Wednesday, 27 August 2008

The "greatest cyber-heist in world history" -- how many did get away?

There has been a raging public debate about how many records were stolen at Best Western. Was it the 10 to 12 guests' records Best Western claims, or the 8 million reported by the Scottish Herald? And what should we make of the claimed potential loss figure of £2.84bn ($5.68bn), which only holds if the larger number is right?

Best Western was PCI DSS compliant, but compliant as what? Was it assessed as a single organisation handling more than 6 million card transactions a year, which puts it in the Level 1 band and requires an annual on-site assessment by a Qualified Security Assessor plus quarterly network scans? Or is it operated as a set of franchises, each hotel treated as its own PCI entity with far fewer than 6 million transactions, which drops each one into Level 2 or below, where an annual self-assessment questionnaire and the same quarterly scans suffice? The answer matters, because the scope of the assessment decides how much of the system anyone actually looked at.
The reality is that PCI DSS compliance sets a low bar for computer security. Don't get me wrong: it is far better than nothing, but threats and technology move at a frantic pace, and a prescriptive standard revised on a cycle of years cannot keep up with attackers. Compliance is a snapshot of a minimum; it says nothing about what happened the week after the assessor left.

Data security is about complete control of data, and control starts with knowing who touched which records, from where, and when. An organisation with that level of access logging in place can say precisely what was compromised; without it, the honest answer lies somewhere between 10 and 8 million, and the debate above is really a debate about whether Best Western can tell the difference.
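To make that concrete, here is an added illustration (not Best Western's code, logs or systems) of why the "10 or 8 million" question is only answerable from per-record access logs. The audit line format, account names, addresses, record ids and the 10.0.0.0/8 "inside the hotel" rule are all constructed for the example. The same abuse is shown twice: once in a log that records which rows each query returned, and once in a weaker log that records only who queried which table.

```python
"""Scoping a breach from per-record access audit logs.

Added illustration, not Best Western's systems or logs. The audit line format,
account names, addresses and record ids are all constructed for the example.
"""
import re

# Constructed audit lines: each line is one query a credential ran against the
# card-holder store and the record ids it returned. frontdesk-17 is used
# normally from the hotel LAN, then from an outside address in the small hours.
SAMPLE_LOG = """\
2008-08-20T21:05:11Z user=frontdesk-17 src=10.4.2.8 table=guest_cards ids=1001
2008-08-20T21:07:42Z user=frontdesk-17 src=10.4.2.8 table=guest_cards ids=1002
2008-08-21T03:12:09Z user=frontdesk-17 src=91.200.14.3 table=guest_cards ids=1001,1002,1003,1004,1005,1006,1007,1008
2008-08-21T03:12:31Z user=frontdesk-17 src=91.200.14.3 table=guest_cards ids=1009,1010
2008-08-21T09:00:02Z user=night-audit src=10.4.2.9 table=guest_cards ids=2001
"""

# The same activity as a weaker log would record it: who queried which table,
# but not which rows came back.
WEAK_LOG = """\
2008-08-21T03:12:09Z user=frontdesk-17 src=91.200.14.3 table=guest_cards
2008-08-21T03:12:31Z user=frontdesk-17 src=91.200.14.3 table=guest_cards
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"table=(?P<table>\S+)(?: ids=(?P<ids>\d+(?:,\d+)*))?$"
)


def parse_log(text):
    """Parse audit lines; a malformed line is an error, not something to skip quietly."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unparseable audit line: {line!r}")
        ev = m.groupdict()
        # None means the log did not record which rows were returned.
        ev["ids"] = {int(i) for i in ev["ids"].split(",")} if ev["ids"] else None
        events.append(ev)
    return events


def unusual_sources(events, user):
    """Source addresses a credential used from outside the hotel network.

    Constructed rule for the example: 10.0.0.0/8 is 'inside', anything else is not.
    """
    return sorted({ev["src"] for ev in events
                   if ev["user"] == user and not ev["src"].startswith("10.")})


def breach_scope(events, user, src):
    """Distinct records a (credential, source) pair read, and whether that count is exact.

    If any matching event lacks record ids, the figure is only a lower bound:
    the log cannot say whether that query returned 10 rows or 8 million.
    """
    records, exact = set(), True
    for ev in events:
        if ev["user"] != user or ev["src"] != src:
            continue
        if ev["ids"] is None:
            exact = False
        else:
            records |= ev["ids"]
    return {"records": sorted(records), "exact": exact}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src in unusual_sources(events, "frontdesk-17"):
        scope = breach_scope(events, "frontdesk-17", src)
        print(src, len(scope["records"]), "records,",
              "exact" if scope["exact"] else "lower bound only")
    weak = breach_scope(parse_log(WEAK_LOG), "frontdesk-17", "91.200.14.3")
    print("weak log:", len(weak["records"]), "records,",
          "exact" if weak["exact"] else "lower bound only")
```

With the full log, the outside address yields exactly 10 distinct records and the answer is defensible. With the weak log the same two queries yield a count of zero flagged as a lower bound, which is the position an organisation is in when it can only say "somewhere between a handful and everything". Row-level logging of card-holder data access is the control that separates the two outcomes, and it is not something a pass on a compliance checklist guarantees.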