Small businesses in UK battling wave of card breaches, says Worldpay

Malware and SQL injection hacks still a major headache for sector


Nearly nine out of ten known UK credit and debit card breaches in 2014 were in small businesses, payments processor Worldpay has confirmed after analysing its customer base.

It’s the fourth year in a row that small firms have made up the bulk of breach investigations (140 across the four years), although in 2012 and 2013 the trend had been improving.

Worldpay divides breaches into the four PCI DSS merchant levels, with small businesses (level 4) defined as any business processing fewer than 20,000 transactions per year, per card scheme. Since Worldpay handles 44 percent of the UK card processing sector, the figures are a good indication of what has been going on among businesses.

In 2014, the level of breaches attributed to small businesses was 85.7 percent, with large businesses (greater than six million transactions) accounting for only a tiny percentage of breaches, the rest coming from mid-tier businesses ranging from 20,000 to one million transactions per year, per scheme. Up to last August that was equivalent to seven million credit and debit cards breached.

Examining the causes of breaches across the four years reveals a complex patchwork of problems, with malicious PHP web shells, SQL injection and malware a prominent factor in 22 percent, 20.2 percent and 14.7 percent of cases respectively. In 2014, however, malware was cited as a factor in a quarter of cases.

In 40 percent of cases, no single cause could be identified.

The most affected UK industries were clothing and footwear with 15.7 percent, pharmacy and beauty on 12.9 percent, and retail on 11.4 percent.

As for businesses being left out of pocket by card crime, Worldpay said it had seen 133,000 fraudulent transactions in March 2015 alone, equivalent to a stolen card being used every 20 seconds.

Worldpay has bundled these numbers into a report designed to reinforce the positive effect of improving PCI DSS compliance among UK business, which has been rising in all of the four PCI levels.

“Prevention is clearly better than the cure when it comes to getting hacked,” said Worldpay’s head of payment security, Tim Landsdale.

“The UK’s largest companies have made great strides to improve their payment security but small businesses are still falling behind and being targeted as a result. Businesses of all shapes and sizes should be taking the necessary measures to protect themselves and their customers and employees.”

The least affected sector, level 1 large businesses, had seen a 179 percent rise in compliance with PCI DSS in the last four years, with smaller gains among level 2, 3 and 4 businesses.

That would tend to suggest that large businesses cope better with the technical and financial demands of compliance. On these figures, Britain's small businesses remain the soft underbelly for criminals.
