How to think about PCI

The latest completely ambiguous security breach has sparked some debate about whether PCI is useful or not. I suppose the verdict is based more on individual expectations of success (since AFAIK there were no expectations explicitly stated by the PCI council). How many people thought passing a PCI audit meant that an organization was risk-free? If you did, then PCI failed from your perspective. Of course, you might want to go into another line of work…

There are serious cognitive biases at play when everyone gets up in arms about a single incident and condemns a regulation. (Note: I don't necessarily support the regulation, but I certainly don't think that any single incident, or even handful of incidents, is enough evidence to pass judgment.)

PCI is intended to minimize risk given some set of resources. We know risk is non-zero because the attack surface is non-zero and the threat is non-zero. That means we will have incidents over time. And the more organizations that fall under these regulations, the more incidents we'll have.

One way to evaluate the success of PCI is to compare the number of incidents from PCI-certified companies to another set of similar non-PCI-certified companies. We may find out that risk is reduced in some way, or we may find out it doesn't really matter – the risk is the same.
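To make the comparison concrete, here is an added example (not part of the original post) that runs a two-proportion z-test over incident counts from two cohorts of companies. The cohort sizes and incident counts are constructed, not real breach statistics; the function names are my own. It also shows why a single incident, or a handful, tells you almost nothing: the same test over one incident in a small cohort cannot distinguish the groups.

```python
import math


def two_proportion_ztest(incidents_a, size_a, incidents_b, size_b):
    """Compare incident rates of two cohorts (e.g. PCI-certified vs not).

    Returns (rate_a, rate_b, z, two_sided_p). A pooled proportion of 0 or 1
    means both cohorts are identical on this outcome, so the test reports
    z = 0 and p = 1 (no evidence of a difference) rather than dividing by zero.
    """
    if size_a <= 0 or size_b <= 0:
        raise ValueError("cohort sizes must be positive")
    rate_a = incidents_a / size_a
    rate_b = incidents_b / size_b
    pooled = (incidents_a + incidents_b) / (size_a + size_b)
    if pooled in (0.0, 1.0):
        return rate_a, rate_b, 0.0, 1.0
    se = math.sqrt(pooled * (1 - pooled) * (1 / size_a + 1 / size_b))
    z = (rate_a - rate_b) / se
    # Two-sided p-value from the standard normal via the complementary error function.
    p_value = math.erfc(abs(z) / math.sqrt(2))
    return rate_a, rate_b, z, p_value


def evidence_of_difference(incidents_a, size_a, incidents_b, size_b, alpha=0.05):
    """True only when the observed rate difference is unlikely under equal risk."""
    _, _, _, p_value = two_proportion_ztest(incidents_a, size_a, incidents_b, size_b)
    return p_value < alpha


if __name__ == "__main__":
    # Constructed sample: 400 certified companies with 12 incidents in a year,
    # 400 similar non-certified companies with 30 incidents.
    print(two_proportion_ztest(12, 400, 30, 400))
    print("cohort study shows a difference:", evidence_of_difference(12, 400, 30, 400))

    # Constructed sample: one widely reported incident among 50 certified companies,
    # none among 50 non-certified ones. This is the "single incident" situation.
    print(two_proportion_ztest(1, 50, 0, 50))
    print("single incident shows a difference:", evidence_of_difference(1, 50, 0, 50))
```

With the constructed cohort data the certified group's lower rate is statistically distinguishable (p well under 0.05); with one incident in a cohort of 50 the p-value is around 0.3, which is the formal version of the point that a single breach cannot support a verdict on the regulation. Real evaluation would also need cohorts matched on size, sector and attack surface, which the test does not do for you.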