The vast majority of businesses are still failing to comply with the Payment Card Industry's data security standard, over two years after it became compulsory, according to a report.

Some 88 percent have not complied with the rule, and over half are unable to say when they will be compliant, says a survey by security management software vendor NetIQ.

The PCI DSS standard concerns security management, policies, procedures, network architecture, software design and other protection measures.

Many companies were set to be left even further behind, NetIQ said, because on 30 June version 6.6 of the rule will come into place, concerning new security measures to protect web applications. All merchants accepting payment card transactions will be expected to either use a specialized firewall or have completed a web application software code review for finding and fixing vulnerabilities.

Europe is behind the US in DSI compliance, where a similar NetIQ survey showed nearly twice the proportion of companies were compliant, at 23 percent.

But, according to the European survey of 65 IT managers, firms found that the road to compliance was complex. Nearly half had been working for over six months to become compliant. Some 93 percent felt fines would either not typically be issued, or exceptions would be made.

Adam Evans, senior security specialist at NetIQ, said compliance required "a significant long-term commitment of resources," but warned that the cost of a security breach and reputational damage "could be far greater."