Visa Security Report: List of Common Vulnerabilities

Visa released to the public just a couple of weeks ago a report on common vulnerabilities found at U.S. small merchants. Not exactly a short list. They could have at least put it in order of the PCI DSS Requirements:

  • SQL injection
  • Misconfigured web applications
  • Lack of segmentation around the cardholder data environment
  • No firewall configuration
  • Insecure remote management access
  • Use of RDP/Terminal services on internal network
  • Packet sniffers
  • Keyloggers
  • Backdoors
  • Excessive permissions
  • Use of shared, default credentials or common passwords
  • Administrative accounts not protected
  • Databases not hardened
  • Unauthorized user ability to modify applications (troubleshoot, capture full track data, use risky protocols)
  • Reliance on 3rd party service providers for POS installation and management
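The first item on the list, SQL injection, is worth a concrete illustration. The example below is added here and is not from Visa's report; it builds a constructed in-memory SQLite table (the merchant names and keys are made up) and runs the same lookup two ways: once by splicing user input into the query text, and once with a parameterized query. The test input that follows the pattern of a classic tautology is the standard secure-coding teaching case, and the point of the example is the difference in what each version returns.

```python
import sqlite3

def build_db():
    """Create a constructed in-memory table standing in for a merchant back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO merchants (name, api_key) VALUES (?, ?)",
        [("Corner Deli", "key-deli-001"), ("Main St Pharmacy", "key-pharm-002")],
    )
    return conn

def lookup_vulnerable(conn, name):
    """Vulnerable form: untrusted input becomes part of the SQL text itself."""
    query = f"SELECT name FROM merchants WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn, name):
    """Hardened form: the input is bound as a parameter, never parsed as SQL."""
    return [
        row[0]
        for row in conn.execute("SELECT name FROM merchants WHERE name = ?", (name,))
    ]

def compare(user_input):
    """Return (vulnerable result, safe result) for one input, on a fresh table."""
    conn = build_db()
    return lookup_vulnerable(conn, user_input), lookup_safe(conn, user_input)

if __name__ == "__main__":
    # A legitimate lookup behaves identically either way.
    print(compare("Corner Deli"))
    # Input containing quote characters is interpreted as SQL only in the
    # vulnerable version, which then returns every row instead of none.
    print(compare("x' OR '1'='1"))
```

The fix is the parameter binding in `lookup_safe`; the same rule applies to every database driver, and code review for string-built queries is one of the cheapest checks on the list to perform.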

The report also details the U.S. Contact/Contactless Acceleration Plan and the 2012 “PCI validation relief for merchants that adopt dual-interface terminals”.
