"We see compliance going down day by day, month by month, after the assessment," said Rodolphe Simonetti, managing director for Verizon's compliance consulting. "Compliance is supposed to be supporting security, not just a yearly checklist."
The Payment Card Industry Data Security Standard has 12 main requirements. The most likely to go unmet between audits? The requirement to maintain a firewall and making sure that there is a strong network protection later, said Simonetti.
Not every company drops the ball on this one, he added. But the majority do.
"You would expect that companies would test their systems on a regular basis," he said. "But it looks like they're testing their systems on an annual basis. It was really a surprise."
For example, he said, retailers are supposed to regularly review the rules for their firewalls to ensure that they are strong enough. But during some parts of the year, other things come first.
"Like when they get ready for Black Friday, security becomes less of a priority," he said.
Simonetti said he regularly hears people say that compliance doesn't support security, that it's an occasional project. It's not part of the ongoing security operations.
"But what we see from a lot of customers is that a compliance audit often uncovers a lot of important security gaps," he said. "If you use it properly, it will definitely aid in supporting security. But if you think of it as a yearly exercise, then it does not support security."
One sign that this attitude needs to change? Out of hundreds of companies that were breached over the last five years, not a single one has been fully compliant at the time of the breach.
The full 2015 PCI Report will be released at the end of February and will include the results from thousands of PCI assessments conducted by Verizon for mostly Fortune 500 and large multinational firms in more than 30 countries.
This is the first year that the report will look at the DSS 3.0 standard, which specifically addresses the issue of compliance as a continuous process rather than a one-time review.
Looking beyond breach prevention, Simonetti said that companies also need to be more prepared for when a breach does happen.
"A lot of companies focus solely on security and not on resilience," he said. "We still see too many companies not being ready in case of a breach. If something happens, they are not ready to react."
An appropriate and immediate response, however, can significantly reduce the effects of a breach, he said.
But many companies are very slow to respond, he said.
"Sometimes it took weeks before they even noticed they were breached," he said.
Image: Staples store in the US where up to one million customer details were put at risk