It's crucial that partners and their businesses go the extra mile.

James Anderson, Senior News Editor

September 26, 2018


Plenty of companies are meeting compliance measures for all the wrong reasons, and often do it ineffectively.

Verizon’s 2018 Payment Security Report casts doubt on how effectively businesses are implementing the Payment Card Industry Data Security Standard (PCI DSS). The report found that while compliance practices are widespread – 65 percent of businesses followed an extra compliance measure in addition to PCI DSS – there’s a growing failure to create an effective control environment.

1. Mind the Gap

[Figure: Verizon Payment Security Study, compliance percentages]

The percentage of fully compliant businesses had been increasing every year of the Verizon study from 2012-2016, but full compliance dropped from 55.4 percent to 52.5 percent in 2017. Verizon’s experts, however, aren’t so much concerned by the drop in compliance.

Verizon concluded that nearly 48 percent of its respondents had not maintained all of the DSS controls.

The study noted a rising “control gap” that is almost as high as when the study first began. The control gap represents the number of failed PCI compliance measures divided by the total number of PCI compliance measures.

[Figure: Verizon Payment Security Study, control gap]

We wrote last year that Verizon sees the control gap as an area of concern, and since then the number has jumped from 13 percent to 16.4 percent year over year.

Businesses and their solution providers must consider that control-design environments will vary significantly from business to business. But according to Verizon, plenty of businesses imprudently place controls without serious consideration of the environment.

“Implementing PCI DSS controls ‘out of the box’ and expecting them to perform flawlessly usually isn’t effective and, very likely, isn’t sustainable unless the security controls include tailor-made documentation and specifications for operating within the specific environment,” Verizon’s executive summary reads.

2. A Problem of Motivation

It’s obvious to most of us that compliance rules aren’t a silver bullet to prevent data breaches; however, they help move a company in the right direction. One of the biggest problems is that many businesses are merely checking a box when they pursue compliance. Verizon writes that compliance was never meant to be a checkbox, comparing it instead to an exam.

“All a compliance assessment proves is that on the day, you’d done enough. The assessor wasn’t able to find sufficient evidence that you hadn’t met the grade,” Verizon said. “But actually, compliance is more like a job interview than an exam. You might say all the right things on the day and get the job, but if your skills and experience aren’t what you say they are, the chances are that you’ll get found out pretty quickly.”

There are two horrible ways to approach compliance. The first, as we have mentioned, is to treat it as a silver bullet, and the second is to treat it as a way to get the government off your back.

“The threat of massive penalties clearly focuses attention on compliance, but should not be the primary motivation for a compliance program,” the study noted. “This can lead to a ‘teaching to the test’ approach, rather than striving to achieve true data protection.”

3. Due Diligence

There’s a whole lot of box-checking going on. Numerous statistics in the Verizon study illustrate businesses doing … the bare minimum. Only 18 percent of organizations exceeded the DSS requirement for how many times they should measure their controls.

Compliance reporting is a big area of bare minimums. Forty percent of businesses measured their PCI compliance annually, and only 19 percent reported their compliance monthly.

And in other cases, organizations depend too much on external compliance assessors who periodically inspect their system.

“Not reviewing controls throughout the year can lead to failure to react to changes in the control environment quickly enough to maintain security. Organizations need to develop a program of ongoing internal reviews that evaluates control effectiveness.”

The entire study is available online. You can read about Verizon’s 2017 report on our site.

Kaseya’s recent IT operations study has interesting numbers on PCI compliance.


About the Author(s)

James Anderson

Senior News Editor, Channel Futures

James Anderson is a news editor for Channel Futures. He interned with Informa while working toward his degree in journalism from Arizona State University, then joined the company after graduating. He writes about SD-WAN, telecom and cablecos, technology services distributors and carriers. He has served as a moderator for multiple panels at Channel Partners events.
