Although the payment card industry combined its data protection programs into a single data security standard (PCI DSS) back in 2004, most organizations still haven’t achieved full compliance with it, according to Verizon’s 2019 Payment Security Report.

The data security standard contains a dozen broad requirements that organizations develop a secure network and systems, implement control measures, monitor, and so on. Just 36.7 percent of organizations are fully compliant with the standard and keep the necessary security controls in place, a figure down from a high of 55.4 percent in 2016, according to Verizon. Indeed, Verizon concludes, too many organizations are relying on a check-the-box routine without improving their ability to maintain compliance.

Perhaps even more alarming, 18 percent of organizations surveyed had no defined compliance program, Verizon reports. Just 20 percent of respondents described their organizations’ data protection compliance program maturity as “advanced.” None said their program maturity was optimized.

Verizon has been publishing its Payment Security Report since 2010. The early years focused on emergence and growth of compliance programs, while more recent ones have emphasized proficiency and sustainability. Back when the PCI DSS was published, industry anticipated effective compliance would take about five years to achieve, Verizon explained in its executive summary. Fifteen years out, less than half the organizations maintain programs that prevent “security controls from falling out of place within a few months after formal compliance validation,” Verizon reported.

A standard few can comply with?

More organizations in the Asia-Pacific region (69.6 percent) were able to maintain full compliance with the PCI DSS than those in the Americas (20.4 percent) or in Europe, the Middle East, and Africa (collectively, less than 50 percent). “If you are in the Americas,” Verizon wrote in its report, “the likelihood that you need support to get your security and compliance programs on track is more than 75%.”

Interestingly, no organization that suffered a data breach was actually compliant with all of the requirements of the PCI DSS, Verizon noted. It reported 18.4 percent of breaches were due to a failure of security controls.

The 2019 report includes an analysis of data from 302 entities, as well as information from 55 survey respondents at organizations that comply with the standard. Data for the data breach correlation came from Verizon Threat Research Advisory Center investigations of organizations after a breach of payment card data, Verizon explained. None of Verizon’s PCI DSS customers experienced a data breach.

Excessive reliance on paper programs

Too great a focus on meeting baseline compliance requirements is a part of the problem, Verizon explained. After all, data security is not so much a single activity as a never-ending process that tends to need improvement. Launching a data protection program is one thing; keeping it up to date and making sure it is maintaining its effectiveness is another.

Too often, chief information security officers “focus on keeping only baseline control activities in place instead of growing data protection competency and maturity,” Verizon wrote. Ultimately, “too many organizations are stuck in a reactive ‘wash, rinse, repeat’ pattern.”

Verizon likened the challenges with securing card payment processes to yacht racing. Instead of just setting one’s sails and the rudder, anyone who actually wants to win a race will continually adjust the boat’s settings as the wind varies. So it is with data protection compliance.

“Just as a yacht crew needs to develop capabilities to adapt to the prevailing conditions while staying focused on the destination, organizations need to be able to react effectively to changes in the control environment,” Verizon wrote.

From matters as basic as knowing where an organization’s data is, how it flows, and where it is to confidence that appropriate controls are in place and in fact are effective to knowing how quickly event detection occurs and can be responded to, Verizon identifies a number of questions organizations should ask as they enhance the long-term effectiveness of their compliance programs. Verizon has developed a compliance program performance evaluation framework to help organizations improve the capability of their own programs.

Lori Tripoli is a writer based in the greater New York City area who focuses on legal and regulatory issues.