U.S. PIRG Consumer Blog
September 22, 2007
Data breach stories featured in today's WSJ
Saturday's Wall Street Journal (paid subscription required) has two major stories on data breach issues. One story concerns the potential for new account fraud. "Mortgage Firm's Data Breach," by Jaime Levy Pessin, describes how:
The names, Social Security numbers and mortgage information of thousands of people have been leaked by an employee of Citigroup Inc.'s ABN Amro Mortgage Group unit onto a popular peer-to-peer file-sharing network. The leak made the information available to millions of casual music-sharers, as well as would-be identity thieves.
The other story is about debit and credit fraud.
That story, "In Data Leaks, Culprits Often Are Mom, Pop," by Robin Sidel, points out that:
Smaller shops have proven ill-prepared for the complexities of safeguarding credit-card information. Since 2005, more than 80% of the instances of unauthorized access to card data have involved small merchants, according to Visa USA Inc., the largest payment-card network. These businesses account for 85% of the seven million locations nationwide that accept plastic, according to Visa.
The first story, about Citibank, describes how an employee loaded Citibank data onto her own computer, which contained the P2P software (or loaded personal peer-to-peer software onto a Citibank computer; more likely the former). Either way, the P2P software allowed everyone on the network to access her entire hard drive, including the detailed personal dossiers. Companies cannot simply tell employees their rules; they must audit and verify that those rules are being followed. And the rules themselves must be robust. The notion that so much confidential data can be placed on a personal computer and left unencrypted and available to a P2P network suggests that Citi's rules weren't that well thought out to begin with.
Similarly, as discussed in the second story, credit card companies and networks cannot simply blame small merchants for not complying with their complex data protection and retention standards, known as PCI. The card networks and their third-party processors are in such a rush to expand their business that they probably simply put a sentence in a one-page contract that tells prospective merchant payment card accepters to go online and read hundreds of pages of rules. That means that the breaches are not entirely the small firms' fault. As the story by Robin Sidel explains:
Many small merchants aren't even aware that the rules exist. These store owners "are provided with no information and, sometimes, with erroneous information," says Anita Boomstein, a lawyer at Hughes Hubbard & Reed LLP who represents small merchants.
The story goes on to say that:
Consumers typically aren't liable for fraudulent purchases on their credit cards, but the theft of card data can still create big headaches, particularly if the information is used to create a fake identity. Industry experts recommend that cardholders scour their account statements regularly and report irregularities as soon as they are spotted.
Consumers should understand, however, that while their credit card fraud liability is low by law, their debit card liability can, under the law, be much higher, despite the bank's revocable promises of zero liability. Plus, it is your own money, stolen from your own checking account, that you're fighting with the bank to get back. Our best advice: never use debit cards, either online or in person, at big merchants or small. While many of these breaches may occur at small merchants, just one breach at a big merchant, TJX Marshalls, resulted in the loss of 45 million debit and credit card numbers. It isn't worth the risk. Fact sheet.
Posted by Ed Mierzwinski at September 22, 2007 10:30 AM