PCI DSS audit procedures are rubbish, too
I'm wondering if these statistics are actually worth anything ...
I've seen questionnaire-based PCI DSS audits where the auditors themselves didn't understand their own questionnaire, or demanded answers to questions which were not applicable to the situation (such as whether media containing payment data are handled by specially instructed staff during transport, when payment data isn't ever transported by physical media).
There was even one case where a truthful answer would have meant failing the audit, while the "correct" answer was obviously nonsensical: The audit form required my client to state that the systems processing credit card data are not connected to any other devices or networks, when in fact they were using a web-based transaction processing service (and the provider of this very service initiated the audit)! In the end, *the auditor knowingly told us to provide false information* in order to pass the audit.
So I guess even among the 21 % who pass are a number of companies who simply lie during the audits - sometimes at the auditor's request, as in the case I witnessed, but probably otherwise as well. This isn't very surprising either as they are often under the threat of having their payments - i.e. their revenue stream - cut off at short notice.
On the other hand, I guess among the other 79 % are quite a lot of companies that do have adequate security, yet made the mistake of answering the questionnaires honestly and were tripped up by some idiotic question.
BTW, there's a wonderful tale of an auditor demanding usernames and passwords for all employees of a company over at serverfault: http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants