This perhaps surprising analysis comes from a survey of Qualified Security Assessors (QSAs), which also reveals that, whilst only 2% of businesses outright fail compliance audits, 41% would fail if unable to rely on temporary compensating controls to meet Payment Card Industry Data Security Standard (PCI DSS) requirements.
The report from Thales - and carried out by the Ponemon Institute - says that these alternative routes to compliance must meet QSA approval, but they may be just temporary fixes or be eliminated by future changes to PCI DSS.
Their prevalence, says Thales, appears to indicate businesses are still coming up to speed with the security standard, which was first introduced back in 2006.
The study - entitled 'PCI DSS Trends 2010 - QSA Insights' - says that 60% of QSAs believe that encryption is the most effective means to protect card data end-to-end - from the moment it is accepted at the point-of-sale to when the transaction is authorised.
And, says the study, new technologies like tokenisation are also gaining the attention of QSAs, with 35% of QSAs preferring this method for protecting cardholder data end-to-end.
The research, which was announced at RSA Conference 2010 in San Francisco, found that 81% of QSAs recommend the use of a hardware security module (HSM) for encryption and key management.
HSMs are specialised devices used to make protecting and managing keys easier. To this end, 63% of QSAs said they believe that using HSMs reduces the time and money spent on compliance.
Commenting on the report, Larry Ponemon, the chairman of the Ponemon Institute, said that it is the first ever to analyse PCI DSS compliance trends from the QSA perspective and reveals some very interesting information about the way organisations approach compliance and how they protect sensitive information.
"PCI DSS compliance isn't easy and it's definitely not all about any one technology or process. This study indicates a significant concern among QSAs that many merchants are primarily focused on complying with PCI and less on what should be equally important - protecting sensitive information", he explained.
Over at Thales, Franck Greverie, the firm's managing director for IT security, said that protecting customer and business data is a top priority for every organisation, but demonstrating compliance does not inherently translate into data security.
"Hopefully the results of this survey will help merchants better understand how QSAs view PCI DSS requirements and what works best to achieve compliance. Ultimately this will save merchants time and money and, most importantly, protect their business bottom line", he said.