No Organization That Has Ever Been Breached Was Fully PCI Compliant at the Time — That Sentence Should Terrify You

No organization that has ever been breached — according to years of Verizon forensics data — was fully compliant with PCI DSS at the time the breach occurred. Read that again. Not a single one. This does not mean compliance is pointless. It means that point-in-time compliance — passing an annual audit and then drifting back into non-compliant states — provides zero real protection. The standard was always designed for continuous security, not annual theater.

A payment card breach triggers a sequence that most merchants are completely unprepared for. Notification to your merchant bank or payment processor is required within 24 hours of discovery. The card brands are then notified. A PCI Forensic Investigator — at your cost — is engaged to determine how the breach occurred and whether your controls were compliant at the time. If they were not, the liability assessment from Visa or Mastercard lands with your acquiring bank, which passes it directly to you. Fines range from $5,000 to $100,000 per month until compliance is restored, and your ability to process payments can be suspended entirely.

For a small business, that sequence is not a bad week. It is a shutdown event. The only meaningful protection is not just passing the audit — it is building the security controls that the audit is supposed to measure, and maintaining them continuously.

Rosen Burke Consulting L.L.C