New Survey shows lower PCI DSS compliance rates…

The Ponemon Institute has a new survey capturing the adoption and compliance posture as it relates to PCI DSS.  Lots of interesting figures, and a surprising (apparent) decline in broad adoption based on figures provided previously.

only 28 percent of companies with between 501 and 1,000 employees said they were in full compliance with PCI DSS, according to a study by Imperva, a data security software vendor and the Ponemon Institute, an independent research firm.  Moreover, only 70 of the country’s largest corporations (75,000-plus employees) are in full compliance of PCI DSS.”

Find the article referenced above here

Thoughts on the shift in compliance?  Challenges to the survey?


2 responses to “New Survey shows lower PCI DSS compliance rates…

  1. As a medium size business owner, I feel like I’m getting nailed at both ends. If I don’t accept credit cards, customers look at me like I am back in the stone age. If I accept credit cards, the bank and credit card processors put me through the enormous cost of PCI compliance. Because the POS software I use is not PCI compliant, I have to answer to the SAQ D, and I cannot change that without another VP’s approval.

    One way you all might help is to make the PCI DSS public to people who are not in IT security. My CEO is not going to think it is worth the time and expense until he is scared into thinking it is worthwhile. If the public were better informed, maybe they would only shop at vendors who were PCI compliant. That, too, might get the CEO & Marketing VP’s attention. Face it, security is an unfunded mandate, and until you hit the CEO in the gut with it, there will never be enough budget for people and systems.

  2. Maybe the most common reason not to implement PCIDSS is it’s complexity and non-similarity to well-known technical standards like CIS and so on, that leads to misunderstanding the whole PCIDSS.
    Recently, I participated in implementation of PCIDSS auditing scripts included into MaxPatrol ( for RHEL 4, 5, 6 beta (by the example of FC12).
    As a result of the research, some recommendations (our reading of the matter) were derived. You can find them at
    Hereafter, the whole cycle will be published.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s