A study that evaluated more than 450 data breaches worldwide in 2012 underscores how important it is for merchants to carefully scrutinize their choices when aligning with a third-party technology provider, such as a credit card processing company. 

Security specialist Trustwave last week released its 2013 Global Security Report, which analyzes the rising number of cyber attacks against retailers and e-commerce websites. The study found that, for the first time, the retail industry was the top target for cyber criminals in 2012, with 45 percent of breaches targeting this sector.

That was an 11 percent increase from the previous year, driven in part by the climbing number of hackers looking to infiltrate e-commerce websites, rather than traditional point-of-sale systems, to retrieve valuable, sensitive cardholder data.

Merchants were prime targets because many still aren’t following basic cyber security measures, such as developing sophisticated passwords. Trustwave found that “password1” was one of the most popular passwords being used by many retailers. Fifty percent of those attacked had similar easily guessed passwords.

Another contributor to risk was merchants’ partnerships with third-party technology providers with insufficient security safeguards. A whopping 63 percent of data breaches could be attributed to a “bad outsourcing decision,” the company said. 

Among other suggestions, Trustwave advised merchants to seek credentials for each of their technology partners, particularly those in the payment industry. A credit card processing company that can be independently verified as being compliant with the standards established by the Payment Card Industry Security Standards Council (PCI SSC) is a stronger partner than one that offers no separate accreditation, said the company.

“The third-party evaluation process tends to be focused on costs and service level agreements (SLAs), without security being a real consideration,” John Yeo, an executive for Trustwave’s European division, told ComputerWeekly.com.