Death by 1,000 breaches: SMBs, customers desperate for adequate security tools

Summary: While high-profile incidents at Target and Neiman Marcus generate the most headlines and anxiety, small businesses and their customers remain the most vulnerable to security breaches – and also the most underserved.


Only 44 percent of banks, payment processors and merchant service providers are currently offering state-of-the-art security tools and services to small businesses despite the virtual pandemic of data breaches afflicting consumers worldwide, according to a new survey from payment security and compliance solutions provider ControlScan and the Merchants Acquirers' Committee.

Among the merchant service providers (MSPs), independent sales organizations (ISOs) and acquirers that do provide additional security solutions to small businesses, basic security technologies such as tokenization and point-to-point encryption are the most commonly offered.

"The latest acquirer survey reveals great opportunities for MSPs, including the ability to offer merchants risk-reducing tools as well as justification for being more aggressive in charging non-compliance fees," Susan Matt, CEO of payments consulting firm ThoughtKey, said in the report. "MSPs who seize these opportunities will achieve greater risk reduction overall, gain revenue and ensure merchant retention."

More often than not, small and midsize businesses are merely provided access to the Payment Card Industry-required self-assessment questionnaire and some limited external vulnerability scanning tools.

In other words, it's often way too little and way too late.

Network security software provider Fortinet last month issued an equally sobering research report that found that, among 100 SMBs with fewer than 1,000 employees, 22 percent were not in compliance with PCI DSS and another 14 percent did not know whether they were compliant.

Meanwhile, millions of holiday shoppers are still receiving new debit and credit cards in the wake of organized attacks on customer data at leading retailers including Target, Neiman Marcus and Michaels Stores.

"Today’s threat environment challenges merchant service providers to take a fresh look at their PCI programs," said Heather Foster, vice president of marketing, ControlScan. "Small merchants in particular need guidance in terms of readily available technologies and services that reduce PCI scope and support a strong security posture."

But for most small and midsize businesses, their inability to effectively respond to or protect against cyberattacks is primarily the result of limited IT budgets.

The survey did find that MSPs are seeing improvement in small-merchant PCI compliance validation – respondents said their portfolio compliance rates are now above 40 percent – but that has also coincided with a 23 percent spike in breach incidents within their merchant networks.


Larry Barrett is a freelance journalist and blogger who has covered the information technology and business sectors for more than 15 years.

  • And See What MasterCard is e-commerce

    Well yes with all of this in the news...what is MasterCard doing..starting an "engagement bureau" to tell what persona you have of the 5 categories they made up and get you to suck in give them some more data to sell..

    So yeah, small businesses don't expect much help here.
  • Large Retailers Worse than SMBs

    The unfortunate truth is that many large retailers are generally worse off than SMBs when it comes to security. Recent news articles provide ample proof of the incompetence at security of many large retailers.

    There is a lack of security expertise at many of the large retailers due to off-shore outsourcing at a rock bottom price and a mindset with senior management that only the absolute minimum needs to be done to secure their data.

    When a large retailer gets breached, massive databases of detailed consumer data can be lost which, when correlated with card data, create a perfect storm of losses for consumers. Many of the large retailers frankly don't care what happens since they have deep pockets and plausible deniability given by their auditors that they did the "right things". SMBs don't have the financial resources that large retailers have to pay fines, as well as to buy off their auditors or provide enough resources to deceive their auditors into believing everything is fine. No auditor wants to lose the business of a large retailer by providing a bad report, but that same auditor has no problem kicking the small guy to the curb because SMB customers are so plentiful and the fees are so small by comparison.

    As is usual, the small retailer will be forced to pay for the sins of their large competitors and cannot afford to do so. The big and incompetent get stronger due to their malfeasance and their smaller competitors get buried under new regulatory burdens. Pity the little guy.
  • adequate vs state-of-the-art

    There's a BIG diff between adequate and SotA. I bet the percentage of banks, PPs and MSPs that offer wholly adequate security tools and services is MUCH higher than 44% (but that's less alarming, isn't it?).
    It's not so much the tools, but the people using them. Minimum wage clerks and tellers and the like probably haven't had the training or desire to follow adequate PROCEDURES to effect those features that are already paid for.
    From what I hear, it's usually something that is now casually referred to as "Social Engineering" that is responsible for much of the troubles. In a less PC (politically correct) age this was referred to as "What MORON did this?!" instead of social engineering.
  • The 'Stockholm Syndrome' of technology purchase and adoption

    This dilemma only affects those who are technically unknowledgeable, wasteful in their business expenses and with some sort of dysfunctional loyalty to purchasing and supporting Microsoft technology.

    Most of Europe, China, Russia and many countries in South and Central America have far fewer of these peculiar persons and thus can and have moved on successfully and happily to other (non-Microsoft) software bases for Desktop PC, Server, Networking, Virtualization and Cloud Computing technology needs.