Today, Verizon released its Verizon 2010 Payment Card Industry Compliance Report, which I had the pleasure of working on. One of the most interesting findings, in my opinion, is the PCI 80/20 Rule. The broad results of the report show that approximately 80% of companies fail their initial PCI assessment. In addition, the average score is right around 80%: the typical organization meets about 80% of the controls and misses the other 20%, and it is that missing 20% that causes it to fail, since PCI compliance requires every control to be in place.
So, the PCI 80/20 Rule:
80% of companies that are required to be PCI compliant miss 20% of the controls.
The implication of this finding is significant because it further defines the marginal cost of compliance. If companies on average start out already meeting 80% of the controls, then the last 20% of controls bears most of the real cost associated with the assessment, because the first 80% was already being done beforehand.
Go get the report and let me know what you think!
Hey Pete,
As you know, we talked a decent amount about this during the analysis. I find the 80/20 split very interesting. The 80/20 rule has shown up not only in the annual PCI assessments, as you discuss, but it's the same ratio we find when doing post-breach PCI assessments as well (except it's reversed).
I'd like to know if the rule could be applied to effectiveness within the DSS, i.e., do 20% of the controls provide 80% of the security value of the DSS? One day I'll find some time to study that one a bit more…