The PCI Security Standards Council has called on merchants to support its push for stronger password controls.
"Small merchants are prime targets for data thieves. It's your job to protect cardholder data at the point of sale," it warns businesses.
"If cardholder data is stolen - and it's your fault - you could incur fines, penalties, even termination of the right to accept payment cards."
To avoid this, firms must put proper password controls and systems in place, and back the plan by standing up as leaders in the Passwords for Purchases programme.
"Hacking easily guessed or weak passwords on payment systems is one of the leading methods criminals use to steal valuable credit and debit card information from small businesses today," said Bob Russo, general manager at the PCI SSC.
"Yet, the majority of these companies don't even know there's a password on these systems, let alone where to find it or how to change it.
"Payment security is a shared responsibility. We need everyone to help educate the small business, and that's the main driver behind the Passwords for Purchases initiative."
Passwords and their protection have been big news this year, and firms including eBay, Target and others have admitted to, and dealt with, problems.
The PCI SSC will be looking to spare other companies this trouble and wants to recruit 50 password ambassadors for an advice coalition that will come into being in July.
The PCI SSC urges merchants to insist that users have passwords that are seven digits long and include a mix of letters and numbers.