Visa, MasterCard to unveil new security rules

07.07.2006

The PCI standard could become stricter in the next few years. Currently, companies are encouraged, but not required, to use payment applications that meet a set of PCI payment application best-practices standards; doing so will become compulsory over the next two years, Perez said.

The number of companies complying with PCI requirements finally appears to be picking up after a slow start, several analysts said. Visa says that about 22 percent of Tier 1 merchants, which the company defines as those processing more than 6 million card transactions per month, are already PCI-compliant, with another 72 percent on track to becoming fully compliant.

The numbers reveal that progress is being made, albeit slowly, said Avivah Litan, a Gartner Inc. analyst. One of the biggest technology challenges is PCI's requirement for encryption, Litan said. Some companies are uncertain whether they're required to encrypt data or can implement other compensating controls, she said.

Another factor in the slow pace of adoption is the perception that PCI, unlike government mandates, is a private standard lacking enforcement teeth, said Nigel Tranter, a PCI auditor at Payment Software Co., an auditing firm in San Jose.