Keeping up with PCI hasn't improved much: Verizon

28.09.2011

The study examined, one requirement at a time, how well businesses complied with each of the 12 PCI requirements at the time of their initial report. They did best at restricting access to data on a need-to-know basis, with 75% compliance initially. A close second, at 72%, was encrypting sensitive data transmitted across public networks. Using and regularly updating antivirus software was third at 64%.

Businesses did worst at regularly testing security systems and processes, with a compliance rate of 37%. Second-worst was maintaining an information security policy at 39%, and third-worst was protecting stored data at 42%.

The study also considered compliance requirement-by-requirement in organizations assessed after a data breach. Only 19% of those suffering a data breach met the requirements for regularly testing security systems and processes and for maintaining an information security policy. Only 21% complied with protecting stored data. The requirement met least often by breached companies was tracking and monitoring access to network resources and cardholder data, at 11%.

The top four threat actions that resulted in data breaches were sending data to external sites, backdoors allowing remote access or control, exploiting guessable credentials, and exploiting backdoor or command-and-control channels.