2019 Breach Level Stats


Average cost of a data breach in the U.S.


Average cost per lost or stolen record

280 days

Average time to identify and contain a data breach


Breaches with customer Personally Identifiable Information (PII)

Merchants Without PCI-validated P2PE

Merchants who store, process, or transmit cardholder data are subject to the PCI-DSS requirements. Transaction volume and payment acceptance method(s) dictate whether a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ) A-D applies. A host of controls apply in ROCs and SAQs, including firewalls, SIEM, SAQ compliance assessments, ASV vulnerability scans, penetration testing and more.

P2PE Non-Validated

Merchants With PCI-validated P2PE

When a merchant adopts a PCI-validated P2PE solution, the solution effectively devalues the data so that typical security controls are no longer needed. Only merchants using validated P2PE solutions see their scope reduced to the 33 controls within the P2PE SAQ.

PCI-Validated P2PE Bluefin