How secure is cyber security? Not very.

There is a fundamental misunderstanding regarding data security compliance, often referred to as ‘PCI Compliance’. Many believe that it guarantees security and that it protects consumers.

It does not. Compliance is important, however, the misalignment of expectations leads to unfortunate outcomes creating a veneer of security.

Compliance is, by definition, the least that a company can do and still have the authority to operate. Remember when you were a kid and you wanted to ride a roller coaster? There was a height measurement requirement, a colorful clown with an outstretched hand and a line of really short crying kids directly adjacent.

The goal of the clown was to help the park measure height as a proxy for safety. The clown did not actually inspect the ride or in any way affect the quality of the maintenance and operations of the roller coaster. The clown ensured only that you were tall enough "to ride this ride”. This is a similar scenario as compliance.

Each year, more than 10 billion credit card transactions are processed globally. In the United States, we use a compliance regime called the Payment Card Industry (PCI) Data Security Standard (DSS) that governs the rules around if and how vendors can process credit card transactions. The goal is to protect the confidentiality, integrity and availability of data and systems and assure that consumers and corporations are protected from theft and fraud.

The PCI DSS compliance standard gives a roadmap to merchants and guides them on how to remove low-hanging fruit. The standard does this by bringing together the payments enterprise for a common goal of payment transaction security. Regardless of your preview on its efficacy, the standard has teeth: ensure your compliance or pay the fine. But that simply is not enough.

As far back as 2008, experts in the community have argued that PCI DSS is ineffective at stopping data breaches. Many maintain that the standard needs to adapt faster to the state of the art tactics, techniques, and procedures of sophisticated threat actors. Others maintain that there needs to be increased accountability and separation of duties between key parties in the process of the PCI DSS review. But the criticism does not stop there.

The standard itself is clear as mud. Moreover, there is no independent certification or seal of approval, unlike in other standards. Instead, those seeking PCI DSS compliance engage in a self-assessment. If they fail, they can either choose to not operate or to operate and pay a fine (if they get caught), which often is far less than the profit they would generate by operating out of compliance.

Those seeking compliance must use a Qualified Security Assessor (QSA) that reviews the policies, processes, and procedures of the applicant in the self-assessment. The QSA makes a determination based on their interpretation of the standard.

The entire process is subjective – so much so in fact that the Federal Trade Commission has taken action to better understand the efficacy of the QSA industry. This is in part because the acumen of a QSA can range from Tyrion Lannister to Hodor. But even if we were to assume that PCI DSS was a perfect standard, it would not matter.

PCI DSS cannot protect consumers and merchants from motivated and capable deliberate threats or from unintentionally senseless employees of merchants. The standard cannot not stop hackers from launching custom malware attacks or installing credit card skimmers that hijack sensitive data. It cannot stop a systems administrator from storing credit card data on a laptop…and losing the laptop.

While PCI DSS is imperfect for those and other reasons, it is the first thing that merchants should do to increase their security posture. It just is far from the last. Like most things, it all falls down on people. The most important thing any organization can do to secure the enterprise is to invest in its employees.

Processes are developed and enforced by people – technology is developed and deployed by people. All things in cyber security – including standards like PCI DSS – are only as good as the people at the helm. Everything else is just lipstick on a pig.