Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Managing Compliance In the Retail Space Seriously Sucks
Quick Take
On this week’s episode of Compliance Unfiltered the CU Guys chat at length regarding the challenges of managing compliance in the retail space. *Spoiler Alert* It sucks.
Curious why it’s so tough? Wondering how organizations can adapt and overcome? Hoping to find some strategy to help you combat your challenging compliance issues?
Well, you’re in luck – all these answers and more, on this week’s Compliance Unfiltered!
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the Zamboni to your compliance ice rink, Mr. Adam Goslin. How the heck are you, sir?
I’m doing great today, Todd. How about you?
Man, I can’t complain. I really can’t. You know, we’re going to talk about something today that hits home for a lot of folks, and that is for those in retail, and we know you’re going to be nodding your heads here, managing compliance seriously sucks. Now, Adam, you’ve been involved in compliance management engagements as a participant, as a consultant alongside assessors, and even done a Level 1 PCI ROC quality assurance before. At a high level, why is the retail environment so challenging?
Well, I mean, running PCI, you know, running a PCI engagement, I mean, everybody’s going to be nodding their heads on this one. Just try to run a PCI engagement for a single organization with a relatively simple scope is, is, uh, has carried its own plethora of challenges. But, you know, when you’re running, you know, when you’re running a PCI style engagement or any compliance engagement for a, like a national retail chain, it’s, it’s a, an exercise in barely organized chaos. Um, you know, managing compliance means it’s a hundred, it isn’t like fives of hours or tens of hours. We’re talking about hundreds to thousands of hours across, like, across you, your, you know, your, your direct team, you know, your other participants, etcetera, I mean, there’s literally thousands of hours getting blown, you know, hunting down evidence and cleaning, you know, cleaning up after, you know, different kind of permissions issues and nagging people to get their stuff in and having to coordinate with a really, really broad, uh, spectrum of, of folks that are involved in the overall process, uh, you know, explaining again and again and again to, you know, such and such or so and so’s manager, why, you know, the, the compliance spreadsheet, you know, uh, shouldn’t be in last year’s folder, you know, and, and, and, and, and, um, you know, the, the, the role of the, of the person that, that heads up the, the compliance engagement, it’s critical for the organization, but it is an absolutely daunting exercise. Um, you know, every new store and, you know, every turnover in the field and every missing piece of evidence is, you know, turns, you know, turns something that, you know, should be, uh, you know, kind of straightforward process into just a, a fractured mess, uh, you know, across the, across the organization. I mean, you know, the folks that are listening to this and nodding their head because they felt the pain before.
And, you know, honestly, you see the pain first, firsthand, if you’re going through it, you see the pain, uh, you know, uh, in a, in a secondary manner, if you’re a consultant or an assessor, whether you’re, you’re, you’re poor soul, that’s the primary contact is, is dealing with it. Um, you know, but it is a common story in, in retail, uh, you know, that, that it is an astronomically, uh, you know, challenging environment. It’s just, there’s a, there’s a lot going on there.
No doubt about it. Now, set the stage for the level of chaos that actually unfolds in these retail engagements.
Well, I mean, one of the biggest problems is that you’ve got, you know, you have a set of information. It depends on how the organization’s set up, but you know, you’ve got a set of information you need to collect to cover corporate. And then each of your individual outposts or stores, they have their own sets of evidence, information, validation, etcetera, that need to be gathered. So, you know, it doesn’t take long. And your, your PCI engagement is, is getting astoundingly complex as you’re trying, you’re trying to coordinate the activities with, uh, you know, your own team, your own compliance team, all the people at corporate that are busy gathering, garnering, grabbing evidence, etcetera, putting it in the right spots, herding all those cats. And then you’ve got, now you’ve got what? 10, 20, 50, 200, you know, different sub-locations, uh, you know, that, you know, that have to go ahead and provision their evidence. Oh, it’s astronomically challenging. You know, you get to, you know, corporate alone, you know, they need oversight over the compliance program, you know, each individual, uh, outpost or, or retail location only needs to gain access to their information. So now we’ve got complications with who should be seeing what and how do they, you know, how do they see it? What do they have access to? Is it just going to be overwhelming? Cause they log in and they see a billion things, all that fun stuff. Should they even be seeing it? You know, you know, type of a deal. So, you know, all of these, all of these complexities make it a real challenge to, to be able to manage a program with, you know, with this kind of scale, you know, you think about the, the normal, you know, kind of the normal organization where they’ve kind of got corporate, maybe a sales office or something.
It’s on an entirely different scale when you hit, when you hit retail, you know, just because you’ve got such a broad spectrum of scope, you know, for, for these engagements, you know, you, uh, it, it takes an absolute ton out of the people that you have the unenviable joy of trying to try and to wrangle those cats.
Sure. Speaking of, what are some of the specific challenges in the retail space?
Well, you know, it comes in several fold, you know, they, you know, there’s, there’s things that are going to kind of pose issues and problems for, you know, for the overall team at any organization in the, in the retail space, um, you know, first of which is just trying to track, uh, you know, trying to track everything. We just talked about, you know, whatever, if it’s a corporate location and 200, you know, 200 outposts, you know, if you’re managing all of this stuff for a lot of these organizations because of the fact that PCI has been around for a minute or three and, you know, many of them are, you know, they’re using manual process, manual procedure, spreadsheets to hold all this together, you know, within this either manual or semi-manual system, you know, you’ve got, you know, you have to have, you know, manually established storage locations for who’s going to put what, where you’re manually checking the status of, you know, each of your items, you’re manually, uh, you know, evaluating the evidence. You’re manually following up with people, you know, every single time that you go and wrap up, you know, this year, you know, in the retail arena, you know, you wrap up your quote annual engagement, right?
It’s probably several, at least several months, if not, you know, maybe six to eight months of the year, just trying to get through that, you know, through that main, you know, kind of main engagement, um, you know, by the time that you get it wrapped up, you’re going back in and having to go and establish, well, next year’s stuff, uh, it’s like you can never get off of the, off of the, uh, merry-go-round that you’re basically, you know, you’re just tacked to, um, you know, that you got to go in and establish all the new storage locations and oh, now I got to go and gut and re, and reform all of my tracking spreadsheets and, you know, and, and, and so now I’ve got to go in and basically overhaul the entire program to go set it up for next year. Um, you know, manually, you know, going through access control for who needs access to what and setting all of that up, uh, you know, you’re, you’re moving information, you know, through manual consolidation as you’re, as you’re going, um, there’s very, very, very likely, um, dozens of different places. People were, you know, cubbyholing, you know, evidence and whatnot as you’re going through the, through the engagement. I mean, anybody that’s been in the compliance arena knows the pain of, you know, of basically having, you know, telling everybody, Hey, go put your stuff here. And then sure enough, they’re sending you text messages with updates or they’re, you know, they’ll drop it in some place they had access to and send you an email and say, by the way, my stuff’s over here, you know, type of a deal. It just never freaking ends. Um, you know, then you’ve also got a, another problem with, you know, with, with the, in the manual arena, you know, you’re in, you know, it very, very likely could be that your QSA has their own place that they want you to go put everything to etcetera.
So now that we’ve gone and collected all this information up and it’s, you know, got it all, you know, in its right spot and it’s organized and we’ve gone through it and vetted now I got to go move it all over to the assessor, you know, type of a deal. It’s a, it is a tall order for the, for, for, uh, you know, got to comply, you know, the compliance personnel, uh, to fulfill that role, certainly a tall order for any type of a, you know, any type of an automated system, uh, you know, that can, you know, that can provision some assistance, you know, you go, you know, the next arena where, you know, where the challenges come into play is the, the access control, which I touched on earlier, you know, not only do you have to manage and maintain this overall organized compliance program, um, so that it runs smoothly across all of this complexity, but, you know, and then you need to make sure each location only has access to the stuff that they need. Um, you know, so if you’re following role-based access control, you know, then you need to be able to confidently know that, you know, the right people are seeing the right things in, you know, in the midst of all of this, you know, you’ve got, uh, a lot of effort, um, to basically be able to, to do the management of the, you know, of the, of that access control, uh, you know, in and of itself. So, you know, the, the, the effective, the desire for effective access control is creating dysfunction as you’re trying to, you know, move through this, you know, through this manual system. So, you know, as you’re going through and you’re creating these drop zones, right, for each of the, each of the store locations, well, now I’ve got to go in and I’ve got to portion the right permissions to each of the individual locations where they’re dumping their stuff, you know, etcetera.
And, you know, you’re creating, you know, hundreds of, you know, different places for people to go in and put stuff, each of which has its own, you know, its own access control associated with it, you know, and every single time that you’re creating, you know, more drop zones then you’re having to go in and, you know, go in and, uh, you know, reconfigure, you know, the, the permissions as you have turnover within that environment. Um, you know, it’s, uh, it’s, it’s absolutely painful, uh, going through and having to continue to, uh, change, re-change, swapping out Mary for Bob, swapping out Frank for Fred, swapping out, you know, Andrew for, for Madonna, whatever. And you’re going through all of these machinations and having to constantly do redo, redo, retrain, you know, all that fun stuff. It just, it gets, it gets astronomically, um, painful as you, as you’re going through that process.
No doubt about it! Now, what are some of the ways that the TCT portal helps these folks in a big way?
Well, as you get in and you start, you know, dealing with, um, you know, the, the, the poor souls that are, you know, in the retail arena, you know, we, we have them come to, come to TCT cause they’re fed up with, you know, being in this continuous, never ending, uh, saga of, of ineffective management of their program. Um, you know, they, they, they explained to us just how challenging it is to hold the program together, how many hours and hours and hours and blood, sweat, tears and, you know, lost sleep and da, da, da, it takes to be able to just hold all of this crap together. Um, you know, and then, you know, a year later when they’ve gotten through their, you know, their annual, you know, their annual assessment, when they use the TCT portal, they’re, they’re finally breathing, you know, breathing a sigh of relief. You know, we, we see an active change in their demeanor. Um, you know, they, they, they expressed to us that they finally have the capability and the capacity to meet the meaningful aspects of this job, not the menial ones, um, you know, the, the portal was able to offload, you know, thousands of hours, uh, you know, from them. So, you know, the, the, the main objective of the TCT portal, I said it, and I said it back in the day, we, we hold the mantra to date, you know, it’s making compliance management suck less. Uh, we’ve been doing it officially since 2013. We’re not going to stop, but you know, implementation of the portal alone has the capability to drop that manual effort by, you know, by up to 65% on these engagements. I mean, we can’t, there is no magic bullet that’s just going to cure everything. I don’t need to do anything. Um, you know, but we’re sure going to take a valid shot at trying to offload, you know, a lot of that pain and time. And you, you take that 65%, sounds great, you know, even for a normal engagement, but you take the complexity of a retail arena, dude, it is, it is way different, you know, scenario.
So some of the things that, that we’re able to do and that you can get out of technology, um, you know, as you, as you step into the compliance management space, um, certainly straightforward streamlined evidence submission is one. So, you know, as you, as you go and you deploy a system like the TCT portal, what I tell people is I say, look, get everybody trained, tell them there’s one place that you’re going to go put your stuff. I’m not going to take it through a text message. I’m not going to take your update in the hallway. You don’t put it into the system. Then I am not going to be, you know, I’m not processing it, you know, etcetera. Get them trained to be able to use the system of record because, and there’s several reasons why it’s astoundingly important that they do that. One for the sanity of everybody involved, you know, using this one consolidated location, um, you know, is, is important, but secondarily, you then have that clear, clean, crisp repository available for next year.
Go ask anybody in retail, how many people are turning over, uh, you know, year over year on your evidence submission team and, and they’re all chuckling right now, but it’s a lot. And so, you know, you don’t have to go in retrain, retrain, retrain. If I have a solid repository of exactly what worked last year that Mary got it last year, but now Frank’s taking over that type of thing, then now I’ve got a rock solid repository that can go look at, um, you know, another capability in terms of the streamlined submissions is that we have the capability to, to load up, we call it document request list, you know, within the system. But, you know, basically you can load up your own customized list of to do’s, um, you know, in words that make sense to your staff in terminology that makes sense for your organization, uh, you know, etcetera, and it’s literally, it’s written in a way they understand they’re able to very readily go in, process these items, produce what you need, you can even give them examples, things along those lines. So, you know, you can go through that document request list, request each element of evidence once, and then go ahead and map that over to the appropriate destination, wherever that may be. So you don’t need to have them answer the same question with the same evidence three times or five times. Instead, they can supply it once and we can go ahead and, you know, kind of do, do the mapping. Um, you know, it also assists with elimination of confusion and rework because you’ve got the document request list for your specific organization. You know, now you can put in instructions in ways that they, uh, they know and understand, um, you’re not reading, you know, kind of no offense to the PCI crew, but a lot of times for the business folks, it doesn’t make direct sense. 
Um, you know, they’re not trying to read PCI lingo and interpret, interpret the techno babble, um, you know, instead what they’re doing is they’re, they’re seeing the stuff in, in ways that just make them more efficient. It eliminates questions. They don’t have to come back and ask. They don’t need that, you know, comprehension issues, etcetera. Um, you know, the TCT portal also makes it astoundingly clear who’s assigned to what each item within the system is assigned to a specific individual that, you know, it’s, uh, you know, you’re able to, to, you know, go in and, and identify who has which items, which means fewer questions around, you know, where do I, you know, which items do I have again? Uh, you know, did I submit this one to you statuses are all automated, etcetera. So it just makes the entire process, uh, you know, a lot more streamlined given the fact that we can provision even evident, sorry, not evidence, but examples of the evidence that they’re looking for, um, you know, now I’ve got fewer resubmissions that are needed because they send in the wrong thing. Um, you know, personnel can self-serve and, and, and get the answers to their questions. So, you know, you’re just able to automate a lot of the back and forth kind of heavy communication lifting that ends up happening.
You know, we, we kind of pinged on, you know, access control, you know, as we were talking about some of the challenges, but you know, what you can do within the, uh, within the technology and within the TCT portal, I can assign each item specifically to the right individual, if you’ve got a group of people to be, there’s two people or three people on a team, any one of which could provision the evidence. You can go ahead and assign it to three people, you know, simultaneously. So, you know, you’ve got the ability to really assign the items to the right people very specifically, or in these, you know, kind of in these groups. And, you know, while the, the, you know, we talked about this request list earlier. So what I would do is I would face the request list to the front liners, um, so that they can go ahead and work through the request list. However, the compliance team, they’re able to see each individual location’s request list, they’re also able to see how those request lists are mapped kind of over to the target engagement. So if each location needs its own separate self-assessment questionnaire, then that evidence could map over and into each location’s self-assessment questionnaire, corporate’s information’s mapping down and similarly laying over that questionnaire, the compliance team has seen both the request list and the questionnaire or the ROC if it’s rolling up to corporate, whatever. But the bottom line is that the frontliners are seeing what they need to, the compliance team has global oversight, etcetera. Everything, everything’s in there, everything’s live. It’s probably one of the biggest challenges when you’re on an engagement of this complexity is just being able to tell, where’s everything at? Have they submitted their stuff? If so, did I pass it through and I move it? Is it basically the sign of the cross blast that can move on or do I need some additional elements or did they completely miss the mark? That type of thing.
So all of that status information is live within the system. I’m not updating spreadsheets or trying to hunt down 12, 18 different locations where they possibly put stuff. So you’ve got that capability. When we generated and kind of conceived of the TCT portal, the intention was never that we were gonna make a system that the users of it could then basically try to use a hammer, an anvil and try to basically pound their compliance program into the tool. But instead generating a tool that mirrors and matches the desired workflow of the target organization. And so that’s the way we designed it kind of from the ground up. So quite honestly, it’s been a while since I’ve had somebody come up with a new inventive thing that they would like to see in terms of how they want data to flow that the system can’t handle. But probably the coolest part about TCT is that from the very start, and this is how we’ve kind of just continued to grow and grow is that we listen to the customers, we listen to the clients, we take their input, take their feedback, integrate that back into the platform.
So for anybody, I mean, the TCT portal has been up running for over a decade. For anybody that’s coming and stepping into this space, they’re literally using a tool that just battalions of security and compliance professionals have been literally leveraging, using, providing input on, making better for the last decade. So it’s a pretty, pretty cool process. The other thing that I’ll say kind of enclosing on the whole, how can the portal help, is that while there’s a lot of organizations that they’re just seeking a tool that they can use for themselves, the coolest part about the tool is that with the capability for dynamic workflows, etcetera, we can also integrate, if you’ve got security and compliance consultants, if you’ve got vendors, if you have to go through a third party assessor engagement, then you’ve got the ability to integrate them into the workflow as well. So now you don’t have to use multiple, kind of multiple tools, etcetera. If for a lot of organizations, they’ll work with their assessors to leverage the portal. And then that gives them the ability to just workflow the evidence straight through to their assessor.
Well there you go. Parting shots and thoughts for the folks this week, Adam.
Well, at the end of the day, we were just talking about how you can do the workflow, flow things through to your assessor. I was having a conversation with an organization literally earlier today, and I was saying to him, I’m like, look, you guys tell us, you guys tell us what you want. At the end of the day, I have seen organizations that at the end of the day, the assessor is a vendor to your organization. And so I’ve given them the advice, hey, look, talk to your vendor and see if they can go in and leverage the, maybe they’re already leveraging the TCT portal, which is cool, but if your assessor isn’t, then just go ahead and show them the tool, show them how you can integrate them into the workflow. Make it easier on your organization. Certainly, if I’ve got organizations that don’t have an assessor that doesn’t happen to be using the TCT portal, but they really wanna take best advantage of the capabilities of the platform, there’s no question that being able to run the stuff straight through to the assessor through the tool is the optimal way to go about doing it. We would gladly give you an intro to any of the dozens of assessment firms that leverage our platform. We’d be glad to go ahead and do that for you. The reality is that retail organizations can really achieve an extremely efficient, customizable, user-friendly solution to their problem. And I really look forward to watching the relief on the faces of the poor folks that are involved in this process, because honestly, I am not envious. I’ve been through some pretty complicated and pretty tough engagements. There is absolutely zero question that those engagements where you have multiple, either dozens or hundreds of outposts that need to provision evidence in coordination with a corporate entity, I mean, it is astoundingly challenging. And using technology to your advantage gives you the ability to consolidate all of this, get live statuses, streamline effort, reduce pain, blood, sweat, tears.
It’s really a night and day difference from where you’re at to where you wanna go. And the one thing that I encourage organizations to do with TCT is just open up. What is it you’re looking for? How do you want it to work? What options are you seeking, etcetera? You don’t have to be stuck in this kind of manual madness that you’re going through day in and day out. We do strive to make compliance management suck less, and that’s what we aim to do for folks in the retail space, for sure.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.