Security and compliance assessors have a lot of chaos to manage. Evidence is coming at you from every direction, teammates aren't on the same page, files are missing, status is unclear, and you're spending far too much time entering data into spreadsheets. On top of all that, you still have to manage your client.
If a client goes rogue or your team members miscommunicate, it can throw a wrench into the project and create extra work and major headaches, especially as the report deadline nears.
Online Business Systems (Online) is no stranger to the challenges of PCI assessments. Online is an information technology and business consultancy that provides advanced solutions in information security, customer experience, and service management. Their clients represent a broad range of sectors including finance, retail, hospitality, healthcare, energy, and agribusiness.
Navigating the Challenges of PCI Assessment Engagements
We spoke with Online principal consultant Sherri Collis about her experience navigating the PCI assessment challenges to learn how the Online team has mastered their processes. Here’s what she told us.
TCT: Tell me about your role at Online.
Sherri Collis: I am primarily in the PCI practice, although I’ve done some ISO 27001, Trusted Advisor Consulting, NIST 800-53, and DPR. My role as our company’s primary contact with TCT is to get us a tool that works for our team so that we can do PCI, 27001/2, 800-53, or GDPR assessments and manage the process more easily.
TCT: What are the biggest challenges for most QSAs?
SC: You’re using one set of tools to gather evidence and manually inputting everything into another tool—like Excel—and you don’t have good reporting. You go to a client site and do a lot of different interviews, and you’re capturing evidence and information, and you don’t have a tool that then produces a report.
You may have two or three people doing an assessment for a large client. Each of you is taking notes in OneNote or Word or an Excel spreadsheet. Then you combine them all and try to keep everything together and keep everyone updated on current information and the status of the client—all of those things are extremely difficult.
I’ve done reports in excess of 500 pages, so having a tool that lets your team collaborate and do reporting is extremely helpful. But some assessors are doing it with Excel, and that presents its own challenges.
TCT: What’s wrong with Excel?
SC: Excel doesn’t let you generate the reporting you need when you’re done with your process. It’s a lot of manual work, and it’s difficult to share the data among QSAs without duplication and missed notes. Once the assessment is completed, QSAs then have to manually take the client’s information from Excel to enter and format it into the required Word report.
TCT: How has TCT Portal improved client engagements?
SC: TCT has been such a timesaver for us. Our job is extremely complex, and we’re not accustomed to having any kind of a tool that will produce the report that we have to create. With TCT, we can collaborate on an engagement with other team members with a single tool that we can all use simultaneously. We can check the client status and know where we are in the process. TCT Portal also lets us push things back and forth between people working the account — including having the client work with us in the tool.
Once you enter all the information in TCT Portal, you click a button and it generates the Report on Compliance. Multiple people can contribute to the same report. When you’re done, you click a button and you’ve got the report generated for you.
I just recently did a merchant assessment for a top Fortune company, and we had to do it without TCT. I was reminded how difficult it is to perform an assessment without any automation. I’ve had clients with 1,100 documents as part of their assessment. Imagine having to type 1,100 filenames. With TCT, you don’t have to do any of that.
And most importantly, when we need new functionality, the responsiveness of TCT is like having a developer on your team. They have such amazing customer service. I’ve worked with them throughout the evening, and even had responses from them at 10 or 11 o’clock at night.
TCT: Any advice to other auditors?
SC: Once you start using TCT Portal, you don’t want to use anything else, because it provides capabilities that don’t exist within Word and Excel. If I were a merchant or service provider, I would ask my assessors to use TCT Portal and put our information into the tool. It would be really handy for any person who is managing compliance to be able to use the tool.
TCT: Thanks for your time, Sherri!
Quit Fighting Against the Chaos
Tired of struggling with the chaos of client assessments? There really is a better way. TCT helps streamline the compliance management process, so you can focus on providing your expertise—not wasting time spinning plates and performing manual processes.
TCT Portal is your all-in-one compliance management software tool for organizing and tracking all the moving parts of your compliance assessments. The web-based application combines automation with deep compliance expertise to give you a powerful tool that takes the chaos out of your client engagements.