Though a few large merchants fail to comply with the Payment Card Industry Data Security Standard, many rely on alternative compensating controls to pass muster, according to a report by Thales Group and the Ponemon Institute.
Many large merchants also are paying an average of $225,000 a year for PCI audits, according to the report.
Only 2% of large, Tier 1 businesses fail compliance audits, and 98% pass.
However, 41% rely on temporary compensating controls to meet PCI requirements, the report said. The report, released Monday, was based on a Ponemon Institute survey of 155 qualified security assessors.
A compensating control is an alternative measure a merchant takes to achieve compliance with the standard if it is unable to comply with the requirements as written. Qualified security assessors must approve the control.
A Tier 1 merchant processes more than 6 million Visa transactions a year.
Visa Inc. requires qualified security assessors to complete annual reports on compliance for such retailers.
The average cost of an assessment for Tier 1 merchants, excluding technology, operating and staff costs, is $225,000 a year.
Ten percent of Tier 1 merchants pay $500,000 or more a year for PCI audits, according to the report.
More than half (54%) of the surveyed assessors' merchant clients find compliance with the standard too costly, while 20% are satisfied with compliance costs, the report said.
If the assessors were unable to approve compensating controls and had to adhere strictly to guidelines, "there would be a lot more failures reported," said Larry Ponemon, the Ponemon Institute's chairman and founder.
He said he was surprised by how high the percentage of merchants using compensating controls was.
"The fact that compensating controls are being made to get to compliance means organizations have a lot of gaps that need to be filled," he said.