Hopefully they're not retail operations with records of their customer's credit cards stored on their systems somewhere.
Most of these are *not* retail operations, no. But even the retail ops aren’t using domains and domain controllers when they’re small to medium sized.
(Which can explain where all of these exploited card numbers are coming from.)