Banks: How to Stop POS Breaches

Helping Merchants with PCI Compliance, Malware Mitigation

While U.S. banks and credit unions scramble to connect the dots in the suspected payment card breach at building-supply retailer Home Depot, experts say more financial institutions are taking proactive steps to help merchants mitigate their risk of cyber-attacks.

Over the last nine months, calls for stronger card security have been fueled by retail POS breaches suffered at Target Corp., Neiman Marcus, P.F. Chang's, SuperValu and, most recently, Goodwill Industries.

By educating merchants about compliance with the Payment Card Industry Data Security Standard, and in some cases even providing network security services to their merchant customers, banking institutions are playing a more aggressive role in containing card fraud associated with point-of-sale attacks.

"Security is hard, and security experts are hard to find," says Josh Shaul, vice president of product management at forensics firm Trustwave, which last month discovered the retail POS malware known as Backoff.

"Most security experts work for banks, so banks are in better positions than retailers to focus on security," Shaul adds. "A bank could offer their own managed services to their merchants or run a managed services offer through a partner provider and then audit that firm to make sure they are using best-of-breed services."

Banking institutions that serve as merchant acquirers are increasingly realizing they benefit from stronger retail security, Shaul says.

"We see a lot of our banking clients taking on pretty increased scrutiny of security for the merchants they work with," he adds. "It goes beyond just complying with the minimum standards. Banks are pushing their merchants to do more."

In the past, breached or non-PCI-compliant merchants were simply fined by their acquiring banks and then allowed to keep processing payments. Today, more banks understand that it is more beneficial to have merchants invest the money they would historically have paid in fines in advanced security and anomaly detection instead, Shaul says.

"Banks see that those fines are not as meaningful anymore," he explains. "So rather than just having those [merchant] clients pay a fee, it would be better to dump that money into security training and security services. We are seeing that shift happen. And the real momentum behind it is that these banks are taking revenue out of their own pockets to say 'We want you to invest in security.'"

[Video: Josh Shaul of Trustwave explains banks' new focus on merchant-level PCI compliance.]

Helping merchants with PCI compliance is also a best practice recommended by Visa. Visa says acquirers should continue to review and scrutinize merchants for issues in audit scoping and for security vulnerabilities. Educating merchants about the latest POS attack vectors and mitigation strategies is something all acquirers should be doing, Visa points out on its website.

Breaches: Impact on Banks

In the wake of these breaches, leading banks have stepped in to help shore up security with their merchant customers, says Bryan Sartin, a director of the RISK team at Verizon Enterprise Solutions, which specializes in breach investigations.

"If they support a business's ability to accept payment card transactions, then they should be doing more to ensure they are validating PCI compliance and making sure that those businesses have reasonable and effective counter measures in place to ensure security," Sartin says. "Getting compliant is one thing. Staying compliant is another."