Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Counting the Cost of Compliance Before Starting
Quick Take
On this episode of Compliance Unfiltered, Adam and Todd will go deep into the topic of planning your work and effectively working your plan. Specifically, this week, the CU guys focus on how to help organizations anticipate and properly plan for their impending compliance costs.
- Why is it so tough to accurately predict costs in this arena?
- What are some of the obvious and less obvious costs to know about going in?
- How do the time management capabilities of your team play into the mix?
Have no fear, the CU Guys have all these answers for you, and more. All in this episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the Pikachu to your compliant Pokemon battle. Mr. Adam Goslin, how the heck are you, sir? I feel like I want to grab my phone and go running around looking for, you know, compliance bonus points or something. I love it. I love it. Well, listen, today we’re actually going to talk about some of the perils of a lack of mindfulness. More specifically, we’re going to chat about what happens if you don’t maintain PCI DSS after becoming compliant.
Now, Adam, I got to ask, why is this such a critical discussion point? Well, I actually, I’ve had a lot of personal experience with this.
My early days of trying to, you know, going from getting the organization that I needed to help get compliant, you know, and then transitioning from that to stepping out and, you know, stepping away from working for somebody else and stepping into this world of, you know, running my own business in the security and compliance consulting space. You know, the first several years of that, it was a repeating experience, which was organizations that had gotten compliant, taking their foot off the gas and forgetting about stuff, you know, etc. And, you know, next thing you know, you’re sitting down, you’re in front of the assessor, and they’re like, Okay, so where’s this? And everybody kind of looks right. And some poor soul is at the end of that line.
And you know, it’s, there’s a, it’s complicated. There’s a lot of people, you know, when you when you’re taking that, you know, kind of grueling hike up the mountain, and, you know, you know, for anybody that has done that, and you know, that feeling of both, you know, sense of relief and sense of achievement once you get to the top, you know, but you know, you go you go ask any seasoned hiker and they’ll tell you that, you know, the real work is the descent, you know, the same thing goes for achieving and maintaining PCI compliance, you know, a lot of them, you know, for achieving it in the first place, you know, kind of feels like reaching the summit of the mountain, you know, and they go, Oh, thank God, that’s done, you know, type of thing. And, you know, they go, they, you know, they have their cert in their hand, you know, everybody’s, you know, clapping each other on the back. And we throw the, as we like to call it, the compliance party, you know, et cetera. And, you know, everybody goes back to their day job, finger quotes, you know, but, you know, what happens, you know, it’s a problem that when organizations take that sense of relief and morph it effectively into, you know, ongoing compliance complacency, you know, there’s definitely some, some, some dangers there.
Well, specifically, what dangers of taking your foot off of the proverbial PCI gas pedal? Well, you know, if organizations are taking compliance or PCI compliance as a, you know, kind of a one off accomplishment, instead of an ongoing commitment, then they’re literally setting their organizations up for some real problems. You know, one of the, you know, crucial tasks, you know, that falls prey to said complacency is, you know, executing and doing your routine quarterly vulnerability scans as an example. You know, those need to be done every 90 days once you get compliant. And, you know, the, you know, doing those scans isn’t, hey, this is a good idea, you know, we think this would be really cool if you did, you know, no, this is a freaking requirement, you know. And so, you know, in all of the, all of the elements, this is the one thing that especially leaders of the organization, they have this tendency to look at the accomplishment of compliance as I have gone in, I have taken a test, I have checked these boxes and now it’s done. And instead, what they really need to be doing is they need to look at stepping into this compliance world, it is a mindset shift. It is a change in the structural DNA of the organization, if done correctly, where you’re morphing from an organization that maybe wasn’t taking the security and compliance elements tremendously seriously before, and now you’re in that, you know, kind of in that mode, you know, the vuln scans as an example, I mean, all of the controls across any standard, PCI specifically is what we’re talking about today. But any, any of these standards, including PCI, every single one of these controls will serve a multitude of, you know, of needs. So the, the sticking on the vulnerability scans, okay, great, we check, we’ve got to go run these, but why the hell are you running them?
You know, well, you’re running them so that you have some type of a third party agnostic view of where is the organization in terms of low hanging fruit from a vulnerabilities perspective, both externally and internally. You know, the stuff that gets uncovered on those are, you know, pose risks to the organization, they can expose, you know, holes in your, in your patching methodology and approach, it can expose problems with your change control, it can expose a lack of institutional knowledge of available, you know, security patches or OS upgrades or firmware updates that need to be made, settings, changes around secure configurations, there’s a whole ton of reasons why it’s a great idea to do the to do these things. Honestly, very few of the organizations I work directly with are just doing a once a quarter scan. In many cases, they’re doing it at bare minimum monthly. In some cases, you know, they’ve got it down to weekly. So, you know, so there’s, there’s a lot of good things that can, you know, they can kind of come of it. But it’s too easy for, for companies to, you know, to kind of go back to their real work and forget to do those things that are operational elements that you know, that needs to that need to be done. And the last thing anybody wants to be, be in the position of is when it comes around time for the you know, the assessor to sit down and start at, you know, asking their questions, etc. You know, the last thing you want is for the assessor to be asking for something and everybody does the point right, you know, aka we don’t have it. But the minute that that’s our sort of thing starts to pop up on an assessment. And the assessors are going to start to, you know, start to ask more questions, right? You know, every time they do an assessment, it’s a, it’s really a risk, you know, a risk approach decision on, you know, is this organization compliant? 
And if they’re seeing signs that they aren’t doing what they’re supposed to be doing, they’re going to want to do a couple more I’s and, you know, cross a couple more D’s, if you will. So you’re actually shooting yourself in the foot, the grant, in the grand scheme of things for the audit, but more way more importantly, you’re shooting yourself in the foot for the kind of protection of your organization.
You know, the, the auditing, the audit process, it’s, it’s meticulous for anybody that hasn’t had the opportunity to go through it. You know, you’re collecting up documentation, you’re doing on site inspections, you’re, you know, doing live observations of business functions, you know, the, the assessors are actually very adept at, you know, spotting lapses, inconsistencies, etc. Their whole job is to, is to kind of hold all of these pieces of information that they’ve acquired through the, you know, through the assessment process and the experienced ones are extremely good at connecting dots between evidence that they saw two months ago and what they just put their eyeballs on and, you know, all sorts of things. You know, so if you’re failing to do your, you know, to do your quarterly vulnerability scans, you know, that and performing those functions, I mean, you literally the organization could be screwed. You know, what do I mean by that? Well, the in the context of PCI, you know, this this implies your organization could face some pretty severe repercussions for non-compliance. You know, some of the PCI controls are non negotiable for being able to get through cert. So, you know, I’ve had organizations where they oops forgot to do a scan and their assessor basically said, Okay, well, you know, you know, you are required to have four passing scans in order for me to go ahead and sign on the dotted line, we’re gonna need to wait until you got four passing scans, which means, no, no, no, depending on which scan you missed, let’s say you missed your quarter two, you’re talking about waiting around for six months to get two more scans that are 90 days apart from one another, etc. So, and when that happens, there’s a whole bunch of downstream ripple impacts, etc.
If you’re behind on your compliance, you gotta keep in mind that there are organizations which are going to depend on your organization to have its PCI paperwork done when it’s supposed to be done, because they’re dependent on it for their audits. So, if you’re a service provider and you’re provisioning services to compliant organizations, and they’re dependent on your AOC and your responsibility matrix, now, all of a sudden, your lapse in compliance is now rippling down to your client base with the inability to produce documentation to their assessors, which they’re rightfully asking for. Man, it can snowball fast. And it’s not a good situation for organizations to be in. You’re talking about clients that are having serious heartburn about, hey, where the hell you at, type of thing.
Well, let’s talk about that heartburn. What are some of the kind of real world ramifications of not maintaining your PCI compliance? Well, I mean, it’s not just a bureaucratic requirement. For any company that’s processing payments, you are mandated to maintain your PCI compliance. So the bank’s asking for your annual certification. I mean, the banks have gotten pretty freaking good with managing and maintaining their programs. So if you think they’re just going to forget about it or whatnot, in most cases, what I’ve seen is I’ve seen organizations, banks coming back starting to ask questions around the annual compliance, maybe a month before the reporting is even due type of thing, because they want to make sure that things are going to go according to plan and whatnot. If I had to go back to that scenario we’re talking about a minute ago with the, now I need to wait six months to get four passing quarterly vulnerability scans, you could be facing fines coming through your merchant account. Those fines are kind of levied by the card brands to the banks. And then they, of course, pass the costs along through to you type of thing. And it’s tough, you’re facing those issues. There’s a possibility, depending on who your processor is, that they will cut off your ability to process payments. I mean, can you imagine you’re an e-commerce business and you now have been, now you can’t process payments to be able to run your damn business. I mean, that’s, that could be significant, shall we say. You know, and we talked about it with the assessor, when you start running into these issues, they’re gonna snowball. You know, when you’re doing routine checks or random evidence requests and you can’t cough them up, the red flags start going up. The assessor starts asking more questions. Well, you know, what’s the, how could this possibly happen since you have a control that says you’re gonna run this quarterly? Where did it fail? And now they’re digging into your processes.
They’re digging into your human resources. They’re digging into, you know, management, oversight. You know, what are the, what are the other, what are the other controls that are, you know, that are provisioning oversight of this process so that you’re not in this position the next time. At the end of the day, the assessor’s job isn’t to fail people, right? They want people to be successful, but, you know, they also have a job to do and a real legitimate job to do in that, you know, they’re putting their name on the line. So they’re gonna take an approach of attempting to assist the organization with seeing the light and getting in place an approach that’s going to eliminate this possibility of occurring again in the future. So they’re really gonna start tearing into things and every time they’re, you know, every time they’re turning over a rock and turning over another rock and turning over another rock, because it’s things that, you know, things that you should have done that you didn’t, they’re gonna, it’s a real good possibility. They’re gonna uncover even more. If you’re already in the situation where, you know, you got a couple of oops and things along those lines, then you’re gonna, you’re really gonna have a, you’re really gonna have a process ahead of you, if you will. So, you know, you also end up adding workload to your, you know, to your compliance engagement. So where it otherwise could have flowed through smoothly, had your everything been buttoned up, and you had everything ready to go, and you did all the things you were supposed to do, etc.
You know, now you’ve got a, you know, they’re going to ask for additional evidence and, you know, and want to double and triple check some other things, etc. So it’s almost like a domino effect, you know, this one failure, two failures, now starts blending into their heightened sense of wanting to, you know, make sure that they understand what is the risk, you know, of them signing off on this paperwork. So you’re going to end up stealing a bunch of time into, you know, into the audit as well. And it doesn’t stay just within the organization, it starts to affect your, your relationship with banks, customers, partners, prospects, etc. What happens when the organization comes and says, okay, we’re ready to sign this gigantic agreement, blah, blah, blah. Just throw me over your security and compliance paperwork and you’re like, you can’t do that for five months. What do you do then? So all the way around, you’ve got the interest that there are parties we touched base on where they have dependencies, those could have a direct ripple impact, you could be losing business from that perspective. Certainly anybody that needs to, from a security perspective, with any business relationship at the base of it is trust. They trust that you’re gonna fulfill your obligations and they trust that you’re on your obligations to protect the information they’re trusting with you.
So the minute you start seeing those red flags with a company, and it could be as simple as their compliance is delayed. Well, what the hell? Why is it delayed? They’ll start asking questions. The trust starts to erode and whatnot. So it really starts to have a good number of kind of ripple impacts into a wide variety of elements of the organization.
Yeah, that tracks. Now, can you explain to the listeners how kick-ass compliance management systems help organizations manage their operational compliance? Yeah, well, one of the things that we’ve been talking about in here is these organizations that are, oops, forgot to do this, or I didn’t do that, or whatever it may be. And quite frankly, that experience I had for the first several years out in the field was the reason why, as soon as we stood up the TCT portal, one of… literally the first major improvements that we made to the portal was to implement what we call operational mode. Operational mode effectively is where all of those periodic requirements of things that need to be done every day, every week, every month, every quarter, twice a year. Those items in operational mode are literally served up through the compliance management system to the target organization. So in other words, and this is made even more complicated because right now we’re in the waiting what, six months or so of 3.2.1 being acceptable and everybody needing to move over to PCI v4 as of kind of April of next year. And so, you got a couple of complicating factors here even for those that are seasoned. But, you know, being able to stay on top of that, it is just, it is such an absolute relief to be able to know we’ve done what we need to do. We’ve attached the right, you know, the right evidence. We are on track with what we’re supposed to be doing. And you don’t, you eliminate the notion of things go, well, I mean, I suppose there’s a possibility that everybody decides to put their fingers in their ears and go la, la, la, la, la and ignore their compliance management system. You can’t stop that. But as long as the organization is actually using the tool for its purpose, you know, then, you know, the operational mode will, you know, will provision reminders.
So the way it works is, you know, kind of a couple of weeks before the end of the quarter, the system will wake up and it will start sending out heads up to all the various members of the team. Hey, heads up, you’ve got these eight items which are coming due in the, you know, into, you know, which are coming due in two weeks. You can start taking a look through your items, preparing, you know, and dotting your I’s crossing your T’s, making sure you got what you need, you know, etc, come the due date.
Then the team starts to literally provision evidence. So we’re in PCI, the bucket for the quarterly vulnerability scans is effectively one bucket, right? What the operational mode does is it breaks that one item out into four. It splits it into quarterly submissions for the vulnerability scans, and each of those pop up when they’re supposed to throughout the year. And your internal compliance manager can use the TCT portal to basically see where we’re at. Do we have anything left open? What do we need to do? Who needs to do it? Is it done yet? You know, has this, you know, kind of passed, passed up the workflow, you know, things along those lines. So you’ve got all of those capabilities right at your fingertips. And, you know, especially with the move to v4, you know, all of the items that were operational mode items under 3.2.1 are still going to be a thing. But there’s also some new items within, you know, within the PCI, you know, v4 arena, maybe actually one, one thing for you and I, we can, we can go through and make another, another topic as well.
That’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.