The Federal Trade Commission gave nine QSA companies 45 days to respond to detailed questions about how they measure compliance with the PCI DSS. The majority of the breached companies have at least one of the following points in common: missed or incomplete PCI requirements for some part of their in-scope infrastructure. The FTC gave the QSA a deadline of 24 hours or less for critical security patches within one month of release. Even the most competent software developers fall victim to emergent business needs, fatigue or group mistakes, leading to insecure code and configurations deployed to production servers.

