The new data is in. When I presented for the PCI Security Alliance and SafeNet at RSA in 2009, I used breach data from datalossdb.org to show that PCI DSS was working and that we could prove it.
The following two reports explain this trend in much greater detail. I will handle them individually later, but for now here are a couple of highlights:
Verizon has posted the “2011 Data Breach Investigations Report”:
After four years of increasing losses culminating in 2008’s record-setting 361 million, we speculated whether 2009’s drop to 144 million was a fluke or a sign of things to come. 2010’s total of less than four million compromised records seems to suggest it was a sign.
Imperva has posted “PCI’s Impact on Security Quantified”
PCI is very effective in reducing breaches, but it seems many companies don’t believe it.