Making the security news rounds this week is the Verizon Payment Card Industry Compliance Report, which states that companies that aren't in compliance with PCI are 50 percent more likely to suffer a data breach than companies in compliance.
The report also stated that while companies may not be totally compliant, they are meeting the majority of requirements. In addition:
There is a correlation between data breaches and the difficulties companies face in complying with certain PCI requirements. Of the 12 requirements that comprise the PCI DSS, three of them (protect stored data, track and monitor access to network resources and cardholder data, and regularly test security systems and processes) cover areas that are most vulnerable to security breaches, according to the DBIR. However, those three requirements are also the same ones that companies struggle the most to meet for PCI compliance.
The articles I've read focus on the 50 percent stat, but I think there is a lot more happening. One, companies may have been slow to act at first, but they are doing something. Two, security issues run much deeper than simply meeting PCI compliance.
As was written in the Uncommon Sense Security blog:
[S]ome of the report was apparently written by myopic PCI cheerleaders. A lack of overall understanding of the security landscape, and the occasional straw man, may make you want to stop reading before you get far, but don't give up: there is much more good than bad, just keep your reality-distortion shields up and you will learn from the report. You can also learn from the mistakes of others, which is not as visceral as learning from your own mistakes but is much less painful.