I was just going down the path of looking for PCI numbers to follow up on my post about the Verizon DBIR Report and PCI Compliance, when, lo and behold, they come from the heavens (thanks, New School!). So now we know there are 362, 702, and 2,634 Level 1, 2, and 3 merchants respectively, and essentially all of them are PCI certified.
In my previous post, I wrote:
say 2 million, then that is a pretty good effectiveness ratio. And if
we compared it to 81 non-PCI companies out of, say 1 million, then it
would be an interesting point in favor of PCI. Of course, since we are
working hypotheticals here it is easy to imagine a scenario that is
exactly the opposite here.
We don't have Level 4 Merchant numbers*, which some accounts I've read suggest number in the millions, but it seems unlikely to me that Verizon would be called into shops that small (this is a bigger assumption than I like, but there it is nonetheless). At least we can create a better example with the numbers. So, 17 of the 90 companies (19%) that Verizon worked at claimed to be PCI compliant. Using the Level 1-3 numbers (3,698 merchants in total), that means 17 out of roughly 3,700 PCI-compliant companies were compromised, a compromise rate of about 0.46%, or a "success rate" of 99.54%.
We can now suggest that PCI is "working" if the success rate for non-PCI-compliant companies is lower than 99.54%. We don't really have a good way of determining a comparable population of companies in this group, but we can find the population size at which the two rates would be equal and infer from there. At a 0.46% compromise rate, the 73 remaining cases would have to come from a group of about 16,000 non-PCI-compliant companies (73 / 0.0046).
Here is where it would help to have a better sense of the number of companies at various revenue levels, but I don't have quick access to them, so you have to decide for yourself whether the comparable population is greater than 16,000, in which case the non-compliant compromise rate is lower and PCI is not working, or less than 16,000, in which case the non-compliant rate is higher and PCI may be working.
Anyone want to offer an opinion?
* There are a lot of caveats here, but this is just a thought exercise anyway.
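As an added example (my own illustration, not part of the original post or of the DBIR), here is the break-even arithmetic above written as a small script, extended with a sensitivity sweep over the unknown Level 4 count that the footnote worries about. The Level 4 figures in the sweep are assumed for illustration only, and the sweep also assumes, for the sake of argument, that any Level 4 merchants you add are PCI compliant and fall inside the population Verizon could be called into.

```python
"""Break-even population check for the PCI "success rate" thought exercise.

Added example, not code from the original post. Figures for Level 1-3 merchant
counts and the 90 DBIR cases come from the post; Level 4 counts are assumed.
"""

# Merchant counts by PCI level, as quoted in the post (Level 4 unknown).
LEVEL_1_TO_3 = {"level1": 362, "level2": 702, "level3": 2634}
COMPLIANT_POPULATION = sum(LEVEL_1_TO_3.values())  # 3,698

# Verizon DBIR cases as described in the post.
DBIR_CASES = 90
COMPLIANT_CASES = 17                                # claimed PCI compliant
NONCOMPLIANT_CASES = DBIR_CASES - COMPLIANT_CASES   # 73


def compromise_rate(cases: int, population: int) -> float:
    """Fraction of a population that shows up as a breach case."""
    if population <= 0:
        raise ValueError("population must be positive")
    if cases > population:
        raise ValueError("more cases than companies in the population")
    return cases / population


def success_rate_percent(cases: int, population: int) -> float:
    """The post's 'success rate': 100% minus the compromise rate."""
    return 100.0 * (1.0 - compromise_rate(cases, population))


def breakeven_population(noncompliant_cases: int,
                         compliant_cases: int,
                         compliant_population: int) -> float:
    """Non-compliant population at which both groups have the same compromise rate.

    Solving noncompliant_cases / N == compliant_cases / compliant_population for N.
    """
    return noncompliant_cases / compromise_rate(compliant_cases, compliant_population)


def verdict(noncompliant_population: int,
            noncompliant_cases: int = NONCOMPLIANT_CASES,
            compliant_cases: int = COMPLIANT_CASES,
            compliant_population: int = COMPLIANT_POPULATION) -> str:
    """Apply the post's rule: PCI 'may be working' only if the non-compliant
    group is compromised at a higher rate than the compliant group."""
    compliant = compromise_rate(compliant_cases, compliant_population)
    noncompliant = compromise_rate(noncompliant_cases, noncompliant_population)
    if noncompliant > compliant:
        return "PCI may be working"
    if noncompliant < compliant:
        return "PCI is not working"
    return "no difference"


def level4_sensitivity(level4_counts, compliant_cases: int = COMPLIANT_CASES,
                       noncompliant_cases: int = NONCOMPLIANT_CASES) -> dict:
    """Break-even population for each assumed Level 4 count, treating the
    added Level 4 merchants as compliant and in scope (an assumption)."""
    return {
        n: breakeven_population(noncompliant_cases, compliant_cases,
                                COMPLIANT_POPULATION + n)
        for n in level4_counts
    }


if __name__ == "__main__":
    print(f"compliant population: {COMPLIANT_POPULATION}")
    print(f"compliant success rate: "
          f"{success_rate_percent(COMPLIANT_CASES, COMPLIANT_POPULATION):.2f}%")
    print(f"break-even non-compliant population: "
          f"{breakeven_population(NONCOMPLIANT_CASES, COMPLIANT_CASES, COMPLIANT_POPULATION):,.0f}")
    for pop in (10_000, 20_000):
        print(f"non-compliant population {pop:,}: {verdict(pop)}")
    # Assumed Level 4 counts, purely to show how fast the break-even point moves.
    for n, be in level4_sensitivity((0, 100_000, 1_000_000)).items():
        print(f"with {n:,} compliant Level 4 merchants, break-even is {be:,.0f}")
```

The sensitivity sweep is the point of the exercise: with the Level 1-3 population the break-even sits near 16,000, but every assumed million of compliant Level 4 merchants pushes it past four million, which is why the footnote's caveat matters more than the two-decimal success rate.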
Because PCI is meant to protect data and not companies, the success of PCI should be measured based on the amount of data lost.