Merchants that struggle to pay for breach-related costs might get some help from their merchant acquirers.

Some acquirers are using a portion of their Payment Card Industry data security compliance program fees to build up a fund to help breached merchants, according to Wenlock Free, vice president of business development at SecurityMetrics Inc., an Orem, Utah, payments security vendor.

Not all acquirers have this feature, but those that do use it "in the event of a data breach to help merchants who have done all they can but need a little help from their acquirers to stay in business," Free said, noting the practice has been around since 2006 but only through "select organizations."

A merchant might pay $8,000 or more for a forensic audit that determines how a breach occurred, Free said, and bigger attacks often carry higher price tags.

"I have heard some acquirers are using revenue generated by PCI-compliance fees to cover some breach costs" at their merchant clients, said David Fish, senior analyst at Mercator Advisory Group Inc.