PCI Compliance Software Has a Costly Blind Spot 

We’ve been watching the PCI compliance space closely, and honestly? Something doesn’t add up. Companies are pouring billions into compliance software, $3.81 billion by 2035, to be precise, but 86% of breaches still trace back to skills gaps, not missing tools.

After analyzing fresh data from Fortinet, ISC2, and the PCI Security Standards Council, we uncovered a troubling pattern: the more organizations spend on automation, the less they invest in the humans who actually need to understand security.

THREE SURPRISING FINDINGS

1. 92% Want Training – But Boards Won’t Fund It

A record-high 92% of organizations say they’ll pay for AI and cybersecurity certifications, up sharply from 73% the prior year. Yet we found a 14-point gap between boards that verbally prioritize security and those that actually allocate budget. The willingness exists. The follow-through doesn’t.

2. Five Breaches in a Year Isn’t Bad Luck – It’s a Pattern

According to Fortinet’s 2026 report, 29% of organizations suffered five or more skills-related attacks in a single year. That’s not a string of unfortunate incidents. That’s a broken security culture, and compliance software logs the failures but can’t fix the mindset behind them.

3. AI Won’t Save You If Nobody Knows How It Works

Fortinet found that 91% of organizations are using AI-enabled security tools, and 84% say AI makes their teams more effective. But 48% of IT decision-makers cite lack of AI expertise as their biggest implementation challenge. Teams are leaning harder on tools they don’t fully understand, and PCI auditors will notice.

KEY FINDINGS

Here’s what the data actually tells us about the state of PCI compliance and secure coding readiness:

| Finding | Statistic | Source |
|---|---|---|
| Organizations breached due to security skills gaps | 86% | Fortinet 2026 Global Cybersecurity Skills Gap Report (June 2026) |
| Organizations suffering 5+ skills-related attacks in one year | 29% | Fortinet 2026 Global Cybersecurity Skills Gap Report (June 2026) |
| Organizations reporting critical cybersecurity skills gaps (up 15% YoY) | 59% | ISC2 2025 Cybersecurity Workforce Study (December 2025) |
| Organizations that experienced consequences due to skills shortages | 88% | ISC2 2025 Cybersecurity Workforce Study (December 2025) |
| IT decision-makers citing lack of AI expertise as top challenge | 48% | Fortinet 2025 Global Skills Gap Report (2025) |
| Organizations willing to invest in AI & cybersecurity certifications | 92% | Fortinet 2026 Global Cybersecurity Skills Gap Report (June 2026) |
| Board-level prioritization vs. funding gap | 14-point delta | Fortinet 2026 Global Cybersecurity Skills Gap Report (June 2026) |
| Organizations using or experimenting with AI-enabled security | 91% | Fortinet 2026 Global Cybersecurity Skills Gap Report (June 2026) |
| Organizations saying AI makes security teams perform better | 84% | Fortinet 2026 Global Cybersecurity Skills Gap Report (June 2026) |
| Global PCI compliance software market (2026 → 2035) | $1.79B → $3.81B | Business Research Insights (April 2026) |
| PCI compliance software market CAGR (2026-2035) | 9.2% | Business Research Insights (April 2026) |
| Global application security market (2024 → 2035) | $5.64B → $12.0B | WiseGuy Reports (August 2026) |
| PCI Secure Software Standard v2.0 release date | January 15, 2026 | PCI Security Standards Council (January 2026) |

WHAT THIS MEANS FOR DEVELOPERS, CTOs, AND COMPLIANCE LEADERS

For developers, the message is straightforward: PCI DSS v4.0 and the new Secure Software Standard v2.0 make secure coding a compliance requirement, not just a best practice. Your code is now part of the audit perimeter.

For CTOs and technical leaders, the 14-point board funding gap is both a risk and an opportunity. You have the data to make the case: 86% of breaches trace to skills gaps. Training isn’t a nice-to-have. It’s a control.

For compliance and security leaders, the 48% AI expertise gap should be an immediate red flag. Your AI tools need governance, and your teams need to understand how those tools make decisions. Otherwise, you’re introducing uncontrolled variables into your compliance environment.

EXPERT QUOTE

Leon I. Hicks, security expert and contributor at Secure Coding Practices:

“We’re watching organizations spend billions on PCI compliance software, $3.81 billion by 2035, while 86% of breaches still trace directly to developer skills gaps. The new PCI Secure Software Standard v2.0 requires secure coding competence, not just tools. We’re seeing 92% of companies willing to pay for certifications, yet the real bottleneck is hands-on, developer-first training that actually changes how code gets written. That’s what we solve.”

On the board funding gap: “Boards say security is a priority but won’t write the check for training. Meanwhile, 29% of organizations suffered five or more skills-related breaches last year. The math doesn’t work. You can’t automate your way out of a skills problem.”

METHODOLOGY NOTE

Our analysis synthesizes primary research from Fortinet’s 2025 and 2026 Global Cybersecurity Skills Gap Reports, ISC2’s 2025 Cybersecurity Workforce Study (16,029 respondents globally), PCI Security Standards Council official documentation, and market size projections from Business Research Insights and WiseGuy Reports. All statistics reflect the most recent available data as of June 2026.

READ THE COMPLETE ANALYSIS

We’ve published the full research breakdown with methodology details, visual data representations, and actionable recommendations for development teams.

Read the complete analysis with full methodology on our blog → PCI Compliance Software Faces a Training Gap

Explore our secure coding bootcamp for development teams 

MEDIA CONTACT

Secure Coding Practices
info@securecodingpractices.com
+1 (518) 813-2007
188 Elk Rd Little, Albany, New York 12207