Small merchants are the main target for criminals bent on stealing payment card information, according to a new report from Trustwave. The Internet security firm’s “Payment Card Trends and Risks for Small Merchants” report says that 90% of card-security compromises last year involved Level 4 merchants. Level 4 merchants represent the smallest of the four categories of merchants defined by payment card networks like Visa and MasterCard. Retailers in this category typically process fewer than 20,000 annual e-commerce transactions or no more than 1 million payment card transactions total.
“Taken at face value, this might surprise most readers,” the report says. “Though there are attacks that target large, well-known businesses, many attackers look for vulnerable systems. These attackers are often able to find common and easy-to-exploit vulnerabilities in the systems of Level 4 merchants because small businesses generally have devoted few resources to protecting those vulnerable assets.”
The report goes on to say that e-commerce payment systems accounted for 9% of compromises in 2010, ahead of ATMs, at 2%, but behind such areas as point-of-sale software (75%) at bricks-and-mortar stores and employee workstations (11%). Most Level 4 merchants, the report says, are card-present merchants—that is, they accept cards from customers in stores via point-of-sale systems. However, the report notes that many of those smaller businesses are adding e-commerce capabilities.
The report, which seeks to urge business owners to beef up their card-security protections, offers no specific advice for online retailers. But it does highlight several ways in which smaller merchants often fail to comply with the Payment Card Industry Data Security Standard, a set of data security rules backed by the major card brands that can be enforced by fines from acquirers. For instance, nearly 98% of small merchants fail to maintain firewalls that can protect payment data, while almost 75% do not protect stored card data. About 98% of small merchants fail to regularly test the security of their card-protection systems.
Kurt Olender, CEO of Acentris, and Aaron Mandelbaum, manager of web marketing at Big M Inc., will speak at the Internet Conference & Exhibition 2011 in a session entitled “Don't risk the farm: Making sure your e-business's privacy, security and compliance don't put you out of business.” Additionally, Scott Boding, director, order screening at CyberSource, and David Schwartz, senior director of marketing, Authorize.Net, at CyberSource, will speak in a session entitled “10 low-cost, little-noted payment fraud-fighting and cost-saving ideas.”