Just 11.1% of organizations fully comply with PCI security standards, according to a new report from Verizon Enterprise Solutions.

88.9% of organizations aren’t doing enough to protect the credit and debit card data they handle, according to a new report from Verizon Enterprise Solutions. The “Verizon 2014 PCI Compliance Report” says that only 11.1% of organizations are fully compliant with the 12 requirements of the Payment Security Industry Data Security Standards, a set of rules created by payment card networks to protect cardholder data, commonly referred to as PCI. Still, that’s up from 7.5% in 2012, the report says.

Verizon security experts assessed more than 500 companies across multiple industries, including retail. They gathered data between 2011 and 2013 for the report.

Although the remaining 88.9% of companies assessed are somewhere beneath “compliant,” the number of companies improving year to year is on the rise. Verizon classified just over 70% of organizations in the report as “nearly there,” or between 81% and 99% compliant, in 2013, up from 25% in 2012. Verizon attributes this growth to increased awareness of data security standards from security vendors, card brands and the PCI governing body, and a heightened concern for card data security prompted by well-publicized data breaches. Clearer interpretations of the PCI standards have also helped.

Verizon stresses that it takes only one weak point in payment card security for criminals to access payment card data. When it compared its findings to the Verizon 2013 Data Breach Investigations Report, Verizon found that companies with a data breach are less likely to be effective at two things: limiting access to cardholder data on a “need-to-know” basis, and generating and maintaining accurate logs of consumer activity on all devices. Though these aren’t the only two factors that increase the risk of a data breach, they were key contributors to data breaches and losses of cardholder data in 2013, the report says.
