The vast majority of businesses are still failing to comply with the Payment Card Industry’s data security standard, over two years after it became compulsory, according to a report.

Some 88 per cent have not complied with the rule, and over half are unable to say when they will be compliant, says a survey by security management software vendor NetIQ.

The PCI DSS standard concerns security management, policies, procedures, network architecture, software design and other protection measures.

Many companies were set to be left even further behind, NetIQ said, because on 30 June version 6.6 of the rule will come into place, concerning new security measures to protect web applications. All merchants accepting payment card transactions will be expected to either use a specialised firewall or have completed a web application software code review for finding and fixing vulnerabilities.

Europe is behind the US in DSI compliance, where a similar NetIQ survey showed nearly twice the proportion of companies were compliant, at 23 per cent.

But, according to the European survey of 65 IT managers, firms found that the road to compliance was complex. Nearly half had been working for over six months to become compliant. Some 93 per cent felt fines would either not typically be issued, or exceptions would be made.

Adam Evans, senior security specialist at NetIQ, said compliance required “a significant long-term commitment of resources”, but warned that the cost of a security breach and reputational damage “could be far greater”.

Related stories:

Payments firm rolls out analytics tool for PCI security compliance