Intelligence
Changelog

Verification note: maturity score remains provisional — full verification scheduled Q2 2026

Following internal review, the cross-industry maturity score (58/100) will remain at provisional status until Q2 2026 verification cycle completes. Value is directionally sound; full verification requires independent audit of benchmark collection methodology.

Citation corrected: PCI DSS v4.0.1 — updated canonical URL

Canonical URL updated to reflect PCI SSC document library reorganisation. Citation text unchanged. All published statistics unaffected.

Statistic created: average annual PCI DSS compliance cost (cross-industry)

Annual compliance cost computed from benchmark submissions. Value: $287,000 USD median (provisional). Covers QSA fees, remediation, internal labour, and tooling. Excludes breach response costs.

Methodology clarification: outlier handling policy updated

Clarified outlier handling: values beyond ±3 standard deviations from cohort mean are winsorised (not excluded) for maturity scores. Remediation hours use ±2.5 SD threshold. No impact on published statistics.

Statistic recalculated: average remediation delay — updated from 9.1 to 9.4 days

Remediation delay metric updated following monthly recalculation. Increase of 0.3 days reflects data from late-cycle submissions in hospitality and retail cohorts.

Statistic recalculated: compliance maturity — updated with additional submissions

Benchmark dataset updated with 214 additional submissions received since initial generation. Composite maturity score unchanged at 58/100. Confidence interval narrowed.

Source registered: AICPA Trust Services Criteria (2022)

Framework document registered for SOC 2 cross-framework intelligence features. Verification status: verified.

Source registered: ISO/IEC 27001:2022

Framework document registered for cross-framework intelligence features. Verification status: verified.

Statistic created: evidence automation adoption rate (cross-industry)

Automation adoption computed as proportion of evidence controls where automated collection tools are deployed. Value: 67% (provisional). Methodology counts partial automation at 0.5 weight.

Statistic created: average PCI DSS audit hours (cross-industry)

Median audit hours computed from benchmark submissions. Value: 680 hours (provisional). Covers full ROC-level assessment effort including evidence gathering, QSA time, and remediation cycles.

Statistic created: average PCI DSS compliance maturity (cross-industry)

Composite maturity score computed from benchmark dataset. Value: 58/100 (provisional). Based on N=4,721 submissions. Display mode set to provisional pending full verification cycle.

Dataset generated: cross-industry PCI DSS benchmark (N=4,721)

First full generation of the 2026 benchmark dataset. Sample size reached 4,721 programme submissions. All 7 industry cohorts exceed minimum threshold of 30. Composite maturity scores, audit hours, compliance costs, automation adoption, and remediation delay metrics computed.

Benchmark dataset registered: GRCTrack PCI DSS Benchmark Dataset 2026

Internal benchmark dataset registered with provisional status. Dataset covers 4,721 voluntary programme submissions across 7 industries. k-anonymity protection (k≥5) applied to all published outputs.

Source registered: PCI DSS v4.0.1 (PCI SSC)

Primary source registration for PCI DSS v4.0.1. Manual review completed. Verification status set to verified.

Benchmark Intelligence Methodology v2026.1 published

Initial publication of the GRCTrack Benchmark Intelligence Methodology. Defines scoring approach (composite 0–100), weighting logic (maturity 40%, evidence 25%, automation 20%, remediation 15%), k-anonymity rules (k≥5), and minimum sample threshold (30 per cohort).