.”
Federal Reserve Bank of Boston Research Data Report 15-4.

21

Schuh, Scott, and Stavins, Joanna. 2015b. “How Do Speed and Security Influence Consumers'
Payment Behavior?” Contemporary Economic Policy doi: 10.1111/coep.12163.

22

Appendix A. Data Collection Timeline and Security Questions

Source: Federal Reserve Bank of Boston, Google Trends.
Note: 100 equals most intense search activity on “Target data breach.” The spike in searches occurred almost
instantaneously following announcement of the breach; software limitations cause it to appear on the figure to have
begun slightly in advance of the announcement.

Figure A.1: Timeline of data collection in relation to announcement of Target data
breach.

23

2013 SCPC

Administered 9/27/2013–12/10/2013

Overall security
Suppose a payment method has been
stolen, misused, or accessed without the
owner’s permission. Please rate the
SECURITY of each method against
permanent financial loss or unwanted
disclosure of personal information.

SCPC supplementary security survey
Administered 11/6/2013–3/10/2014

Security of personally identifiable information
Suppose a payment method has been stolen, misused, or
accessed without the owner’s permission. Please rate the
security of each method against unwanted disclosure of
personal information such as name, address, telephone
number, Social Security number, date and place of birth,
mother’s maiden name, etc.
Security of financial wealth
Suppose a payment method has been stolen, misused, or
accessed without the owner’s permission. Please rate the
security of each method against permanent financial loss to
the owner of the payment method.
Security of information about of payment transactions
Suppose a payment method has been stolen, misused, or
accessed without the owner’s permission. Please rate the
security of the confidentiality of each method against
others’ finding out what products were purchased, how
much was paid, or where the products were bought.

Source: Federal Reserve Bank of Boston.
Note: Survey respondents were asked to rate each of the characteristics on an absolute scale of 1 to 5 for each payment
instrument, where 1 was the least desirable (least secure) and 5 was the most desirable (most secure).

Table A.1: Security questions in the 2013 SCPC and supplementary survey.

24

Appendix B. Detailed Security Assessments, Supplementary SCPC
Secure or very
secure
Personally identifiable information
Cash
Group 1
72.0
Group 2
71.1
Credit card
Group 1
34.9
Group 2
23.7*
Debit card
Group 1
37.1
Group 2
22.9**
Wealth
Cash
Group 1
Group 2
Credit card
Group 1
Group 2
Debit card
Group 1
Group 2
Confidentiality
Cash
Group 1
Group 2
Credit card
Group 1
Group 2
Debit card
Group 1
Group 2

Risky or very
risky

16.6
14.4
42.6
49.5*
39.7
49.0**

32.5
30.9

55.5
56.7

47.0
50.0

33.2
31.2

35.4
39.6

42.3
36.5

64.0
73.2

20.6
13.4

32.9
27.1

45.3
54.2

33.8
26.8

42.5
50.5

Source: 2013 SCPC Supplementary Survey, November 6, 2013–March 10, 2014, Federal Reserve Bank of Boston.
Note: Group 1 completed the supplementary SCPC between November 6, 2013 and December 18, 2013. Group 2
completed the supplementary SCPC between December 19, 2013, and March 10, 2014. **Difference is statistically
significant at the 5% level. *Difference is statistically significant at the 10% level.

Table B.1 Percentage of respondents choosing each rating.

25

Appendix C. Relative Characteristics Ratings
The 2013 SCPC survey asked respondents to rate each payment method according to the
following characteristics: cost, setup, security, record keeping, acceptance, and convenience.
Respondents assessed the characteristics on an absolute scale of 1 to 5 for each payment
instrument, where 1 was the least desirable and 5 the most desirable. We computed the average
of each respondent’s perceptions of each payment method relative to all the other methods.
Following Schuh and Stavins (2010), we apply the following transformation:
𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑖𝑖𝑖𝑖 (𝑗𝑗, 𝑗𝑗 ′ ) = log �

𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝑖𝑖𝑖𝑖𝑖𝑖
�
𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝑖𝑖𝑖𝑖𝑖𝑖′

where k indexes the characteristics ( k = cost, setup, security, record keeping, acceptance, and
convenience), i indexes the consumer, j represents the payment instrument in question and j ′
represents every other payment instrument besides j. We construct the average relative
characteristic for each payment characteristic k:

over all

𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑖𝑖𝑖𝑖 (𝑗𝑗) =

Ji

1
� 𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑖𝑖𝑖𝑖 (𝑗𝑗, 𝑗𝑗 ′ )
�
𝐽𝐽𝚤𝚤
𝑗𝑗′≠𝑗𝑗

payment instruments for consumer i . Another way of saying this is that for each

respondent and for each payment method separately, we average across that respondent’s
ratings of that payment method relative to each of the other payment methods. For example,
RCHAR ( j ) for k = cost and j = debit card is the average of the log ratios of debit card cost to the
ki

cost of each of the other payment instruments for consumer i. A high value of the variable
would indicate that the consumer considers debit cards to be relatively less costly than any of
the other payment methods. Note that we construct the characteristics relative to all payments,
regardless of whether the consumer has adopted them.
Although transforming the rating variables this way collapses some of the information
by definition, it creates new variables that are more informative than the numerical ratings
provided in the survey. This is so because a rating of 4 for the cost of debit cards, for example,
cannot be easily interpreted, but a high rating relative to the ratings given to the other payment

26

methods reveals whether the consumer considers debit cards to be relatively more or less costly
than other payment methods.

27

Appendix D. Specifications of Security Ratings Regressions
1. Specification of Relative Security Rating Regression
We estimate respondent i’s perception of security type k for payment j in 2013 by using
the following OLS specification:

𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑗𝑗𝑗𝑗𝑗𝑗 = 𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑘𝑘 (𝐷𝐷𝐷𝐷𝐷𝐷𝑖𝑖 , 𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑖𝑖 )

where 𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅 is the average relative security measure described in Appendix C above, j = credit

cards or debit cards, k = overall security or security of personally identifiable information. We
estimate four regressions: two regressions for credit cards and two regressions for debit cards,
one using the overall relative security (from the main SCPC 2013) and one using the relative
security of personally identifiable information (from the SCPC supplement).

𝐷𝐷𝐷𝐷𝐷𝐷𝑖𝑖 is a set of variables representing the demographic and financial attributes of respondent i,

including age, gender, race, education, marital status, nationality, income, employment,
geographic region, financial responsibility, household size, home ownership, and bankruptcy
history.

𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑖𝑖 is a dummy variable indicating whether respondent i completed the supplement
SCPC after the Target breach announcement:

1 if respondent 𝑖𝑖 completed supplement after announcement
𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑖𝑖 = �
0 otherwise

28

2. Absolute Security Rating Regression Specification
We estimate respondent i’s perception of security type k for payment j in 2013 by using
the following ordered probit specification:

𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝑗𝑗𝑗𝑗𝑗𝑗 = 𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝑘𝑘 (𝐷𝐷𝐷𝐷𝐷𝐷𝑖𝑖 , 𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑖𝑖 ),

where 𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶 is the absolute security measure, on a scale from 1 to 5, j = credit cards or debit
cards, k = overall security or security of personally identifiable information. We estimate four
regressions: two regressions for j = credit cards and two regressions for j = debit cards, one
using the overall absolute security (from the main SCPC 2013) and one using the absolute
security of personally identifiable information (from the SCPC supplement).
𝐷𝐷𝐷𝐷𝐷𝐷𝑖𝑖 is a set of variables representing the demographic and financial attributes of respondent i,

including age, gender, race, education, marital status, nationality, income, employment,
geographic region, financial responsibility, household size, home ownership, and bankruptcy
history.

𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑖𝑖 is a dummy variable indicating whether respondent i completed the supplement
SCPC after the Target breach announcement:

1 if respondent 𝑖𝑖 completed supplement after announcement
𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑖𝑖 = �
0 otherwise

29

Appendix E. OLS Regression Results
Explanatory Variables
Post Target
Age
Gender
Race
Ethnicity
Education
Marital Status
Nationality
Income

Employment

Geographic
Region

Bill Pay Financial
Responsibility
Household Shopping
Responsibility
Household Size
Home Ownership
Bankruptcy

Explanatory Variables
Post-Target
< 25
25-34
45-54
55-64
>= 65
Female
Black
Asian
Other
Latino
Less than High School
High School
Some College
Post-graduate
Never Married
Immigrant
< $25,000
$25,000-$50,000
$75,000-$100,000
> $100,000
Retired
Disabled
Unemployed
Homemaker
Other
Mid-Atlantic
East North Central
West North Central
South Atlantic
East South Central
West South Central
Mountain
Pacific
None or almost none
Some
Most
All or almost all
None or almost none
Some
Most
All or almost all
Household size
Owns home
Within last 12 months
Within last 7 years
Observations

Estimated Coefficients
-0.0203
0.0033
0.0167
-0.1075 ***
-0.0663 **
-0.0490
-0.0159
-0.0274
0.0260
0.0785 **
-0.0112
-0.0413
0.0552 *
0.0341
0.0213
-0.0452 *
-0.0526
0.0063
0.0290
0.0306
0.0497
-0.0949 ***
0.0790 *
0.0029
-0.0026
-0.0084
-0.0848
-0.0868
-0.0989
-0.0807
-0.0009
-0.0682
-0.0526
-0.0767
-0.0330
0.0339
0.0328
0.0224
-0.0622
-0.0531
-0.0050
-0.0226
0.0105
-0.0392 *
-0.1544
0.0143
1882

Table E1. Dependent variable: Relative ratings of overall security of debit card.
Source: 2013 SCPC and authors’ calculations.
Note: All respondents answered before the Target breach was announced.

30

Explanatory Variables
Post-Target
Age
Gender
Race
Ethnicity
Education
Marital Status
Nationality
Income

Employment

Geographic
Region

Bill Pay Financial
Responsibility
Household Shopping
Responsibility
Household Size
Home Ownership
Bankruptcy

Explanatory Variables
Post-Target
< 25
25-34
45-54
55-64
>= 65
Female
Black
Asian
Other
Latino
Less than High School
High School
Some College
Post-graduate
Never Married
Immigrant
< $25,000
$25,000-$50,000
$75,000-$100,000
> $100,000
Retired
Disabled
Unemployed
Homemaker
Other
Mid-Atlantic
East North Central
West North Central
South Atlantic
East South Central
West South Central
Mountain
Pacific
None or almost none
Some
Most
All or almost all
None or almost none
Some
Most
All or almost all
Household size
Owns home
Within last 12 months
Within last 7 years

Estimated Coefficients
-0.0711 *
-0.0469
0.0501
-0.0189
-0.0083
-0.0080
-0.0471 **
-0.0071
0.1343 **
-0.0110
-0.0586 *
-0.1065 *
-0.0661 **
-0.0692 ***
0.0078
0.0340
-0.0591
-0.0697 **
0.0014
0.0771 **
0.0981 ***
-0.0292
0.0464
0.0338
0.1092 **
-0.0120
-0.0627
-0.0365
0.0000
-0.0467
-0.0427
-0.0641
-0.0387
-0.0611
-0.0113
-0.0363
0.0235
0.0544 *
-0.0353
0.0407
-0.0028
-0.0268
0.0011
0.0187
-0.1030
0.0147

Observations

1883

Table E2. Dependent variable: Relative ratings of overall security of credit card.
Source: 2013 SCPC and authors’ calculations.
Note: All respondents answered before the Target breach was announced.

31

Explanatory Variables
Post-Target
Age
Gender
Race
Ethnicity
Education
Marital Status
Nationality
Income

Employment

Geographic
Region

Bill Pay Financial
Responsibility
Household Shopping
Responsibility
Household Size
Home Ownership
Bankruptcy

Explanatory Variables
Post-Target
< 25
25-34
45-54
55-64
>= 65
Female
Black
Asian
Other
Latino
Less than High School
High School
Some College
Post-graduate
Never Married
Immigrant
< $25,000
$25,000-$50,000
$75,000-$100,000
> $100,000
Retired
Disabled
Unemployed
Homemaker
Other
Mid-Atlantic
East North Central
West North Central
South Atlantic
East South Central
West South Central
Mountain
Pacific
None or almost none
Some
Most
All or almost all
None or almost none
Some
Most
All or almost all
Household size
Owns home
Within last 12 months
Within last 7 years
Observations

Estimated Coefficients
-0.1129 ***
0.0436
0.0276
-0.0312
-0.0309
-0.0478
-0.0056
0.0274
-0.0232
-0.0310
0.0052
-0.0264
0.0244
0.0311
0.0363
-0.0228
-0.0152
0.0581 **
0.0464 *
0.0555 *
0.0240
-0.0236
-0.0307
-0.0006
-0.0607
-0.0507
-0.0337
-0.0681
-0.0305
-0.0550
0.0229
-0.0294
-0.0621
-0.0337
0.0479
0.0827 **
0.0178
0.0446
-0.0183
-0.0161
-0.0178
-0.0221
-0.0012
-0.0392 *
0.0052
0.0219
1870

Table E3. Dependent variable: Relative ratings of security of personal information of
debit card.

Source: 2013 SCPC and authors’ calculations.
Note: Group 1 answered before the breach was announced; Group 2 (post-Target) answered after the breach was
announced.

32

Explanatory Variables
Post-Target
Age
Gender
Race
Ethnicity
Education
Marital Status
Nationality
Income

Employment

Geographic
Region

Bill Pay Financial
Responsibility
Household Shopping
Responsibility
Household Size
Home Ownership
Bankruptcy

Explanatory Variables
Post-Target
< 25
25-34
45-54
55-64
>= 65
Female
Black
Asian
Other
Latino
Less than High School
High School
Some College
Post-graduate
Never Married
Immigrant
< $25,000
$25,000-$50,000
$75,000-$100,000
> $100,000
Retired
Disabled
Unemployed
Homemaker
Other
Mid-Atlantic
East North Central
West North Central
South Atlantic
East South Central
West South Central
Mountain
Pacific
None or almost none
Some
Most
All or almost all
None or almost none
Some
Most
All or almost all
Household size
Owns home
Within last 12 months
Within last 7 years
Observations

Estimated Coefficients
-0.0421
-0.0282
-0.0078
-0.0457 *
-0.0242
-0.0678 *
-0.0224
-0.0061
0.0302
0.0049
-0.0347
-0.0406
0.0155
0.0142
-0.0091
0.0207
0.0460
-0.0145
0.0325
0.0586 **
0.0292
0.0032
-0.0143
-0.0153
0.0086
0.0351
0.0087
0.0050
0.0612
0.0443
0.0440
0.0035
-0.0007
0.0102
0.0062
0.0151
0.0610 *
0.0281
-0.0101
-0.0052
0.0021
-0.0175
0.0001
0.0160
-0.0780
-0.0047
1872

Table E4. Dependent variable: Relative ratings of security of personal information of
credit card.

Source: 2013 SCPC Supplementary Survey and authors’ calculations.
Note: Group 1 answered before the breach was announced; Group 2 (post-Target) answered after the breach was
announced.

33

Appendix F. Robustness Checks
Our baseline specification (Appendix D) includes several demographic variables in
order to control for any inherent differences between Group 1 and Group 2. However, very few
coefficients on the demographic variables were significant in the regressions. In order to
address concerns with overfitting due to a small number of consumers in Group 2 and a large
number of variables, we ran various robustness checks using more parsimonious specifications
to see whether our initial results still hold.
In particular, we applied the following alternative specifications by changing the set of
variables included in 𝐷𝐷𝐷𝐷𝐷𝐷𝑖𝑖 :

a) We included age as a continuous variable instead of age cohorts; we also dropped the U.S.
regions, as none of the corresponding estimated coefficients were significant in our original
specification.
b) In addition to the modifications described in the previous bullet point, we dropped
household shopping responsibility, household size, and bankruptcy variables. None of
those variables were significant in the original specification.
c) We further reduced the number of estimated parameters by dropping and/or combining
categories. Specifically, for 𝐷𝐷𝐷𝐷𝐷𝐷𝑖𝑖 we included only age, age squared, and the following

indicators: female, white, Latino, being employed, receiving post-graduate education, and
having household income greater than $100,000.
For each of the specifications described above, the estimated coefficient on the postTarget indicator remains very close to that in the original specification and remains significant
at the 1 percent level in the regression of the relative ratings of security of personal information
of debit cards. Moreover, the post-Target coefficient remains insignificant whenever the original
estimated coefficient was insignificant. In the regression of the relative ratings of overall
security of credit cards, specifications (a) and (b) led to estimated coefficients for the post-Target
indicator that are no longer significant at the 10 percent level. However, the estimated
coefficients did not change much.

34

Overall, the above robustness checks support our findings from our baseline
specification described in Appendix D.

35