The 2011 Payment Card Industry Compliance Report by Verizon once again indicates widespread non-compliance with the Payment Card Industry (“PCI”) Data Security Standard. Only 21% of organizations were compliant at the time of their initial assessment, essentially the same as last year. Organizations are also failing to prioritize their compliance efforts in the manner recommended by the PCI DSS Prioritized Approach, and in fact show less progress on this measure than last year. Verizon also reports, suggesting that PCI compliance is not futile, that the top threat actions leading to data compromise are covered by multiple layers of PCI controls, and that organizations that suffer breaches are less likely to be compliant than the average organization.

As with last year’s report, Verizon does not draw any broader conclusions from the findings, which are based on reviews performed by its consultants in the course of conducting compliance assessments. Although the report traces the origins of PCI back over the years to the individual card brand security initiatives, such as Visa’s Cardholder Information Security Program, there appears to be an unquestioned acceptance that the PCI regime is a sensible way to approach payment information security. Essentially, the report faults the 79% majority of card-accepting retailers and service providers for failing to meet all DSS requirements, rather than considering the possibility that the continuing failure of such an overwhelming majority to comply suggests that the comply-at-your-own-expense PCI model is unrealistic. That the percentage of compliant organizations is flat at best in the face of increasing threats from cardholder data thieves may further indicate that PCI’s comply-or-be-fined approach is short-sighted.

Either new technology, such as chip and PIN or near-field communication, or a compliance regime based more on education and training might be vastly preferable to the adversarial, zero-sum game that seems to dominate payment card information security today.

Following is a chart from page 10 of the report comparing the findings of the 2010 Verizon report (covering the 24-month period 2008-09) and the 2011 report (covering 2010), by PCI DSS requirement (note that "IROC" stands for "Initial Report on Compliance"):