Verizon’s DBIR on PCI Effectiveness

The only other concern (besides pseudo-risk) I have with Verizon's Data Breach Investigations Report is how it presents the percentage of breaches at companies that were PCI-compliant versus those that were not. This was also a point of discussion during Metricon 3.5.

The data shows that 19% of the breaches occurred at companies that were PCI-compliant. That looks like a large number, and it may encourage folks to read it as evidence that PCI doesn't work. The report itself doesn't say this, but it is an easy inference to draw from the data.

Once again, we have a base rate problem. The 19% figure is the share of breached companies that were compliant, not the share of compliant companies that were breached, and only the latter says anything about effectiveness. The interesting comparison would be the ratio of breached to total PCI-compliant companies against the ratio of breached to total non-PCI-compliant companies. So, for example, if 19 PCI-compliant companies were breached out of, say, 2 million, that is a pretty good effectiveness ratio, and if we compared it to 81 non-PCI companies breached out of, say, 1 million, it would be an interesting point in favor of PCI. Of course, since these are hypotheticals, it is just as easy to imagine a scenario that points the opposite way: the same 19/81 split of breaches with only a small number of compliant companies in the population would make compliance look harmful.
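To make the base rate point concrete, here is an added example (not from the original post or from the DBIR) that works the arithmetic through. The population sizes and breach counts are the hypothetical ones from the paragraph above plus one constructed counter-scenario; the function names are my own.

```python
from fractions import Fraction

# Hypothetical numbers from the text: 19 breaches among PCI-compliant
# companies and 81 among non-compliant ones (the DBIR's 19%/81% split),
# with assumed population sizes of 2 million and 1 million respectively.
# The population sizes are NOT in the report; they are the post's
# illustration and are only used to show how much the answer depends on them.
SCENARIO_PRO_PCI = dict(breached_c=19, total_c=2_000_000,
                        breached_n=81, total_n=1_000_000)

# Constructed counter-scenario: same 19/81 breach split, but compliant
# companies are a small slice of the population (100k vs 2 million).
SCENARIO_ANTI_PCI = dict(breached_c=19, total_c=100_000,
                         breached_n=81, total_n=2_000_000)


def breach_rate(breached: int, total: int) -> Fraction:
    """Fraction of companies in one group that were breached (exact arithmetic)."""
    return Fraction(breached, total)


def relative_risk(breached_c: int, total_c: int,
                  breached_n: int, total_n: int) -> Fraction:
    """Breach rate of compliant companies divided by breach rate of
    non-compliant ones. Below 1 favors PCI, above 1 argues against it."""
    return breach_rate(breached_c, total_c) / breach_rate(breached_n, total_n)


def relative_risk_from_shares(breach_share_c: Fraction,
                              population_share_c: Fraction) -> Fraction:
    """Same quantity expressed with only the two shares the argument needs:
    s = share of breaches that hit compliant companies (the 19% in the DBIR),
    p = share of all companies that are compliant (the missing base rate).
    RR = (s/p) / ((1-s)/(1-p)); the breach counts and totals cancel out."""
    s, p = breach_share_c, population_share_c
    return (s / p) / ((1 - s) / (1 - p))


def breakeven_population_share(breach_share_c: Fraction) -> Fraction:
    """Compliant population share at which the observed breach share means
    RR = 1, i.e. the data is consistent with PCI having no effect at all."""
    # From relative_risk_from_shares: RR == 1 exactly when p == s.
    return breach_share_c


if __name__ == "__main__":
    s = Fraction(19, 100)
    print("pro-PCI scenario, RR =", float(relative_risk(**SCENARIO_PRO_PCI)))
    print("anti-PCI scenario, RR =", float(relative_risk(**SCENARIO_ANTI_PCI)))
    for p in (Fraction(2, 3), Fraction(19, 100), Fraction(5, 100)):
        print(f"compliant share {float(p):.2f} -> RR {float(relative_risk_from_shares(s, p)):.2f}")
    print("no-effect base rate:", breakeven_population_share(s))
```

The second function is the useful one: the raw counts cancel, so the only number the report would have to add for the 19% to mean anything is the share of the population (or of the sample frame) that was compliant. If that share happens to be 19%, the 19%/81% split is exactly what no effect at all would produce.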

In any case, without the base rate the report data neither supports nor refutes the effectiveness of PCI compliance.