Although credit and debit card data continue to be a prime target for attackers, organizational adherence to the Payment Card Industry Data Security Standard (PCI DSS) remains surprisingly low. Despite prior work showing that PCI DSS can reduce card fraud, only 32.4% of organizations were fully compliant in 2022, suggesting possible deficiencies in enforcement mechanisms. This study employs a comparative analysis (qualitative and indicator-based) to examine how enforcement mechanisms relate to implementation success in PCI DSS compared with HIPAA, NIS2, and GDPR. The analysis reveals that PCI DSS lags far behind these security frameworks and that its sanctions are orders of magnitude smaller than those under GDPR and NIS2. The findings indicate a positive association between stronger, multi-modal enforcement (including public disclosure, license actions, and imprisonment) and higher implementation rates, and highlight the structural weakness of PCI DSS's bank-dependent monitoring model. Enhanced non-monetary sanctions and the creation of an independent supervisory authority are recommended to increase transparency, reduce conflicts of interest, and improve PCI DSS compliance without discouraging card acceptance.