Weak Enforcement and Low Compliance in PCI DSS: A Comparative Security Study
Soonwon Park, John D. Hastings

TL;DR
This study compares PCI DSS enforcement with other security frameworks, revealing weak sanctions and enforcement mechanisms that correlate with low compliance rates, and suggests reforms for better adherence.
Contribution
It provides a comparative analysis highlighting PCI DSS's enforcement deficiencies and proposes structural reforms to improve compliance and security.
Findings
PCI DSS compliance was only 32.4% in 2022.
Stronger enforcement correlates with higher compliance.
PCI DSS sanctions are orders of magnitude weaker than those under GDPR and NIS2.
Abstract
Although credit and debit card data continue to be a prime target for attackers, organizational adherence to the Payment Card Industry Data Security Standard (PCI DSS) remains surprisingly low. Despite prior work showing that PCI DSS can reduce card fraud, only 32.4% of organizations were fully compliant in 2022, suggesting possible deficiencies in enforcement mechanisms. This study employs a comparative analysis (qualitative and indicator-based) to examine how enforcement mechanisms relate to implementation success in PCI DSS as compared with HIPAA, NIS2, and GDPR. The analysis reveals that PCI DSS lags far behind these frameworks and that its sanctions are orders of magnitude smaller than those under GDPR and NIS2. The findings indicate a positive association between stronger, multi-modal enforcement (including public disclosure, license actions, and imprisonment)…
Taxonomy
Topics: Information and Cyber Security · Imbalanced Data Classification Techniques · Cybercrime and Law Enforcement Studies
