based on experience of SMEs
""They usually have very limited resources and technical expertise at their disposal, and often lack the necessary tools, information and education to recover and prevent them."
Based on half-a-dozen - not many, I know, but fairly typical - small to medium businesses in the UK over the last few years, IT security is not the weakest link in their payment security chain. It's never wonderful, for reasons we all know, but compared with
a) the company that entered card details into a shared spreadsheet for processing at the end of each shift, but just in case anyone forgot it, put the spreadsheet password on the notice board;
b) the company where only two people were allowed to use the card machine so everyone else wrote things on Post-it notes;
c) the company where customers were talked through giving their card details over the phone so staff could enter details into website if customers couldnt use it ..
then in some cases the IT security is wonderful in comparison.