Death by 1,000 breaches: SMBs, customers desperate for adequate security tools

While high-profile incidents at Target and Neiman Marcus generate the most headlines and anxiety, small businesses and their customers remain the most vulnerable to security breaches – and also the most underserved.


Only 44 percent of banks, payment processors and merchant service providers are currently offering state-of-the-art security tools and services to small businesses despite the virtual pandemic of data breaches afflicting consumers worldwide, according to a new survey from payment security and compliance solutions provider ControlScan and the Merchants Acquirers' Committee.

Among the MSPs, ISOs and acquirers that are providing additional security solutions to small businesses, basic security technologies such as tokenization and point-to-point encryption are the most common additional solutions offered.

"The latest acquirer survey reveals great opportunities for MSPs, including the ability to offer merchants risk-reducing tools as well as justification for being more aggressive in charging non-compliance fees," Susan Matt, CEO of payments consulting firm ThoughtKey, said in the report. "MSPs who seize these opportunities will achieve greater risk reduction overall, gain revenue and ensure merchant retention."

More often than not, small and midsize businesses are merely provided access to the Payment Card Industry-required self-assessment questionnaire and some limited external vulnerability scanning tools.

In other words, it's often way too little and way too late.

Network security software provider Fortinet last month issued an equally sobering research report, which found that among 100 SMBs with fewer than 1,000 employees, 22 percent were not in compliance with PCI DSS and another 14 percent didn't know whether they were compliant.

Meanwhile, millions of holiday shoppers are still receiving new debit and credit cards in the wake of organized attacks on customer data at leading retailers including Target, Neiman Marcus and Michaels Stores.

"Today’s threat environment challenges merchant service providers to take a fresh look at their PCI programs," said Heather Foster, vice president of marketing, ControlScan. "Small merchants in particular need guidance in terms of readily-available technologies and services that reduce PCI scope and support a strong security posture."

But for most small and midsize businesses, their inability to effectively respond to or protect against cyberattacks is primarily the result of limited IT budgets.

The survey did find that MSPs are seeing improvement in small-merchant PCI compliance validation – respondents said their portfolio compliance rates are now above 40 percent – but that has also coincided with a 23 percent spike in breach incidents within their merchant networks.