
SecurityScorecard Releases New Research Report Finding Over 90 Percent of Retailers Missing PCI Compliance Mark

Posted on September 20th, 2018

New York, NY, September 20, 2018 - SecurityScorecard, the leader in security ratings, today announced the release of the company’s newest annual research, The 2018 SecurityScorecard Retail Cybersecurity Report. SecurityScorecard analyzed 1,444 domains in the retail industry with digital footprints of 100 or more IP addresses. The report compares the average SecurityScorecard grade of the retail industry to other vertical markets, highlights the top retail domains and includes unique retail domain information, such as percentages of malware infection discovered, reported breach data, and compliance analysis.

“This year the retail industry’s security posture fell lower than in years past, both in application security and social engineering,” said Fouad Khalil, head of compliance at SecurityScorecard. “To remain competitive, retailers are adopting new payment and digital technologies, exposing them as prime targets for cybercriminals. This report demonstrates the importance of understanding the full retail ecosystem and how the industry is faring when it comes to meeting standard compliance guidelines.”

Key Findings:

  • PCI Non-Compliance: Over 90 percent of the retail domains analyzed indicated non-compliance with PCI DSS standards.
  • Retail Industry Neglects Application Security: Out of all of the industries monitored by SecurityScorecard, the retail sector scored second to last - a significant drop from 2017.
  • Social Engineering on the Rise: The retail industry ranks last in security measures against social engineering vulnerabilities, a drop from seventh place in last year’s report.
  • Point-in-Time Compliance Does Not Cut It: Periodic scans for issues and vulnerabilities are not as effective against attacks as real-time monitoring.

“As organizations assess their compliance with PCI DSS, they must be able to detect, remediate and recover from any threats or vulnerabilities adding risk to unauthorized access to CDE,” continued Khalil.

SecurityScorecard continually monitors more than 200,000 businesses across the world and rates them on an easy-to-understand A-F scale. Companies with a C, D, or F rating are 5.4 times more likely to be breached than companies with an A or B rating.

Get your Instant SecurityScorecard to discover how hackers, partners and customers see your organization.

About SecurityScorecard
Headquartered in the heart of New York City, SecurityScorecard's vision is to create a new language for measuring and communicating security risk. The company was founded in late 2013 by Dr. Aleksandr Yampolskiy and Sam Kassoumeh, two former cybersecurity practitioners who had served, respectively, as Chief Information Security Officer and Head of Security and Compliance. With cloud solutions becoming an increasingly integral part of the security technology stack, Yampolskiy and Kassoumeh recognized the need to address third- and fourth-party risk as well as to better understand the security capabilities of their business partners. Since its founding, the company has grown dramatically and now counts hundreds of leading brands as customers. SecurityScorecard is backed by leading venture capital investors including Sequoia Capital, GV, NGP Capital, Evolution Equity Partners, Boldstart Ventures, and AXA Venture Partners, among others. For more information, visit
