Today, Verizon released its Verizon 2010 Payment Card Industry Compliance Report, which I had the pleasure of working on. One of the most interesting findings, in my opinion, is what I call the PCI 80/20 Rule. The broad results of the report show that approximately 80% of companies fail their initial PCI audit. In addition, the average score at that initial audit is right around 80%, meaning that the typical company misses about 20% of the controls, and it is that missing 20% that causes it to fail.
So, the PCI 80/20 Rule:
80% of companies that are required to be PCI compliant miss 20% of the controls.
The implication of this finding is significant because it further defines the marginal cost of compliance. If companies on average start out already meeting 80% of the controls, then the remediation cost that gets attributed to the audit is really the cost of closing that last 20%, because the first 80% were already being done beforehand.
Go get the report and let me know what you think!