Merchants were responsible for detecting fraud-related data breaches in only seven percent of cases, according to numbers crunched by digital forensics company Klein and Co.
Acquiring banks discovered the lion's share of data breaches, which equated to about 40 percent of the total reported incidents.
About a quarter of the breaches were noticed and reported by rival banks.
The low detection rate of merchants was due to both the sophisticated fraud detection systems in place at banks, and often shonky security practices in the breached organisations.
"Many businesses don't check their logs or traffic," director Nick Klein said. "Much of the threat is from insiders, and even big businesses will have bad security and their sensitive information will be sold elsewhere."
Many external attacks can be detected by abnormalities in traffic, but this requires an understanding of regular traffic flows.
Administrators should know where visitors came from and what areas of a web site they accessed.
"Know your customer, know your logs," Klein said. "The kinds of activity visitors are doing should be consistent with what a site does."
Logs would reveal IP addresses from locations that do not match the demographic of visitors, and this should be taken as a red flag, Klein said.
"Almost all of the attacks come from overseas. You'll get a feel for it and you'll see the patterns of activity in your logs."

Klein said attackers typically do not cover their tracks.
One flag to look for is automated script activity, a potential sign of attack, which runs faster than input entered by a user. The two are often used in concert.
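As an added illustration (not from Klein or the original article), the sketch below reviews access logs for the two signals described above: clients requesting pages faster than a person would, and clients touching areas outside what the site normally serves. The log lines, the `EXPECTED_AREAS` set and both thresholds are constructed assumptions; the geographic check is left out because it needs a GeoIP database.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in common log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +1100] "GET /products?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:01 +1100] "GET /products?id=2 HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:02 +1100] "GET /admin/login HTTP/1.1" 403 128
203.0.113.7 - - [12/Mar/2024:10:00:02 +1100] "GET /products?id=3 HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:03 +1100] "GET /backup.sql HTTP/1.1" 404 128
198.51.100.20 - - [12/Mar/2024:10:00:05 +1100] "GET / HTTP/1.1" 200 2048
198.51.100.20 - - [12/Mar/2024:10:00:40 +1100] "GET /products?id=9 HTTP/1.1" 200 512
198.51.100.20 - - [12/Mar/2024:10:02:10 +1100] "GET /cart HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+')
# Assumption: the areas a normal visitor to this hypothetical shop uses.
EXPECTED_AREAS = {"/", "/products", "/cart"}

def review(log_text, min_requests=5, max_median_gap=1.0):
    """Return {ip: findings} for clients whose activity does not fit the site."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at their content
        ip, stamp, url = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits[ip].append((ts, url.split("?")[0]))  # compare paths without query

    findings = {}
    for ip, reqs in hits.items():
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        # Scripts fire requests faster than a person clicking through pages.
        automated = len(reqs) >= min_requests and median(gaps) < max_median_gap
        unexpected = [p for _, p in reqs if p not in EXPECTED_AREAS]
        if automated or unexpected:
            findings[ip] = {"automated": automated, "unexpected_paths": unexpected}
    return findings

if __name__ == "__main__":
    for ip, result in review(SAMPLE_LOG).items():
        print(ip, result)
```

Both thresholds need tuning against a site's own baseline of regular traffic before the output means anything.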
Of external attacks that resulted in data breaches, SQL injection was responsible for 31 percent of cases. Malware was fingered in 23 percent of the breaches and stolen administrative credentials were identified in 18 percent of cases.
Broadly, the detection of breaches was more difficult in rarer attack vectors.
SQL injection was also the most popular method of exfiltrating data. The methods could not be confirmed in about a quarter of cases, and access to administrative functions was blamed for 10 percent of breaches.
"In an office, only a few people would normally have admin rights, so you should give them their own unique access IDs and lock the accounts down," Klein said.
Klein said there was "no clear pattern" to determine which businesses are the most vulnerable; however, fraudsters tended to target less high-profile businesses.