Weak enforcement keeps PCI DSS compliance low

Payment card breaches continue to surface across industries, even after years of investment in security standards. A new study attributes this pattern to the way the standard is enforced, and finds that PCI DSS compliance rates trail well behind those for HIPAA, GDPR, and the EU's NIS2 Directive.

A compliance gap that keeps widening

The authors report that only about 32% of organizations met all PCI DSS requirements in 2022. That figure comes from industry reporting and represents the most recent stable data point before the transition to PCI DSS v4.0 (published in March 2022, with v3.2.1 retired at the end of March 2024). Earlier years showed higher adoption, followed by a steady decline after 2020.

The study places this number alongside higher rates for other frameworks. HIPAA reached an estimated 92% implementation rate in 2022. GDPR stood at roughly 87%. NIS2, which EU member states were required to transpose into national law by October 2024, is projected to reach around 70% adoption by the end of 2025.

Who enforces the rules matters

PCI DSS is maintained by the PCI Security Standards Council, which has no legal authority of its own. The standard binds organizations only through contract: the card brands impose obligations and fines on acquiring banks, and the acquirers pass them down to merchants and service providers through their merchant agreements. Day-to-day enforcement therefore falls largely to acquiring banks.

These banks review compliance and apply penalties while maintaining commercial relationships with the same organizations, whose transaction volume is the source of their revenue. This structure limits independent oversight and reduces the likelihood that a violation escalates beyond a negotiated settlement.

HIPAA, GDPR, and NIS2 rely on public authorities. HIPAA enforcement sits with the Department of Health and Human Services' Office for Civil Rights, with the Department of Justice handling criminal cases. GDPR requires an independent data protection authority in each EU member state. NIS2 assigns oversight to national regulators, coordinated at EU level.

These authorities can investigate complaints, order corrective actions, and apply sanctions without commercial ties to the organizations they regulate.

Penalties send signals

Financial penalties vary widely across the frameworks. PCI DSS non-compliance fines are typically cited at $5,000 to $100,000 per month, giving a reported maximum of about $1.2 million per year. The study compares that figure to penalties under the other regimes by expressing each as a share of a large enterprise's revenue.

Under HIPAA, annual penalties can reach about $2.1 million per violation category, and several categories can apply in a single case. NIS2 allows fines of up to €10 million or 2% of global annual turnover for essential entities (€7 million or 1.4% for important entities). GDPR permits penalties of up to €20 million or 4% of global annual turnover, whichever is higher.

Expressed as business impact, the PCI DSS fine ceiling amounts to less than 0.001% of revenue for a large organization, while GDPR's ceiling reaches several percentage points. The study finds that the frameworks with higher penalty ceilings are also the ones with higher compliance rates. That is a correlation across four regimes rather than a controlled result, and the PCI DSS figure counts only the contractual fine, not the fraud liability, forensic investigation costs, or loss of card acceptance that can follow a breach at a non-compliant merchant.

Enforcement design shapes outcomes

Stronger authority behind PCI DSS enforcement would support higher adoption. Oversight bodies would need more precise guidance for requirements that are open to interpretation, along with greater power to act on violations once they are found.

Enforcement mechanisms that extend beyond monetary fines also shape compliance. The threat of losing the ability to accept cards already weighs heavily on smaller organizations, for which a fine of the quoted size can be ruinous. Measures that influence market behavior more broadly create sustained pressure to invest in compliance programs rather than a one-off cost to absorb.

One option is to increase market pressure through transparency. Public disclosure of PCI DSS compliance status would let cardholders and business partners factor security posture into their decisions, so that revenue impact follows customer response to the published information. An independent authority could manage those disclosures, oversee violation assessments, and resolve ambiguous cases before further action is taken.
