The most striking result? While many aspects of data security are improving for companies that deal with major card brands like American Express, MasterCard, and Visa, one key element has backslid over the past year: Regular system testing.

This is what’s known as “requirement 11” in the world of PCI DSS—as in Payment Card Industry Data Security Standard—a continually updated set of guidelines devised by an industrywide council founded in 2006. According to the report, regular system testing is the only category to experience a drop.

In order for companies to achieve compliance—or meet the minimum mandate for security—they are required to run quarterly vulnerability scans and at least one annual penetration test. “Pentesting,” as the latter is known, is the practice of inviting whitehat hackers to breach your network, reveal the chinks in its armor, and draw up a report. “Vulnscans,” on the other hand, rely on automated tools to expose known weaknesses—for instance, all the server side vulnerabilities discovered last year, including the infamous “Heartbleed,” “Shellshock,” and “POODLE” bugs—rather than the wiles of crafty humans.

Despite both pentesting and vulnscans being essential components of enterprise IT security, only a third of companies undertook adequate system testing, according to the report.

“You would expect a lot of executives asking their teams and suppliers to test their systems,” says Rodolphe Simonetti, managing director of payment card industry services at Verizon. “In reality only 33% of them did that. That’s a definite surprise when you consider the number of breaches we’ve seen last year.”

Companies improved on 11-out-of-12 compliance indicators—averaging an 18 percentage point increase in areas such as data access restrictions, authentication schemes, encryption of sensitive information, and strong passwords—but regular testing dropped seven percentage points from last year, the sole compliance indicator to worsen.

Why the drop at a time when the threats seem to be coming in faster than ever? The report ranks a lack of accountability and poor record keeping as partial explanations. That means businesses are simply losing track of their work—what Art Gilliland, head of HP’s enterprise security products, has described to Fortune as a “people and processes” problem.

In other words, it doesn’t matter if you have a topnotch scanner if you’re unable to manage its findings effectively. (Hackers-for-hire also pose an issue since it can be difficult to know who offers a quality service.)

In general, more companies are becoming compliant, stepping onto the bottom-rung of a ladder leading up toward that lofty concept of security. But in terms of proactively prodding their networks and findings cracks, companies have taken a step backward.

“The lesson is clear,” the report exhorts, “as an industry, breached and non-breached organizations alike, we all need to do better at testing our defenses.”