In 2010, 63% of breach investigations involved companies with fewer than 100 employees – small firms. That’s up from 27% in 2009 – a dramatic increase.
Visa, Inc. estimates that about 95% of the credit-card breaches it discovered were at the smallest (Level 4) merchants.
Wall Street Journal: Hackers Shift Attacks to Small Firms
The article closes with a comment from a small-business owner who suffered a data breach, expressing a perspective many of you may find familiar:
Mr. Angelastri still marvels that his business was attacked at all. “We thought there would be very little chance that somebody would come into a business of our size to pull off something like this,” he says.
Also worth noting is the nature of the attack described in the article. This is another case of malware being used to capture credit card data while it was in transit through the merchant’s network, over an extended period. So even if your organization has successfully used tokenization or outsourced credit card processing to eliminate the need to store cardholder data on disk, don’t fall into the trap of thinking this eliminates your risk of a data breach, or your obligation to maintain full compliance with the PCI DSS.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services