Verizon PCI Report: the PCI 80/20 Rule

Today, Verizon released its Verizon 2010 Payment Card Industry Compliance Report, which I had the pleasure of working on. One of the most interesting findings, in my opinion, is the PCI 80/20 Rule. The broad results show that approximately 80% of companies fail their initial PCI audit. We also know that the average score is right around 80%: on average, a company misses 20% of the controls, and that is what causes it to fail.

So, the PCI 80/20 Rule:

80% of companies that are required to be PCI compliant miss 20% of the controls.

The implications of this finding are significant, because it helps define the marginal cost of compliance. If companies on average start out already meeting 80% of the controls, then that last 20% of controls bears the actual cost associated with the audits, because the first 80% were already being done beforehand.

Go get the report and let me know what you think!

1 comment for “Verizon PCI Report: the PCI 80/20 Rule”

  1. Wade Baker
    October 7, 2010 at 10:00 pm

    Hey Pete,

    As you know, we talked a decent amount about this during the analysis. I find the 80/20 split very interesting. The 80/20 rule has shown up not only in the annual PCI assessments, as you discuss, but that's the same ratio we find when doing post-breach PCI assessments as well (except it's reversed).

    I'd like to know if the rule could be applied to effectiveness within the DSS, i.e., do 20% of the controls provide 80% of the security value of the DSS? One day I'll find some time to study that one a bit more…