As with last year’s report, Verizon does not draw any broader conclusions from the findings, which are based on reviews performed by its consultants in the course of conducting compliance assessments. While the report traces the origins of PCI back over the years to the individual card brand security initiatives, such as Visa’s Cardholder Information Security Program, it appears to accept without question that the PCI regime is a sensible way to approach payment information security. Essentially, the report faults the 79% majority of card-using retailers and service providers for failing to meet all DSS requirements, rather than considering the possibility that the continuing failure of such an overwhelming majority to comply suggests that the comply-at-your-expense PCI model is unrealistic. That the percentage of compliant organizations is declining in the face of increasing threats from cardholder data thieves may further indicate that PCI’s comply-or-be-fined approach is short-sighted.
Either new technology, such as chip and PIN or near-field communication, or a compliance regime based more on education and training, might be vastly preferable to the adversarial, zero-sum game that seems to dominate payment card information security today.
Following is a chart from page 10 of the report comparing the findings of the 2010 Verizon report (covering the 24-month period 2008-09) and the 2011 report (covering 2010), by PCI DSS requirement (note that "IROC" stands for "Initial Report of Compliance"):