Form: Cost-of-Breach Disclosure
Source: IBM 2025
Filed: 28 Apr 2026
DataBreachCost.com
Sector File 03.RT / Retail
PCI DSS / state laws / GDPR

Sector profile

Retail breaches cost $2.96M on average. Per record, $142.

IBM's 2025 retail figure of $2.96M ranks 9th of the 10 tracked sectors, and its per-record cost of $142 is below the global average. Card data has a shorter useful life for an attacker than PHI, and replacing a card is cheap. PCI DSS provides a clearer compliance framework than HIPAA. Customer churn is moderate because retail loyalty is price-driven rather than relationship-driven. Retail breach economics are distinctive in that volume is high but per-unit cost is low.

Avg total cost: $2.96M (IBM CODB 2025)
Per record: $142 (below global average)
YoY change: -3% (slight decline)
PCI scope: Level 1-4 (tiered by transaction volume)

Section RT.1

Why card-data breach cost is lower per record

The simple answer is that card data has a finite useful life to the attacker. A stolen credit card number ages out within days or weeks of detection as issuers cancel and reissue. Cardholders are statutorily protected from fraud liability beyond $50 under the Fair Credit Billing Act. The attacker has a narrow window of monetization, the issuer absorbs the fraud cost, and the cardholder experiences inconvenience rather than direct loss. None of that is true for stolen PHI, SSN, or genome data, which retain value indefinitely because they cannot be revoked.

For the retailer, the cost components that dominate are PCI DSS card-brand assessments (which run $5,000 to $100,000 per month per merchant ID for compliance failures), card reissuance reimbursement to issuers ($5 to $15 per card multiplied by the affected count), forensic investigation by a PCI Forensic Investigator (PFI, $200K to $2M typical), and customer-relationship investment to maintain visit frequency post-breach. Class-action exposure is real but typically settles at $5 to $50 per consumer for card-data-only breaches, materially lower than the $30 to $150 typical in PHI breaches.

Where retail breach cost can climb sharply is when the breach exposes data beyond card numbers. The 2013 Target breach is the canonical example. The headline 40M stolen card records were the smaller cost component. The 70M customer records (name, address, phone, email) exposed in the same intrusion drove higher cost than the cards themselves, because that data did not age out and triggered state breach-notification obligations in 47 states.

Section RT.2

PCI DSS as cost-of-doing-business

PCI DSS (Payment Card Industry Data Security Standard) is the compliance framework that applies to any organisation that stores, processes, or transmits cardholder data. The standard is owned by the PCI Security Standards Council, jointly created by Visa, Mastercard, American Express, Discover, and JCB, but enforcement flows through the card brands directly via the acquiring-bank relationship.

PCI levels are determined by annual transaction volume. Level 1 (over 6 million transactions per year, or any merchant that has suffered a breach) requires annual on-site assessment by a Qualified Security Assessor at a cost of $50K to $250K, plus quarterly external vulnerability scanning. Level 2 (1M to 6M transactions) requires annual self-assessment with QSA review. Levels 3 and 4 require annual self-assessment questionnaires only. The cost of staying compliant runs $50K to $1M annually for a mid-sized retailer, and rises sharply post-breach because the retailer is automatically promoted to Level 1.

The card-brand fines for breach are structured as compliance penalties rather than damages. Visa publishes a confidential schedule that public-record settlements indicate runs $5,000 to $50,000 per month per merchant ID for an Account Data Compromise Event, scaling with the number of compromised accounts and the merchant's historical compliance posture. Mastercard, Amex, and Discover have parallel structures. For a Level 1 retailer with multi-month exposure, monthly fines alone can run into seven figures before per-card reissuance reimbursement is added.

Section RT.3

Notable retail breaches

Target, 2013
Exposure: 40M cards + 70M customer records / POS malware / HVAC vendor credentials
Total cost: $292M

The case that turned PCI DSS from a checkbox exercise into a board-level concern. Attackers compromised Target's HVAC vendor (Fazio Mechanical), used the vendor's portal access to enter Target's corporate network, and pivoted to install POS malware on 1,797 stores during the 2013 holiday season. Target disclosed $292M in total cost across multiple SEC 10-K filings from 2013 to 2017, including a $39M card-issuer settlement, $18.5M multistate AG settlement, $10M class-action settlement, $39M to MasterCard, and over $200M in operational response. The CEO and CIO both resigned.

Primary source: Target SEC 10-K 2013-2017; multistate AG settlement 23 May 2017; Senate Commerce Committee report March 2014.

Home Depot, 2014
Exposure: 56M cards + 53M email addresses / POS malware / Vendor credentials
Total cost: $198M

Home Depot self-checkout POS terminals were targeted with custom malware between April and September 2014. Attackers entered through compromised third-party vendor credentials and pivoted through inadequately segmented self-checkout systems running Microsoft's outdated Windows Embedded POSReady. Home Depot disclosed $198M in cumulative breach cost across SEC filings, including a $19.5M consumer settlement and a $25M multistate AG settlement.

Primary source: Home Depot SEC 10-K 2014-2018; multistate AG settlement 24 November 2020.

TJX Companies, 2007
Exposure: 94M records / WEP encryption broken / Wireless network entry
Total cost: $256M

The breach that prompted PCI DSS version 1.2. TJX (parent of T.J. Maxx, Marshalls, HomeGoods) was breached through inadequately secured wireless networks at retail stores: attackers broke the stores' WEP encryption to enter the network and exfiltrated 94M records over an 18-month period. TJX settled with the FTC and pledged comprehensive security improvements; the total cost across class-action, card-brand assessments, and remediation reached $256M.

Primary source: FTC consent order 27 March 2008; TJX SEC 10-K 2007-2010.

Neiman Marcus, 2024
Exposure: 31M records / Snowflake credential compromise / No MFA
Total cost: $25M+

Part of the 2024 Snowflake credential-compromise campaign that also affected Ticketmaster, AT&T, Santander, and dozens of other organisations. Neiman Marcus disclosed the breach in mid-2024 with notification to 31M customers. The campaign demonstrated how a single credential-management failure at a cloud-data-warehouse customer can produce notification-scale costs in the tens of millions even without any breach of the cloud provider itself.

Primary source: Neiman Marcus breach notification filing California AG, 2024.


Primary source: Retail sector cost figures from IBM Cost of a Data Breach Report 2025. PCI DSS economics from PCI Security Standards Council documentation and public-record breach settlements. Notable breach data from SEC 10-K filings, multistate AG settlements, and FTC consent orders.