Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Making PCI-DSS Easier for Retail and Restaurant Corporations


Quick Take

On this episode of Compliance Unfiltered, the CU guys serve up a steamy helping of podcast for you, as they dive into the topic of making PCI-DSS compliance management easier for Restaurant and Retail organizations. Adam will cover, at a high level, some of the challenges facing these organizations, both internally and externally.

The guys will go over some of the pitfalls of large, bulky GRC tools pitching their add-on compliance modules. Adam will also cover the advantages of using a system optimized to make your life as a compliance professional easier.

All this and more on this week’s Compliance Unfiltered.

Remember to follow us on LinkedIn and Twitter!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the man, the myth, the legend, Mr. Adam Goslin. How the heck are you, sir? I’m doing good, Todd. How about yourself? I can’t complain, I really can’t. Today we’re going to talk about the best tool for PCI DSS compliance management, specifically for folks in the franchise corporation world.

Now, what are some of the high-level reasons managing compliance sucks for a franchise organization, Adam? Well, you know, if your corporation is using a franchise model, then you have a tremendous amount of complexity to deal with as you’re navigating PCI compliance. Honestly, my heart goes out to any of the compliance managers that are trying desperately to keep the engine running while they’re holding it all together without the right tooling and only the sheer will to somehow survive the annual compliance cycle. It is absolutely effing miserable trying to hold this stuff together without the right tools. There’s a lot of complexity in trying to manage PCI engagements, period, but not only do you have all the challenges of managing compliance for the organization, a.k.a. corporate, but every single one of the franchise locations is its own silo that you now have to get the joy of going and coordinating with, you know, as you’re going through the, you know, through the gauntlet, if you will. You know, a lot of the challenges in this space are coming down to coordination and orchestration of the overall engagement, making sure that people know what’s needed and when they need it. You know, managing, or wrangling as the case may be, you know, evidence submissions and the associated status: who’s got what, whose hands is it in, did they submit it? Blah, blah, blah. You know, with the right compliance management tool the work is streamlined, it’s manageable, but if you’re like a lot of the compliance managers out there, you don’t necessarily have all the tools that you need to do things appropriately. It takes a lot of coordination, brain cells, human effort to keep PCI engagements running smoothly and on track. Honestly, for leadership at these organizations, I don’t think they have a clue how many dimensions of hell their compliance people go through to pull off the annual exercise. But with the right compliance management solution, you can do it successfully.
You may even be able to get a good night’s sleep. It is astounding the difference between those worlds.

But what about the people still clinging to their amazingly complex spreadsheet systems, and macros, and homegrown systems? What about those guys? Well, the reality is that spreadsheets are available and easy to learn. They’re also flexible. So you can use macros. You can link multiple tabs to one another. You can make changes on the fly as you need to go through the process. So because these spreadsheets are so familiar, anybody on your team can go ahead and get plugged in and get into the workflow and blah, blah, blah. You don’t have to give them hours of training on a new system or purchase additional licensing when you’re bringing new team members on board. So those are all some of the reasons why they’re popular. Certainly for smaller organizations that are compliant with a single standard, they may be able to get away with a spreadsheet. But we’re talking about… large organizational structures that have complicated, complex security and compliance needs. Under that scenario, the spreadsheets are really doing more harm than good. They present numerous drawbacks that hinder compliance management efforts. So you’ve got issues like security vulnerabilities inherent to spreadsheets, even if you’re whatever password protecting them, those are readily bypassed. You’ve got fragility of the data protection. You’ve got people going in, editing spreadsheets, writing over somebody else’s stuff, copying and pasting a whole bunch of cells into the wrong, information into the wrong cells, possibly blowing away or deleting entire spreadsheets. Particular sheets out of there, if not, blasting columns or rows that they shouldn’t. And one of the big problems in this world is that if you don’t spot the spreadsheet error, when it happens, then now I’m on a wild goose chase for what went wrong and you did what and trying to piece it all together. Meanwhile, the sheets had two, 300 other updates to it in the meantime. Nobody likes to be there. No, that’s not fun. 
You’ve got usability issues. Certain people will dread using spreadsheets because when you’re dealing with something like compliance management, it’s a continuously escalating level of pain that, in many cases, people just kind of got used to and or it just became the norm that, well, we’re going to be doing what we did last time around, you know, type of thing. So they just go pick up the spreadsheet and start, you know, put the bit in their mouth and pull it. Exactly. You know, you’ve got collaboration issues. So if you’re allowing multiple people to contribute to the spreadsheet, now you’ve got all sorts of version issues and version control problems. I mean, this is the same issue, even if you’re using a shared sheet on SharePoint or something along those lines, you’ve still got the issues with collaboration and people blasting each other and blasting each other’s updates and all sorts of fun stuff.

Project management is one of the biggest headaches when it comes to spreadsheets because a spreadsheet isn’t, it’s not designed to manage a project. It’s a set of data. And so something as simple as whose hands is this particular line item, whose hands is it in? Is it in the person that I’ve requested the evidence from? Did they send it and submit it to whoever asked to review it next? Did they pick it up and, you know, review it? Did they reject it? Did they approve it? Did it go to the assessor? Did the assessor look at it? Did they reject it? You know, there’s all of these various status points in the continuum of the workflow, and right now we’re only talking about one single individual line item. And again, you go back to this franchise arena. I have hundreds of line items for corporate alone, let alone the fact that I now have additional evidence that’s needed across all of the franchise locations, you know, and I may have, you know, I may have dozens or dozens or hundreds of these locations where I’m managing compliance across. It’s unbelievably complicated, especially in a spreadsheet. You know, if you’re using spreadsheets for managing compliance, either you’re doing it because you don’t realize there’s another option or you’re just a glutton for punishment. You know, there are, there are a number of other options, you know, that people have out there, including using their, using their assessor systems. Now, why is it not a good idea just to adopt usage of your assessor system? Well, a lot of the assessor firms out there, they’ve got their own proprietary, you know, systems out there. Well, let me back it up a little bit. Why is it not a good idea to use the assessor system? Well, unless they’re already an assessor that leverages TCT Portal. We’ve got, you know, about three dozen of them that do. You know, in that case the organizations could pick up the licensing themselves.
There are few organizations that realize that since we support companies going through compliance and the assessors, if an organization decides that they want to pick up the licensing for themselves, they can pretty easily switch the licensing over. But going back to it, a lot of the assessment firms are using their own proprietary system. They view their system as some competitive advantage that they’ve got. And so they want to use their own proprietary system to manage their compliant engagements. And as the organization that’s going through compliance, it makes some sense, right? You don’t have to purchase any software. It may be easier to use than the clunky spreadsheet approach that you’ve been using. But and comparatively it appears there’s a lot of upside, to go ahead and use it. But buyer beware, right? Be aware of the compromises that are being made there. When you’re using the Assessor’s Proprietary Compliance Tool, you lose the notion of having your own organized repository for your own compliance data.
The firm that you’re leveraging is the one that controls the data that you provide to them. And you’re only gaining access by logging into their systems or making a request for some extract of the information. Meanwhile, within your own system, within your own systems and how you store your stuff, etc, oh, you still got evidence that’s all over a hell’s half acre. You know, it’s disorganized, it’s sprayed across multiple drop zones, network drives, file shared drops, emails, etc. And so every freaking single year, internally, you’re starting from a disorganized mess, and then loading it all into your Assessor’s system to go make it easy for them, right? It just doesn’t make sense to do it that way.

The one thing that I would, I’m here to click it or something on your end just so you know. You are. Remember that for, remember that for the organization going through it, that it’s your information, it’s your data.
You own your own compliance information. And yet, the only way you’re accessing it is if you stay with that assessment firm. That’s a lot of times with these assessor firms and the proprietary software block, that’s kind of part of their schtick, right? They’ll put it under the notion that they, oh, well, this gives them a competitive advantage. And yet, they kind of use it as a, kind of use it as a bat to keep the organizations with them because they don’t want to have to go through the hell of switching, you know, type of thing. You know, but sometimes things happen, you know, sometimes you want to, need to, you know, switch firms. Maybe your organization gets a new parent company and they want to, they want to move you over to this other firm. Maybe there’s the, your, you know, assessor that you’ve had for years and years and years, you know, retires and the new person is, you know, you don’t like them as much, you know, whatever. If you have the situation where you need to switch firms, then you’re leaving all your data nicely, cleanly, neatly organized on their systems. And sure, you can go ahead and request an export file. But just because you get the export file doesn’t mean you can immediately turn it around and just load it into your next system. It’s in some format. It’s usually going to be like a dump of files and maybe like an Excel sheet that tells you what’s what. It’s going to still be a jumbled mess. While the compliance management tool for the assessor is better than spreadsheets, it’s still got its own limitations.

So what are some of the advantages of leveraging the compliance management system like TCT Portal? Well, for corporate organizations with franchise locations, the TCT Portal is basically an ideal compliance management solution. You don’t have the convoluted issues that you have with spreadsheets. You stay in control of all of your information and data. One of the things that I will often guide particularly the organizations that are going through compliance is, go ahead and at the end of the day, just tell the vendor where you’re going to review this through our system type of thing. At the end of the day, they’re a vendor. At the end of the day, this is your compliance management approach. See if they will leverage your system for reviewing the information and the data. That way, you can keep it all within the one singular system. Certainly, if we do have anybody out there that’s looking for a good assessment firm to work with that we happen to know uses a freaking amazing tool, then we will absolutely go ahead and give good referrals and recommendations to organizations.

But from some of the benefits of leveraging TCT, we get the capability to make PCI understandable. Your franchisees aren’t technical people, generally speaking. They need to send technical inputs and evidence from their stores over to corporate. And so a lot of times they’re asking for clarification and or sending the wrong data to you, which means it needs to now be rejected. And then they need to turn around and resend it, etc. A quick way to, it’s a quick way to slow down progress and put your compliance engagement way behind schedule.
Especially when you’re dealing with these dozens or hundreds of franchise locations, it’s a nightmare. But in TCT portal, we give the organization the capability to provide a plain English explanation of exactly what they need, examples of what they need. I mean, it makes it easy for everybody that’s involved in compliance to do their evidence collection, to do their evidence collection and understand exactly what’s required. You can get the guidance examples all right there so they know exactly what they need, how they can get to it. The quality of their submissions goes way up. In the blown time at the franchise level and at corporate, both of those go south. You know, go south, i.e. improve type of thing. We’ve got the capability for customized certifications within TCT portal.

So there are over 500 different items on a PCI engagement, but your franchisees only need to deal with a small handful of that 500. And if they’re sitting and staring at the breadth of PCI, it can be really overwhelming to kind of wade through that to just get to the stuff that they need to do. So TCT Portal allows the corporation to create that customized data collection list that only includes the items that they wanna dole out to the franchisees, written in a way they’ll understand, with all the custom guidance and examples in there, and that list that we can then map back to the corporate PCI engagement behind the scenes. The submitted evidence that comes up against that custom data collection list from the franchisees is automatically passing straight through to the corporate PCI track, landing exactly where it needs to be, and nobody needs to mess with it. It’s heavenly, if you will. Status at a glance. One of the hugest problems on seriously complicated engagements, we were talking about it earlier, was just trying to figure out where is stuff at? Whose hands is it in? What status of the workflow is it in, etc. Organizations will blow, burn an astronomical amount of time just trying to figure out where we’re at. And, I thought you were going to use it, but, you know, but, you know, the coolest part about using a system like the TCT Portal is that status is live. It’s live. I don’t need to, you know, go and spend hours and hours trying to prep for status meetings. Instead, all I do is I go, I log in, I pull up my dashboard and bam, I know exactly who’s got it. Whose hands is it in? Did they submit it yet? You know, did it get rejected again? You know, whatever.

So we’ve got all of these capabilities for live status. We also have the ability to customize up the workflow. So it’s one of the big things that’s kind of unique about TCT. We built this system to meet the needs of the varying types of organizations that we work with. On your franchise tracks, you can configure the workflow so that it works for your business. So if you want the evidence to go from the franchisee to some type of an internal QA department, and or through your internal compliance department before it goes to a compliance consultant, before it goes to your assessor, no worries. We can go ahead and kind of set up the workflow as you would like. That’s such a critical piece because so many of those different organizations are aligned differently, or they have different naming conventions for different roles and the ability to kind of customize that approach. That’s a game changer. Yeah, well, and then on the corporate, so on the franchisee side, they can do all their internal workflows, however they need to or want to. And then on the corporate PCI track, you can similarly set up the customized workflow for your needs as well. You can flow it to your compliance team, which flows to your internal QA team before it goes up to the compliance consultant or assessor, you know, etc. If your assessor’s bolted in, they could flow it to their QA department, you know, and then flow it to complete.

So, you know, oftentimes we’ll give guidance to the organizations, you know, that they actually can have their assessors reviewing the items within TCT Portal, you know, instead of having to use the, you know, the assessor proprietary systems, like I said before, you know, so that’s a huge area. Historical tracking. you know, because of that, we talked about it earlier, the high turnover that’s in the, you know, in the franchise locations, you know, there’s often really spotty consistency from year over year in terms of who did what for PCI. And the, you know, the often, often the assigned person is the, it’s their first time. You know, the big benefit of the TCT Portal is it’s an organized repository for your organization, which means that you have direct line of sight to what files were provided last year, what evidence was provided last year. You can see the screenshots and see what systems they grab, you know, grab the screenshots from that worked, you know, for, you know, last year. You know, it’s clear understanding exactly what’s needed, you know, whether, and we talked about this last time, or sorry, a little bit earlier in this discussion, is it doesn’t matter whether it’s a newbie that, you know, that’s now coming into the compliance arena, or it’s the person that did it last year, but did it 10 months ago and doesn’t remember what the frick they did. You know, if you think about how many people you have on these engagements that are gathering and provisioning evidence, you know, you’ve got, you know, dozens or hundreds of people that are tripping through workflows, making the same mistakes that their predecessors made the prior year, blah, blah, blah, you know, it just absolutely annihilates efficiency, you know, across the, across the entire organization, both for the franchisees and for corporate. 
You know, in the, in the last element, you know, kind of in terms of the benefits of the, from a portal side of it, is we literally, we got, we got into this space to help people make compliance management suck less.

And so as a result, we priced the, the TCT Portal basically so affordably that it’s a no brainer decision. We’re not trying to go to the Bahamas on the backs of a single organization. We’ve got companies out there that are literally saving tens of thousands of dollars a year and have the capability to streamline their compliance efforts by as much as 65%. That’s massive. That’s massive.

Parting thoughts and shots for the folks this week, Adam? Well, when you’re operating your compliance through something like TCT Portal, do you have one single tool, one single place, one single location where everything happens and goes for your PCI engagements? It is night and day from… the spreadsheet hell from the internal tool, the buckles, you know, etc, the multitudes of drop zones, you know, and, and, and, you know, you have capabilities for a ton of things when you’re leveraging the portal. You’ve got the ability to automate the collection of evidence, spend less time on interruptions and handholding the workflows are streamlined. You get the full breadth of your entire compliance management engagement now becomes manageable. Go figure, you know, I mentioned it earlier that I talked about, you know, I’ve talked earlier on this one and in prior pods about, you know, when we launched the TCT Portal back in 2015, you know, that was, you know, that was basically since that time, we have taken the feedback of our existing clients very seriously. The TCT portal at this point in the game has more than eight years of improvements and efficiency built into it. The way that folks that are struggling with their compliance management should look at the TCT Portal is that you’re going to gain the benefit of all those years of integrated improvements. But if you come on board, you now can be part of the solution. In other words, if you have good ideas for things that features that you’d like to see for managing your compliance engagements, then you can go ahead and submit those to TCT. You know, we’ll integrate your recommendations and improvements into upcoming, you know, functional releases of the platform. So, you know, you literally have the capability and the opportunity to, number one, take advantage of a tool with a ton of capability, but also to… make those suggestions. 
And the last piece that I’ll say, you know, on this is, for anybody that, you know, that’s kind of, you know, coming into the mix and trying to, you know, trying to get their arms around a compliance management tool, especially for those that are leveraging TCT, I would strongly suggest to them that, you know, ask the TCT team, hey, can your system do fill in blank? You know, we’ve tried to make the interface of the of the TCT portal as, you know, kind of streamlined and easy to use as humanly possible, but it belies some of the, you know, advanced capabilities of this platform. So generally speaking, most of the time when people are saying, hey, can your system do fill in the blank? Our answer is generally yes. And if it’s not, and you know, it’s existing active client, long as it’s good for the overall portal, we’ll go ahead and get it built in.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we help to get you fired up to make your compliance suck less.
