When it comes to payment card security and PCI DSS compliance there’s always room for improvement.

That’s especially the case in 2018. For the first time in six years, compliance with PCI DSS across organizations was down last year; at least that’s according to Verizon’s latest payment security report, an annual report released this week that digs into how companies are handling PCI DSS compliance and the industry as a whole.

Despite an uptick over the first half of this decade – organizations that demonstrated full compliance at an interim assessment went up five fold from 2011 to 2016 – in 2017 it went down, ever so slightly, from 55.4 percent to 52.5 percent.

Last year there were fewer, not to mention ineffective, controls in place, according to Verizon, something that translated to more companies failing their interim assessment. The company said in its 2017 Payment Security Report that it was expecting an eventual decline in full compliance, mostly because increases have slowed over the last few years.

“Nearly half (47.5%) of the organizations Verizon assessed during interim PCI DSS compliance validation did not maintain all DSS controls,” reads one part of the report, adding that at 77.8 percent, organizations in the Asia Pacific region were the closest to achieving 100 percent compliance. Organizations in the Americas were the lowest at 39.7 percent compliance.

While compliance is down, Verizon’s report shouldn’t suggest there hasn't been progress across the industry: 80 percent of businesses failed their interim PCI compliance assessment in 2015 so this year’s numbers are certainly an improvement. 2017’s number is only a 2.9 percentage point dip, a number that can mostly be blamed by a widened control gap and in turn, an ineffective control environment.

“While the trend for the share of organizations sustaining compliance is upward, the organizations failing to do so are on average failing more controls at interim assessment – i.e., getting worse.”

It should probably come as little surprise that no organization affected by a payment card data breach was in full compliance with PCI DSS, at least during Verizon’s investigation.

According to the company only half of the organizations it surveyed manage their PCI DSS compliance as part of a broader data protection program initiative. The other half views PCI controls as equal, almost as as a standalone project. Verizon suggests that in this scenario, once compliance is satisfied, it becomes business as usual, and “there is a drop in control sustainability.”

“The dilution of compliance objectives among other business pressures is a contributing factor, but perhaps just as significant, a lack of adequate monitoring of control performance means that compliance failures creep in unknowingly,” the report reads, adding that the lack of an established monitoring program to support continuous improvement is likely the root cause of lapses in compliance.

The report reminds users that PCI DSS alone can’t address an organization’s capability for assessing data protection governance, oversight, and competence. It stresses that organizations should ask a series of questions, including:

• How well is your control environment defined and documented to support you in understanding its impact on control performance, and to help you manage and improve it? 

• Is your control environment supporting or detracting from achieving sustainability and continuous improvement of your PCI compliance program? 

• How confident are you in understanding the relevance between your control environment and the performance of your data protection program? 

• Do you have an enterprise-wise internal control
program based on an independent structure with a clear responsibility matrix, such as the Responsible, Accountable, Consulted and Informed (RACI) matrix?

The report, the seventh incarnation, synthesizes data from compliance assessments worldwide carried out by Verizon along with data from the company’s annual Data Breach Investigations Report (DBIR), released in April.