Some 15 years after the payment card industry settled on a single data security standard with PCI DSS, there are indications that too many organizations' practices haven't risen to the level of maturity that would have been anticipated at this point.
In Verizon’s annual survey of payment card industry security practices, only 37% of the 302 surveyed enterprises sustain full compliance with the 12 specifications outlined in PCI DSS consistently over time.
Effectively, most organizations are focusing on meeting the basic requirements rather than developing consistent and effective security practices.
Just 18% check to see if they are meeting PCI DSS specifications more often than what the standard mandates.
Lack of compliance programs is a concern
The Verizon survey highlights significant regression in terms of practices. Just three years ago, 55% of the surveyed organizations reported that they were maintaining security controls in compliance with PCI DSS specifications at all times.
An alarming 18 percent of enterprises admitted they have no formal compliance program in place at all. And only one-fifth described their data protection compliance programs as advanced.
While it is true that compliance does not equate to effective security, regulations and security mandates can provide an important blueprint to help organizations establish controls and develop best practices.
It is worth noting that the Verizon research reported that no organization that was hit with a breach was 100 percent compliant with all 12 PCI DSS specifications.
What is clear from the study is that too many enterprises are not advancing their practices and methodologies over time, leaving valuable assets exposed.
Meeting compliance standards at a point in time only to let controls slide later is a very risky practice.
Enterprises need to treat compliance as a foundational step toward a broader set of security methodologies and practices that evolve with the business.