"Companies that grew up in the cloud or e-commerce know that their crown jewels are the customer billing data, so from day one they protected that," said Pescatore. Companies that have shifted from being a software seller to a subscription provider, Pescatore said, don't have that in their DNA. Yet.
The PCI standards, said all three, are simply a baseline, but they're not enough. "PCI are the bare minimum," said Pingree. "Companies with large numbers of credit cards do need to go beyond where most firms go because it's always a big deal when a couple million credit cards go wild."
Even if the hit is mostly from negative publicity, said Wisniewski.
Wall Street, however, essentially yawned: While Adobe's stock price dropped 1.4% last Thursday, on Friday it rebounded, closing two cents under Thursday's opening price.
But Pescatore is not a Wall Street analyst, and had harsher words for Adobe and other companies that, while they admitted breaches, said virtually nothing of what they would do to make sure it didn't happen again.
"We will work aggressively to prevent these types of events from occurring in the future," said Adobe in a Thursday blog post.
"I think we're beyond the point where these disclosures are valuable," said Pescatore. "Companies need to tell us why the breach happened and why it's not going to happen again. When a hamburger joint says rat meat was found in a customer's burger, it's not enough to just tell all the customers, 'Hey, we found rat meat.' What you want to hear is why it won't be in your burger if you go there again.
"[The Adobe hack] is like thieves breaking into a rat-burger company and stealing the personal information of everyone who bought the rat-burgers," Pescatore concluded.
Unappetizing. But then, so is the prospect of poring over credit card statements and changing who knows how many account credentials.