Keeping up with PCI hasn't improved much: Verizon

28.09.2011

Real-world demands and fatigue can get in the way of compliance, the study says. "When faced with the choice of where to place their energies, many people will choose to just get things done rather than worrying about the 'right way' or the 'compliant way,'" the study says. "The organization might take notice of PCI while the QSA is on-site, but afterwards allow a significant portion of the necessary practices to erode over time."

Fully staffed security departments are a rarity, and security in general is still viewed in some organizations as a drag on business rather than an accepted part of dealing with risk. "Too few companies have a manager or director in charge of compliance efforts, and lack an informed sponsor at the senior or executive level within the corporation to provide support and guidance for projects," the study says.

Making things more difficult, PCI is a moving target that gets tougher year by year. In addition to new versions of the standards, clarifications about existing standards mean narrowing interpretations of the rules and redefining what is acceptable. So what met the requirements one year might not meet them the next. "This will become increasingly true as the PCI DSS 2.0 requirements are used for all assessments starting in January 2012," according to the report.

Some suggestions for success:

= Choose a champion with clout.