Industry: Retail and E-Commerce · Updated May 2026

Retail and E-Commerce Incident Cost: PCI, Peak Outages, and Card-Skimmer Math in 2026

Avg breach cost: $3.48M
Target 2013 total: $292M
Peak-day downtime multiplier: 5-15x
PCI penalty per month: $5K-$100K

Retail and e-commerce sit below the cross-industry IBM CODB 2025 average at $3.48M per breach. The headline figure understates the actual exposure because the distribution is bimodal: a long tail of small e-commerce sites with low-five-figure incidents anchors the median, while the named card-data breaches (Target, Home Depot, TJX, Marriott) have run into the hundreds of millions and pull the upper tail dramatically. The cost shape is also seasonal in a way that no other sector matches: peak-shopping windows compress 25% or more of annual GMV into roughly 60 days, which makes availability incidents during those windows disproportionately expensive.

The Bimodal Distribution Problem

Retail breach economics have two distinct cost regimes. Below roughly $100M in annual revenue, breaches mostly cost what IBM CODB describes as the small-business tier (around $1.5M-$3M including everything). Above $1B in annual revenue and especially with point-of-sale or large e-commerce exposure, breach cost can compound to $100M-$300M+ as the long tail of class-action settlements, card-brand fines, and brand impact resolves over five-to-seven years.

The bimodal distribution matters for budget planning. A small DTC e-commerce shop should plan for a $500K-$3M loss-given-breach scenario. A mid-market omnichannel retailer should plan for $5M-$25M. A large enterprise with significant card-acceptance exposure should plan for the full $100M+ tail risk. Cyber insurance underwriting in retail typically reflects this stratification, with higher per-event sublimits available at higher premiums for the upper tail.

Retailer Tier | Annual Revenue | Realistic Loss-Given-Breach | Notable Comparable
Micro DTC | <$5M | $50K-$500K | Shopify-shop card-skimmer cleanup
Small e-commerce | $5M-$100M | $500K-$3M | Newegg 2018 (Magecart)
Mid-market omnichannel | $100M-$1B | $3M-$25M | Wendy's 2016 (~$8M direct)
Large enterprise retail | $1B-$10B | $25M-$200M+ | Home Depot 2014 ($263M+)
Mega-retailer | >$10B | $100M-$500M+ | Target 2013 ($292M+)

The PCI-DSS Cost Stack After a Breach

Card-data breaches trigger a parallel non-government penalty regime: the card brands (Visa, Mastercard, Amex, Discover) impose contractual penalties on the acquirer, which are passed through to the merchant. The figures are not public because they sit inside private acquirer-merchant contracts, but published estimates and post-breach disclosures over the past decade are consistent on the components.

Cost Component | Range | Notes
PCI Forensic Investigator (PFI) | $50K-$300K | Mandatory after a Compromised Account Reporting (CAR) event; $400-$800/hr partner rates
Card brand non-compliance fines | $5K-$100K/month per acquirer | Continues until QSA confirms compliance; can run 6-18 months
Per-card reissuance pass-through | $3-$8 per card | Issuing-bank cost of producing and shipping replacement cards; passed back through assessments
ADC penalties (Account Data Compromise) | $50-$90 per record | Reported figures from Visa Operating Regulations and post-2018 acquirer settlements
Remediation Validation | $25K-$100K | Post-incident QSA assessment to clear non-compliant status
Loss of payment processing privileges | Existential risk | Rare but documented; typically reserved for repeat or willful non-compliance

Sources: PCI Security Standards Council documentation, Visa Operating Regulations excerpts in published case law, and post-breach disclosures from Target, Home Depot, and TJX.

Peak-Shopping Availability Cost

Retail availability incidents do not cost the same dollar amount on every day of the year. The seasonality of GMV concentration produces a per-minute cost surface that peaks dramatically in late November through December. The classic per-minute downtime arithmetic works only when applied to the marginal hour, not annualised averages.

For a retailer doing $1B in annual GMV with 25% of revenue concentrated in November and December, the average per-minute cost across the year is approximately $1,902 ($1B / 525,600 minutes). But the peak Black Friday hour can produce $30K-$300K per minute depending on traffic concentration. Cyber Monday afternoon peaks similarly. The marginal cost of being down on a peak day is a multiple of being down on an average Tuesday in February. outagecost.com hosts a detailed treatment of the per-minute math; the retail-specific peak premium is the structural insight.

Window | Annual GMV Share | Per-Minute Cost Multiplier vs Annual Avg
Black Friday | 3-5% | 15-25x
Cyber Monday | 2-4% | 10-18x
Christmas Eve | 1-2% | 5-10x
Singles Day (international) | 2-4% | 8-15x
Average Tuesday Q1 | <0.3% | 0.5-0.8x

Multipliers assume average per-minute cost of $1,902 for a $1B-GMV retailer. Multipliers reflect concentration of demand within shorter windows during peak days.
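The multipliers above follow from the window's share of annual GMV and its length. The following added example (not code from the page) derives the annual average, the window multiplier, and a peak-hour outage estimate from those inputs; the 4% Black Friday share, 1440-minute window, 1.7x peak-hour concentration and 30-minute outage are constructed assumptions.

```python
# Added example: per-minute outage cost for a peak shopping window.
# Inputs are annual GMV, the window's share of annual GMV, and the window length.
MINUTES_PER_YEAR = 525_600


def avg_per_minute_cost(annual_gmv: float) -> float:
    """Flat annual average: revenue spread evenly over every minute of the year."""
    return annual_gmv / MINUTES_PER_YEAR


def window_multiplier(gmv_share: float, window_minutes: int,
                      hour_concentration: float = 1.0) -> float:
    """Per-minute cost of a window relative to the annual average.

    gmv_share: fraction of annual GMV transacted in the window (0.04 for 4%).
    window_minutes: length of the window (1440 for a calendar day).
    hour_concentration: how far the window's demand piles into its busiest
    hours (1.0 = spread evenly; 1.7 = the busiest hour runs at 1.7x the
    window's average rate). This is the 'concentration' the page's note refers to.
    """
    return gmv_share * MINUTES_PER_YEAR / window_minutes * hour_concentration


def outage_cost(annual_gmv: float, gmv_share: float, window_minutes: int,
                outage_minutes: float, hour_concentration: float = 1.0) -> float:
    """Lost-GMV estimate for an outage of outage_minutes inside the window."""
    per_minute = avg_per_minute_cost(annual_gmv) * window_multiplier(
        gmv_share, window_minutes, hour_concentration)
    return per_minute * outage_minutes


if __name__ == "__main__":
    gmv = 1_000_000_000  # $1B annual GMV, as in the page's worked figure
    print(f"annual average: ${avg_per_minute_cost(gmv):,.0f}/min")
    # Black Friday carrying 4% of annual GMV, spread evenly over 24 hours
    print(f"Black Friday, even spread: {window_multiplier(0.04, 1440):.1f}x")
    # same day, but the busiest hour runs at 1.7x the day's average rate
    print(f"Black Friday, peak hour: {window_multiplier(0.04, 1440, 1.7):.1f}x")
    # a 30-minute checkout outage inside that peak hour (constructed scenario)
    print(f"30-min peak outage: ${outage_cost(gmv, 0.04, 1440, 30, 1.7):,.0f}")
```

With an even spread a 4% day already sits at 14.6x the annual average; the peak-hour concentration is what lifts it into the table's 15-25x band.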

Magecart and Client-Side Skimmer Economics

The dominant card-data threat against e-commerce since approximately 2018 has been client-side skimmers (Magecart-style), where attackers inject JavaScript into checkout pages, typically through compromised third-party SDKs or other supply-chain vectors. The cost shape differs from server-side breaches: there is usually no bulk exfiltration from a server-side database, but every transaction during the dwell window leaks card data in real time, which means the affected-card population scales linearly with dwell time.

Incident | Year | Dwell | Cards / Records | Disclosed Cost
British Airways | 2018 | ~15 days | ~430,000 | £20M ICO fine (down from £183M)
Newegg | 2018 | ~30 days | undisclosed | undisclosed
Ticketmaster (UK) | 2018 | ~3 months | ~9.4M | £1.25M ICO fine plus class settlements
Macy's | 2019 | ~7 days | undisclosed (limited) | undisclosed
Forbes | 2019 | unknown | undisclosed | undisclosed
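The linear dwell-time scaling above feeds directly into the PCI cost stack from the earlier table. The following added example (not code from the page) turns a dwell window into an exposed-card count and then into a low/high range per PCI component, which shows that the per-card components dominate once the count is large; the component ranges are the page's table figures, and the 2,000 card transactions per day, 15-day dwell and 6 months of non-compliance are constructed assumptions.

```python
# Added example: dwell time -> exposed cards -> PCI/card-brand cost stack.
# (low, high) in USD, taken from the page's PCI cost-stack table.
PCI_STACK = {
    "pfi_investigation": (50_000, 300_000),        # one-off
    "noncompliance_fine_per_month": (5_000, 100_000),  # per acquirer per month
    "reissuance_per_card": (3, 8),
    "adc_penalty_per_card": (50, 90),
    "remediation_validation": (25_000, 100_000),   # one-off
}


def cards_exposed(card_tx_per_day: int, dwell_days: int) -> int:
    """A client-side skimmer leaks every card transaction during its dwell."""
    return card_tx_per_day * dwell_days


def pci_cost_breakdown(cards: int, months_noncompliant: int, acquirers: int = 1):
    """Return ({component: (low, high)}, (total_low, total_high))."""
    s = PCI_STACK
    items = {
        "PFI investigation": s["pfi_investigation"],
        "Non-compliance fines": tuple(
            x * months_noncompliant * acquirers
            for x in s["noncompliance_fine_per_month"]),
        "Card reissuance pass-through": tuple(
            x * cards for x in s["reissuance_per_card"]),
        "ADC penalties": tuple(x * cards for x in s["adc_penalty_per_card"]),
        "Remediation validation": s["remediation_validation"],
    }
    total = (sum(v[0] for v in items.values()), sum(v[1] for v in items.values()))
    return items, total


def largest_high_component(cards: int, months_noncompliant: int) -> str:
    """Name of the component with the largest high-end estimate."""
    items, _ = pci_cost_breakdown(cards, months_noncompliant)
    return max(items, key=lambda k: items[k][1])


if __name__ == "__main__":
    # constructed scenario: 2,000 card transactions/day, 15-day dwell, 6 months to clear
    n = cards_exposed(2_000, 15)
    items, (lo, hi) = pci_cost_breakdown(n, 6)
    print(f"cards exposed: {n:,}")
    for name, (l, h) in items.items():
        print(f"  {name:<30} ${l:>12,} - ${h:>12,}")
    print(f"  {'total':<30} ${lo:>12,} - ${hi:>12,}")
```

Doubling the dwell doubles only the two per-card lines, so for all but the smallest merchants the ADC and reissuance pass-through, not the PFI engagement, set the size of the stack.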

Skimmer prevention investment is meaningfully cheaper than incident cost. Subresource integrity (SRI) on every third-party script tag, a tight Content Security Policy that restricts script sources to an allow-list of origins or hashes, and a continuous third-party JavaScript inventory program together typically cost $50K-$300K to implement and $30K-$150K annually to operate. For any retailer above mid-market, this investment pays back on the first prevented incident.
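The three controls in the paragraph above share one primitive: a hash of the script body that the browser, the CSP, and the inventory program all check. The following added example (not the page's or any vendor's code) computes an SRI token, emits the pinned script tag and matching CSP, and re-checks inventoried scripts for drift; the script body, URL and CDN origin are constructed placeholders.

```python
# Added example: SRI token, pinned script tag, CSP, and inventory drift check.
import base64
import hashlib


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """SRI token 'algo-<base64 digest>' for a script body (sha256/384/512)."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src: str, body: bytes) -> str:
    """Script tag pinned to the inventoried body; crossorigin is required for SRI on CDN hosts."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def csp_header(origins: list[str], bodies: list[bytes]) -> str:
    """script-src restricted to named origins plus hashes of the inventoried scripts.

    Hash sources match inline scripts in every CSP-capable browser; external
    scripts match a hash only when their tag carries a matching integrity
    attribute and the browser implements that CSP Level 3 rule.
    """
    tokens = ["'self'", *origins, *(f"'{sri_hash(b)}'" for b in bodies)]
    return ("Content-Security-Policy: script-src " + " ".join(tokens)
            + "; object-src 'none'; base-uri 'self'")


def check_inventory(inventory: dict[str, str], fetched: dict[str, bytes]) -> list[str]:
    """URLs whose freshly fetched body no longer matches the pinned SRI token."""
    return [url for url, pinned in inventory.items()
            if sri_hash(fetched.get(url, b"")) != pinned]


if __name__ == "__main__":
    # constructed placeholders standing in for a third-party checkout script
    url = "https://cdn.example.invalid/checkout-widget.js"
    body = b"window.checkoutWidget = function () { /* placeholder */ };"
    print(script_tag(url, body))
    print(csp_header(["https://cdn.example.invalid"], [body]))
    inventory = {url: sri_hash(body)}
    print("drift:", check_inventory(inventory, {url: body}))          # []
    print("drift:", check_inventory(inventory, {url: body + b"\n//"}))  # [url]
```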

The Long-Tail Class-Action Math

Card-data breaches in retail produce some of the longest litigation tails of any incident type. The plaintiff bar has refined the playbook over a decade of TJX, Target, Home Depot, and Equifax precedent. The typical resolution path: consumer class action settles in 3-5 years, financial institution (issuer-bank) class action in 4-6 years, state attorneys general multistate settlement in 4-7 years, and any SEC or FTC enforcement on a separate timeline.

Settlement Track | Typical Timeline | Range (mid-market) | Range (large enterprise)
Consumer class action | 3-5 years | $2M-$10M | $10M-$190M
Issuer-bank class action | 4-6 years | $1M-$10M | $10M-$135M
State AG multistate | 4-7 years | $1M-$10M | $10M-$50M
FTC consent order | 2-5 years | $500K-$5M | $5M-$700M (Equifax)
Card-brand contractual | 1-3 years | $500K-$5M | $5M-$100M

Ranges based on the named-incident benchmark set: TJX, Heartland, Target, Home Depot, Wendy's, Equifax (consumer credit, related), Marriott. Mid-market figures are interpolated where direct comparables are unavailable.

Frequently Asked Questions

What is the average cost of a retail data breach?
The IBM Cost of a Data Breach Report 2025 puts retail at $3.48M per breach on average, lower than the cross-industry mean of $4.44M. The headline understates exposure: distribution is bimodal, with small e-commerce sites well below the mean and named card-data breaches running into hundreds of millions.
What does PCI non-compliance cost after a breach?
Card brand non-compliance penalties run $5,000 to $100,000 per month per acquirer, plus per-record fines reported in the $50-$90 range. PCI Forensic Investigator (PFI) work runs $50K-$300K. Total card-brand fines plus PFI plus reissuance pass-through has historically been 5-25% of total incident cost.
What does an outage cost an e-commerce site?
Per-minute downtime cost scales linearly with revenue: annual revenue divided by 525,600 minutes. A retailer with $1B annual GMV averages $1,902 per minute. During peak shopping windows (Black Friday, Cyber Monday) per-minute cost runs 5-15x the annual average.
What is a Magecart skimmer and how much does cleanup cost?
Magecart is the umbrella term for client-side credit-card skimmers injected into checkout pages. Notable victims: British Airways (2018, eventual £20M ICO fine), Newegg (2018), Ticketmaster (2018), Macy's (2019). Cleanup runs $200K-$5M for a mid-size merchant. Prevention via SRI, CSP, and third-party JS inventory costs $50K-$300K to implement.
How much does a Black Friday outage cost?
For a top-100 US e-commerce retailer doing $5B+ annual GMV with 25% in November-December, per-minute opportunity cost on Black Friday or Cyber Monday peaks at $50K-$300K per minute. Best Buy estimated $1.6M for one hour of downtime in earlier years. The full incident cost includes opportunity revenue, abandoned-cart recovery, customer-service surge, and brand impact.
What were the most expensive named retail incidents?
Target 2013 ($292M+ cumulative). Home Depot 2014 ($263M+ cumulative). TJX 2007 (~$256M+ over the long tail). Marriott 2018 (~$200M including £18.4M ICO fine plus state AG settlements). Equifax 2017 (consumer credit, $1.4B+). These are the top-of-stack benchmarks for industry triangulation.
Are e-commerce-only retailers cheaper to breach than omnichannel?
Often yes on a per-event basis, because the attack surface is narrower (no POS estate). But customer-perception elasticity is higher: e-commerce shoppers can switch in seconds. Pure-play e-commerce breaches more often translate to permanent customer loss, whereas omnichannel customers continue visiting physical stores.
IncidentCost.com is an independent educational resource. All cost figures are drawn from published industry research including IBM's Cost of a Data Breach Report, Ponemon Institute Cost of Insider Risks Report, Verizon Data Breach Investigations Report, Atlassian incident management research, and PagerDuty incident surveys. This site is not affiliated with IBM, Ponemon Institute, Verizon, Atlassian, PagerDuty, or any security vendor. Figures are for educational and planning purposes only.