Weak Enforcement and Low Compliance in PCI DSS: A Comparative Security Study
For organizations handling payment card data, this paper identifies enforcement gaps in PCI DSS relative to other security frameworks, but the analysis is qualitative and incremental.
The study finds that PCI DSS compliance is low (32.4% in 2022) due to weak enforcement compared to HIPAA, NIS2, and GDPR, with sanctions orders of magnitude smaller, and recommends stronger non-monetary sanctions and an independent authority.
Although credit and debit card data continue to be a prime target for attackers, organizational adherence to the Payment Card Industry Data Security Standard (PCI DSS) remains surprisingly low. Despite prior work showing that PCI DSS can reduce card fraud, only 32.4% of organizations were fully compliant in 2022, suggesting possible deficiencies in enforcement mechanisms. This study employs a comparative analysis (qualitative and indicator-based) to examine how enforcement mechanisms relate to implementation success in PCI DSS in relation to HIPAA, NIS2, and GDPR. The analysis reveals that PCI DSS significantly lags far behind these security frameworks and that its sanctions are orders of magnitude smaller than those under GDPR and NIS2. The findings indicate a positive association between stronger, multi-modal enforcement (including public disclosure, license actions, and imprisonment) and higher implementation rates, and highlight the structural weakness of PCI DSS's bank-dependent monitoring model. Enhanced non-monetary sanctions and the creation of an independent supervisory authority are recommended to increase transparency, reduce conflicts of interest, and improve PCI DSS compliance without discouraging card acceptance.