Not all data breaches make headlines, and it's the quiet ones that might be the most dangerous.
Big chains are often concerned about being the next Target or Home Depot, brands that are commonly named when discussing the long-term reputational fallout of a data breach. But a smaller reputation doesn't necessarily equate to a smaller risk.
"If there's some person in a basement targeting a merchant, they would target small businesses [that] don't have the resources in place" to defend themselves, said Darrell Anderson, president and CEO of Conformance Technologies, a compliance and risk company that addresses breach and risk for small businesses by offering a lower-cost option through acquirers and merchant service companies.
Big stores can budget for extensive security audits, whereas small stores might not buy more than "a ten thousand dollar penetration test," Anderson said. "And that's not a scan, it's just the test."
There are efforts to raise awareness of the relative costs of security versus exposure, such as the Main Street Cybersecurity Act, but these measures will take time, said Al Pascual, a senior vice president and research director at Javelin Strategy & Security.
Fraudsters cost small businesses $3.1 billion in fraud losses each year, Pascual said.
"A hack can simply put a small business out of business," said Avivah Litan, a vice president at Gartner Research. "And on their own, the cost of defending against these hacks is too high. That would also put them out of business."
The Reno-based Conformance just introduced an addition to its compliance suite, called the PreComm ToolKit. It uses cloud-based data gathering and collating to address Know Your Customer anti money laundering rules, Patriot Act and card network rules.
"There's also a reputation check. With the new factors, we found someone who had ties to white supremacist organization," Anderson said. "Most of the existing onboarding checks didn't find that."
Conformance uses the cloud, and distributes its content through resellers and corporate aggregators. That lowers operating costs, giving the company a foothold in small to medium sized businesses, where 300,000 clients globally use its technology, according to Anderson, who contends Conformance's technology is discounted up to 70% off of the industry norm. And the cloud allows quick updates as standards such as PCI change, Anderson said.
A discount service could enable acquirers to reach a particularly vulnerable business segment with fraud prevention for the merchant, and regulatory compliance for both the acquirer and the merchant.
Conformance is aiming below the noise that accompanies data breaches and compliance. Names such as Intercontinental, Neiman Marcus, Chipotle and GameStop are well known brands stained by well known breaches, and they are the ones drawing the most attention from the security technology sector.
"While the big merchant breaches get the headlines, for every one of those there are hundreds of small merchant breaches," said Julie Conroy, a research director at Aite Group, who adds these merchants are softer targets and because the buzz makes small merchants think breaches are a large merchant problem. "Small merchants actually are very attractive targets because cybercriminals can steal a few hundred cards from one merchant, another few from another and then batch the cards together and sell them together in a large dump in the underground web."