Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Automation for PCI-DSS Compliance Management for Franchise Corporations


Quick Take

On this episode of Compliance Unfiltered, the CU guys give the listeners an inside view of PCI compliance for Franchises, and how best to tackle it. You’d be shocked how many large organizations are still dependent upon disjointed manual processes. Adam shares how automation at that large of a scale is such a game changer and why not just relying on your assessor’s tool set can mitigate a TON of headaches.

All this and more on this week’s Compliance Unfiltered!



So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Bob to your compliance big boy, Mr. Adam Goslin. How the heck are you, sir? Haha, I’m doing good, Todd. How about yourself? Man, I can’t complain. Today, we’re going to have ourselves a conversation about making PCI DSS easier for retail and restaurant corporations. Now, at a high level, why is managing compliance in a retail or restaurant setting so challenging, Adam?

Well, for a lot of the restaurant retail organizations, you’ve got to remember, they’ve been managing PCI for decades, in some cases. Back in the day, the compliance management was being done manually, and typically, they had to start with tracking it through spreadsheets. Everybody knows how much I love a spreadsheet for compliance management. So, you know, through the years, the same spreadsheets are passed along. It’s kind of like, I don’t know, it’s almost like a you-got-the-compliance-not-birthright or something that just gets inherited and inherited and inherited along the way. And it’s no wonder that everybody in these organizations who gets the joy of being involved in compliance is just dreading it. In all likelihood, it’s a spreadsheet, maybe it’s some hodgepodge of internal systems for collecting and storing and tracking evidence. There are challenges for getting people to actually follow the process and follow guidance, etc. And at some point in the game, enough is enough. You start looking for some type of a tool, a compliance management tool, that’s gonna ease the pain with the notion that there’s gotta be a better mousetrap out there. There’s a lot of options available to any organization, but not every solution’s a good one. In fact, a lot of the options are going to increase time, increase labor, increase money that you’re wasting on compliance management. So, you know, you wanna make a choice that’s gonna yield more efficiency, be more effective and even more profitable.

Completely understand that. Now, what are some of the internal solution challenges these companies face? Well, when they decide to go with the internal system, whether it’s the spreadsheet, whether it’s the hodgepodge, you know, etc., there’s this notion that organizations go into it with, hey, we’re gonna end up saving a whole bunch of money by not paying somebody for a tool, so we’re saving money, you know? And honestly, I have seen every frickin’ kind of homegrown compliance tool you can imagine. I’ve seen spreadsheets with unbelievably complicated macros. You know, I’ve seen cobbled-together ticketing systems. I’ve seen, you know, where it’s like a combination of ticketing systems and drop zones all over the damn place for putting files. I’ve seen, you know, internally developed software applications, where they literally from the beginning said, screw it and, you know, I’ll write my own, you know, type of a thing, with the notion that, hey, we have people that can code, so let’s just go have them make this, type of a thing. I’ve seen folks that have leveraged, like, Access databases that they, you know, kind of hodgepodge together with some code. I mean, in every single case, literally every one of these systems is more costly than needed, and more trouble than they’re worth. You know, the reality is that building your own system takes more time than you think. It always requires ongoing maintenance updates. You know, you’re dealing with bug issues and blah, blah, blah. So you’ve got a bunch of different problems, right? You’ve got compliance people that are requesting new features and functions, you’ve got new bugs that are discovered that need to get fixed, you’ve got the system that needs to be either set up, or reset every time you’re going year over year on your compliance cycles.
You’ve got the vulnerabilities that can be popping up in your own homegrown system, you’ve got compliance standards that change that require then gutting, revamping, redoing of whatever method or approach or methodology you were leveraging. If you think about PCI, at this very stage of the game, we are scant days away from PCI 3.2.1 no longer being a thing, and everybody must do PCI 4.0. Well, yeah, by the time this goes out, Adam, that will already be a thing. Yep, yep, exactly. But, you know, we interact with a great number of assessment firms, and I can tell you, boy, they are just, their world is very, very busy, as we’ve been, you know, heading headlong toward the PCI 3.2.1 sunset. You know, the entire structure of the compliance framework changes, the language of the requirements changes, requirement guidance changes, you know, it’s utterance. So when you’re using that homegrown system or hodgepodge system, you know, you literally need to just go and turn around and hit the reset button and start over, you know. And then, by the time that you’ve gone in, hit the reset button, done all of this work, etc., another two or three iterative modifications have already been made to the standard. You know, in the case of PCI 4.0, there have been incremental updates, minor revisions, additional clarity, all of which are causing, you know, all the organizations to go and waste more time, you know, reviewing the updates and then integrating them in, you know, blah, blah, blah. Even for minor system tweaks, bug fixes, you know, you’ve got to have somebody that’s standing by that can manage and maintain that internal compliance system, and those resources aren’t cheap is the funniest part about it. You know, you’re talking about, in many cases, people that are in IT that, you know, carry heavy, heavy price tags, etc. And there have got to be higher priorities in the queue.
Do you want to know what would be a brilliant idea today? Let’s go and revamp our effin’ internal compliance system. You know what I mean? And it’s like, meanwhile, your compliance team is bitching because, you know, they’re dealing with whatever they’re dealing with while they’re waiting for this stuff to be done, and oh, it’s just an absolute crap show. These troubles are why many of the retail/restaurant-style organizations will look to some type of a third-party solution, and oftentimes, it’s a GRC.

What about the option to use a GRC system as a bolt-on for compliance management? Well, in a GRC system, you know, these are gigantic-volume systems, right? They, you know, have the capability to consolidate your HR, and your contracting, and vendor management, accounting and a whole ton more, right? Every single one of these GRC systems has another bolt-on that you can go and pay for to, you know, make your world even more integrated to the GRC. You know, there’s a lot of those GRC solutions that have some bolt-on module for PCI, you know, type of thing. But, you know, the downside is that security and compliance is just one of maybe a hundred or more components they may have in their suite of bolt-ons. It’s kind of obvious, but just because I’m a GRC system or a GRC solution provider, it doesn’t mean that I specialize in compliance management. It means that I went and I tasked my developers to go write something that’s going to, you know, check this box, you know, and so on. It incorporates, you know, your compliance information into the, you know, into the gigantic machine, but a lot of the compliance managers find that their GRC bolt-ons for PCI are clunky. They don’t streamline or simplify anything, you know, of any particular substance. The flip side for the GRC-style solutions is, they are astoundingly expensive. You know, not only is the system costly, you know, corporations end up paying a lot for the additional professional services that they need for initial configuration, for ongoing care, feeding, management, hand-holding. You know, roll out this monstrosity, etc. And if you have anything like special projects, special functionality, you know, that you need to integrate, then you’re doing something akin to, you know, working behind the scenes of the Wizard of Oz, where you have some skilled, you know, individual who has to know which of the levers to pull in what order and blow from behind the sheet.
The rollout of these systems, the GRC-style solutions, it’s something that takes at least months. And I’ve heard from many organizations, ultimately years, you know, to go ahead and roll these things out, you know, to hire somebody special. Yep, yep, yep, you need somebody with expertise, often somebody with expertise in managing your GRC system choice, you know, etc., on top of the need for the professional services, etc. You know, and what it does is, the poor compliance people that are just, I mean, literally one of the lowest elements in the freaking totem pole of things that are needed while we’re rolling out the GRC solution, it just leaves the compliance people, you know, wondering what are they going to do? They’re going to keep using their freaking spreadsheets and homegrown systems and, kind of, you know, hoping or praying that something, you know, better comes along once this is done. The reality is that oftentimes they’re left wanting for more once they finally get to the promised land of the compliance bolt-on GRC solution.

Well, what are some of the advantages of using a compliance management system like the TCT Portal? Well, you know, the one thing that the listeners need to understand is that the TCT Portal, it’s an automated platform that’s designed by security and compliance experts that understand the pains of PCI compliance management. The system introduces efficiencies, and effectiveness, and cost savings for, you know, franchise organizations that they haven’t been able to achieve. It really pays dividends to leverage a purpose-built system for compliance management, rather than somebody else’s afterthought. It’s a huge difference, you know, and here’s some of the biggest elements, right? When you’re using TCT Portal, you know, as an example, when you decide to go sign up, I mean, we can literally take an organization from signature, to kick-off call, to start-up, all that fun stuff. I could, depending on what they need, I could literally have them running on the platform the same day. I could, you know, oftentimes, we got to go in and do some tweaking and setup and testing and training. But I’ve had organizations literally sign on the dotted line, you know, in the morning and be working in the afternoon. It’s quick, you know, we’re not some behemoth platform that’s focused on 18 million other things, where it takes a while to get through to us and get things done. It’s a fast process and we can move quickly to help people get through it. When it comes to just PCI compliance and the efficiency you get there, when you’re using the TCT Portal, we have integrated the guidance and examples of things that should be submitted. There’s also the clear benefit of having reference within the portal to what they did last year.

So, in a franchise location scenario, they often have astronomically high turnover from their prior year. So if you’ve got these new people coming in, it’s like Groundhog Day every year. I don’t even know what was submitted last year, so now you need to go in and do retraining, etc., to get this person up to speed. Within TCT Portal, you’re able to literally reference the evidence that was leveraged for your location for the prior year. It’s right at your fingertips, sitting right there. It’s funny, but oftentimes for organizations, especially when they’re doing PCI in a franchise setup, oftentimes it’s like, I feel like I’m pulling a cartoon reference here, but it’s compliance season, wabbit season. But they get into this mode where it’s like, okay, we’re gonna go heads down, we’re gonna go do the compliance stuff, type of thing. And it only pops up, what, 10 months later? After I wrap it up, then 10 months later, they pop out of the woodwork, asking for the updated evidence, right? These people, this is 10 months ago, they don’t remember what they were doing, hell, they gave it to you last year, even if it’s the same damn person, right? And so, you know, because we’ve got all of that activity saved, they can similarly go in, see what they did last year, you know, and all of this means less rework, less hours blown on training, quicker task completion, more efficient evidence reviews, because you’re not getting garbage going through the system. You know, we talk about cost savings. You know, one of the biggest efficiency gains on a compliance engagement is the total time that you save across the breadth of all of your locations. It adds up quickly. You know, before you know it, your retail restaurant location corporation has saved, you know, hundreds to thousands of man-hours in a year. And that really translates to tens of thousands of dollars a year, if you’re using the TCT Portal.
Retail restaurant corporations using those GRC solutions we talked about earlier, you know, they’re spending more, you know, on just service fees for their GRC than they would on the entire cost of the rollout of TCT Portal. You know, franchise organizations recover, you know, so much wasted money that, you know, we set up the pricing so that, basically, it’d be foolish not to, you know, not to go ahead and leverage it.

You know, for the folks out there, we do have on the website some ROI calculators, you know, out there. If you go to www.gettct.com, go to resources, then you’ll see ROI calculators in there. And you can go in and kind of punch numbers in yourself and kind of get an idea of how much you’d be able to save. And in the grand scheme of things, we also achieve greater compliance effectiveness. You know, the compliance management system, you know, a lot of organizations will look at this tool as something that’s only helping the compliance manager. Well, why the hell would I go buy this tool? And, you know, it’s only helping this one person or these handful of people. You know, a good compliance management tool is gonna make everybody’s life better. It’s not just the compliance people, but it’s anybody that has tasks related to compliance that is gonna benefit from a quality compliance management solution. The task expectations are clear, assignment allocations and comprehension are straightforward. The line item activities are being completed faster across the board. You know, the rework and duplicate efforts that would typically be associated with compliance disappear over time, especially for the compliance people; that becomes rare. The retail and restaurant organizations that use TCT Portal, they have more engaged compliance personnel that are, you know, participating more actively and paying more attention to the quality of their work.
There’s so much less noise on the engagement that they’re actually able to do a far better job. And because those compliance activities for PCI are so much less painful, you know, they’re able to give more of themselves to the critical work of compliance management. And it’s critical because, at the end of the day, the success of the protection against cyber attacks, you know, against things going bump in the night, against bad actors, you know, really depends on everybody’s human effort and vigilance within the continuum.

Any bonus benefits to be had? Well, the one huge bonus is, and this will make the compliance people and anybody that’s been involved with submitting evidence, you know, smile a little bit, is, once you get into leveraging something like the TCT Portal, a really good compliance management tool, once you’ve gotten through your first year and even when you’re going through your second year, especially when you get into your third year, you’re gonna start noticing some fun changes in terms of your personnel. You know, they begin to display a different attitude toward organizational PCI compliance activities. I mean, I got a couple of people smiling, but, you know, it’s these people at the retail restaurant organizations, everybody just kind of groans. Oh god, it’s compliance season again, you know, type of thing. Don’t get me wrong, nobody is gonna start whipping confetti, turn on the disco balls and all just because it’s compliance time, you know, but in the same sense, they’re not going to be dreading it. The reality is, when you’re using a tool like this, it’s just so much better, it’s so much easier. The morale of the personnel will go up, responsiveness to their assigned tasks will go up, because there are a lot of people that will put off what they don’t like, you know, or what they perceive to be painful, and, you know, if it becomes less painful, guess what, the people that you’re asking for these inputs, you know, they’ll do it faster, because it’s easier. Stress levels go down, you know, certainly, these are things that you’re going to see across the board, you know, but most certainly, you know, the lives of your poor compliance people, you know, are going to get noticeably better. You can expect to see that noticeable difference in company culture during compliance season. And, you know, it’ll be a stark contrast to kind of the dark memories of the past.
You know, that type of a culture change, you know, really has a measurable influence on supporting minimization of employee turnover rates, as it relates to their stress and things along those lines. It’s not like the compliance management tool is going to solve all problems, but in the same sense, we definitely don’t want to be making things worse. We want to make improvements.

Parting shots and thoughts for the folks this week, Adam? Well, long story really, really short, move your organization into an arena where people can stop dreading PCI compliance season. If you’re wanting to improve efficiency, improve effectiveness, improve cost savings of your engagements, stop blowing and wasting and burning time left, right, and sideways with a ton of frustration and stress, then you’ve got a number of options that you certainly can consider. Most of those elements for consideration are going to fall into one of these critical areas. The reality is that TCT Portal is a good, solid compliance management tool and is going to deliver across the board. You know, you don’t want to be dreading PCI. It’s miserable. Part of the reason why I founded this organization, why I wanted to help people make compliance management suck less, is that I’ve lived the hell that listeners are kind of nodding about as they’re listening to this pod. I’ve lived it personally. I then turned around and I watched it firsthand across dozens and dozens of organizations struggling through compliance management, where I was trying to help them navigate the water. So, you know, all of that pain, you know, really was the real-world input that was the foundation of what is now the TCT Portal. The really, really cool part about the TCT Portal is that we are an organization that pays very close attention to our clients, their needs, what they want, what features and functionality they are seeking. And at this point in the game, as we’re recording this pod, we are coming up on nine years of the portal. We’re in the middle of our eighth to ninth year right now. What does that mean for the listener? That means you’re working with a platform that has more than eight years of compliance people leveraging this compliance tool, and providing their own inputs and their own suggestions and recommendations for feature enhancements, etc.
It is really, really rewarding to see the level of interaction that we have with our clients, and the ways that we’re able to help them navigate the world of compliance and make it suck less.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
