UK businesses have paid out an average of more than £878,000 per incident over the last three years due to hackers successfully accessing cardholder data, says research just published by Worldpay, the credit and debit card transaction processor. And, says the processor, of those companies whose customer card data was hacked over the last year, 61 percent were small businesses.
Worldpay also says that operators in the electrical, hardware, and automotive industries have had more card data security breaches than any other, followed by pharmaceuticals, cosmetics, and clothing retailers.
This cost, paid out to third parties who undertake forensic investigations into the fraud and make repairs, is the result of a wider problem facing businesses and consumers, says the company.
The situation is made worse by the fact that Worldpay's data shows that the number of credit and debit cards at risk from security breaches in the UK has grown by 1,518 percent over the last two years - from under 200,000 cards to more than three million at the end of 2013. At least 6.57 million cards have been put at risk over the past three years, the processor notes.
According to Worldpay's managing director Dave Hobday, card payments and online purchases are becoming the norm as we move towards a cashless society, but with this trend comes an increasing degree of risk.
"While most large companies are strengthening their safety measures, there's been only a marginal improvement amongst small businesses," he said, adding that fraudsters tend to go after low-hanging fruit.
Small businesses, he went on to say, are easy prey, so it's a real worry so many small businesses still don't see the value in security compliance.
"If we want to see genuine change, it's important we support small business owners. A data breach can be financially crippling – just the investigation alone can cost thousands of pounds, not to mention fines and loss of reputation. Knowing the risks and practicing good security will protect you and your customers in the long term – and that has to be a good thing," he explained.
Phil Turtle, chief communications officer for the Data Centre Alliance, said that the message underlying the research - that smaller businesses need to improve their card data security processes - is likely to be missed completely.
"It's not that small businesses don't see the value in compliance, they mostly wouldn't even understand these words. All of this Internet security stuff is far too complicated for small businesses - who are already over-stretched in terms of time to do their core job - let alone look after the complications of Web sites, digital marketing and the almost incomprehensible area of Internet security," he said.
"What's more, we must conclude that SMEs need the banks and payment processors to complete the security systems for them, even if that means higher processing costs, because they are never going to have the skills or the time to do it themselves," he added.
Fran Howarth, an analyst and practice leader with Bloor Research, however, said that card fraud figures are actually on a downward trend at the moment, largely thanks to the increasing take-up of EMV (smart card) payment cards across Europe and beyond.
She also questioned the £878,000 average figure from Worldpay, saying that this amount may be too low, and noting that Worldpay's split between card fraud in small and large businesses (61/39 percent) actually equates to the number of small and large businesses in the UK.
"My key takeout here is that there are now many additional options for smaller businesses to store their data securely in the cloud, which takes the security requirements out of their hands," she said.