Many merchants want to believe that once they become PCI compliant they will magically become immune to any sort of breach, theft, or cyber attack against them. For numerous reasons, this is just not the case.
To begin with, validating (or achieving) PCI compliance is a snapshot in time. Too many people see this as a once-a-year event. When you sit down with the Self-Assessment Questionnaire (SAQ) and check off “yes” on all the questions because you have the proper security in place, you are only looking at your environment at that moment. Once your attention is focused on other aspects of your business, does someone else in your organization do something that violates PCI? You only fill out your SAQ once a year, but a breach can happen at any time. Are you continuously monitoring your security to make sure that you remain PCI compliant even after your SAQ is completed? Just because you were compliant when you filled out your SAQ does not mean that you remained compliant after someone made a change to your systems.
Furthermore, PCI compliance was never intended to guarantee that all credit card thefts would be eliminated. The standard was created for merchants who accept credit cards so that they would know the minimum security that all the credit card companies require of them if they wish to accept credit cards for payment. As new threats are discovered, the PCI standards change to address them, but the process is hardly real-time.
Following in that vein, some merchants find it challenging to meet the burdens of PCI as it is. Unfortunately, if they do nothing beyond the standard, the measures they are putting in place are only the minimums required for them to keep accepting credit cards. With this in mind, it is easy to see why those merchants on the other end of the spectrum who choose to ignore PCI are such easy targets. They have not even put the bare essentials of a security program into place.
As a security standard, PCI has helped countless merchants put security into place where before there was little attention paid to sensitive data. In many cases, outdated historical data (with full payment information) was stored without any business justification. Now organizations work hard to eliminate that data as part of their compliance efforts. Security is on the minds of merchants, and PCI has helped to close many of the major gaps merchants used to have that made getting at their data painfully easy. PCI is not foolproof, nor should we expect it to be. PCI is a foundation for good security, and it is sufficient to prevent most theft attempts. If you want to be absolutely protected from every criminal enterprise that might want to steal your data, then you will have to go beyond PCI, or eliminate all sensitive data from your environment completely.