According to Verizon’s 2009 Data Breach Investigations Report, 19 percent of organizations breached were PCI compliant. In the news, we hear all too regularly how another PCI compliant organization was breached. This raises the question, “What’s wrong with PCI?” or “How can we fix PCI?” Attributing breaches to failures in PCI is a common but misguided conclusion. Faulting PCI for every breach is like faulting auto safety devices for every auto fatality. Auto makers can’t possibly anticipate every threat and corresponding countermeasure, and neither can PCI.










