Empirical evidence of the past 2 years suggests that compliance focuses on meeting auditor requirements instead of assuring actual security of your systems and customer data assets.    Here’s an interesting interview with Chris Nickerson who is billed by SearchSecurity.com as “your worst nightmare. He’s the guy you never see coming, the one who can slip into your data center, install malware on any server he chooses and ease back out without so much as a shadow on your security cameras”.

Newspaper hype aside – Nick had an important insight on PCI compliance:

You might be compliant, but if your system is compromised, you’re going home without a paycheck. People err on the side of compliance versus security.