Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Easier Management of PCI 4.x with the TCT Portal


Quick Take

Regardless of what version of PCI 4 the council decides to roll out, QSA firms and individual organizations alike can benefit from having a compliance tool where all of their evidence is in one place and that provides full access to the required team members.

Curious about INFI tables or CCWs? Have no fear, the TCT Portal has you covered there as well.

Questions on formatting and reporting? Rest easy, the CU guys will lay out exactly how to tackle that challenge and more on this episode of Compliance Unfiltered.

Remember to follow us on LinkedIn and Twitter!

Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Ranchero sauce to your compliance chimichanga. I missed you, Adam Goslin. How the heck are you, sir? I’m good, that sounds like fun, if you do it right. Today, we’re going to talk about how to do it right. As a matter of fact, easier management, sir, of PCI 4 with the TCT Portal.

Now, this is a topic that I know is near and dear to your heart. Tell us more at a high level why companies struggle with managing compliance, and specifically, why PCI is so daunting. Well, a lot of organizations, for many of them, that are managing PCI compliance, managing fill-in-the-blank compliance, it’s a frustrating and painful manual process. Typically, you’ve got these clunky spreadsheets, multiple methods that people are using for submission of their information to you. I’ve often talked about, back in the day, oh my gosh, I used to get evidence coming in through email. I’d get evidence getting put onto, I’d tell everybody, hey, go put it into these folders in this location. Well, that’s great that I told them that, but then I get an email where they plopped it somewhere else onto, maybe on the same file server, maybe on a completely different data repository. I’ll have people dropping by my desk to tell me that they wrapped stuff up. I’ll have people flagging me, oh, in the hallway, oh, guess what? I got those three things done that, da, da, da. It’s like, how in the F am I supposed to remember all of these things, people? I’m walking into a meeting and I’m trying to write a note, oh, yeah, Mary got her three things done, blah, blah, blah. Now I got a note that comes into the mix with information and da, da, da. It is absolutely effing horrifying. Teams dealing with clunky communication, multiple platforms and a general sense of disorganization and chaos, nothing simple, everything takes longer than it reasonably should. And you look at something like PCI, it’s a big framework, just all on its own, let alone layering over with a kind of a thick swath of all the additional normal manual mayhem, and you basically have a, you’ve got a situation that’s custom designed for compliance nightmares, high turnover and all sorts of fun stuff.
So, you know, with the deadline for PCI 4 approaching quickly, anybody that wants to produce an AOC needs to be, needs to get their 3.2.1 wrapped up by 3/31, because as of April 1st, and no, it’s not an April Fool’s Day joke, you know, then you have to go ahead and put it on PCI 4 paperwork.
I’ve actually had a lot of conversations with, you know, various folks in the assessor space that they are just absolutely getting their butts handed to them right now, because everybody under the sun wants to go ahead and pull forward. You know, their date was gonna be, you know, whatever, May, you know, or something, and they’re wanting to get a 3.2.1 wrapped up by 3/31. So there’s a lot of stress out there in the marketplace and all that fun stuff. But, you know, honestly, with PCI 4, you know, coming down the tracks and no way of stopping it, you know, there isn’t a better time to invest in your compliance management software, and certainly one that’s basically built to eliminate chaos, streamline complex compliance engagements, etc.

TCT portal was designed from the get-go to simplify compliance management for massive security frameworks like PCI DSS. We’ve got a suite of tools and capabilities for PCI v4.x. The use of a compliance management portal, certainly TCT portal is near and dear to our hearts, but a compliance management system will eliminate hundreds of man-hours a year across your team and internally, if not thousands, to be frank. So, you know, we can, you know, you can rest assured that there’s, you know, that there is light at the end of the tunnel and it is not that train that’s coming down the tracks. Sure. Now, getting into some of the TCT portal features specifically for PCI v4, tell us about the INFI support specifically here. Sure. So with PCI, with PCI 4 there’s a new aspect, it’s called items noted for improvement. And as anyone that’s been around PCI for a minute or three, you know, knows, they love their acronyms. So that’s short form to an INFI worksheet. So the INFI gives the QSA the ability to flag items that required improvement during the assessment. So, you know, rather than just kind of brushing it, you know, kind of brushing it under, yeah, now it’s done. Instead, the methodology is, if there were tweaks or modifications that, you know, were identified and needed to be performed midstream, that way that reality can be captured through those INFI worksheets. So the INFI worksheet is, again, additional paperwork that needs to get filled in, you know, and if you’re using, you know, manual processes, these worksheets are just another fine opportunity for more work and longer hours. So the TCT portal has native support for the INFI worksheets. You know, the software will automatically generate the paperwork at the end of the engagement with a click of a button. So, you know, all the information is captured as you’re going through the assessment.
TCT portal will automatically, you know, pull it into and format it to the INFI worksheet for generation when you’re going through and doing your report generation. Well, here’s what I know our clients love.

Automated reporting, right? Tell us more about that. Sure. So, yeah, the clients do love that. You know, I guess the one thing I wanted to mention is, we’re talking about PCI 4. You know, the listeners, you gotta remember, like this PCI 4, the first iteration of it, it’s been out for a long time, you know, and TCT, we have so many organizations that depend on us for PCI-related content in terms of the use of the TCT portal. The day after they publicly released PCI 4, we had it up and onto the platform. So we don’t mess around with, you know, getting our customers taken care of, getting them things that we know are important quickly, etc. And one of the things that the customers love is the automatic report generation. You know, with every new major update to PCI, you know, the total number of items for either self-assessment questionnaires or reports on compliance increases. And, you know, PCI 4 has even more information than ever that needs to get filled in for reporting. You know, normally for organizations that aren’t using a compliance management system like TCT portal, that’s gonna, again, add more manual hours to your engagement and more overtime for your team and additional stress and all that fun stuff. So, you know, with TCT portal, the documentation side of it is literally generated with a click of a button. It doesn’t matter if it’s a report on compliance, an attestation of compliance, a self-assessment questionnaire, literally just go punch a button, say generate my reports. And you go walk away, wait till the reports are done, and both are finished. You know, all of the required information for the reporting is coming straight out of the portal. It’s automatically populated and formatted in the right spots on a fully formatted report. This goes onto the paper from the PCI council, which is one of their requirements. You don’t have to make manual adjustments or edits or format them, you know, etc.
And, you know, the capability to just punch a button and have the reports come out, especially for those that are generating those reports, is an absolutely enormous time saver as you’re going through that process. So it’s pretty cool watching the light bulbs go on for the folks that we talk to about the capabilities of the kind of TCT portal, and specifically as it relates to the outbound reporting, it’s fun watching those light bulbs and whatnot go on.

No doubt. Now, what happens when an organization is subject to more than just PCI? So in that case, you know, the TCT portal, you know, the TCT portal has the capability to provide, you know, mapping across a multitude of frameworks. So, you know, keep in mind, we named the company appropriately. It wasn’t called the PCI portal. You know, it wasn’t a HIPAA portal. It wasn’t an ISO portal. It wasn’t a SOC portal. You know, the name of our company is Total Compliance Tracking, which means that, you know, we have today north of 150 different certifications and standards that are already built into the tool, all of which can be mapped to one another, you know, within the system. You know, when you are uploading evidence to your, you know, PCI DSS track within the, you know, within the system, the portal has the capability to be configured to automatically apply that evidence to other related certifications based on the requirement mappings. So by the time that you’re done with PCI, you only end up having kind of the leftover requirements, you know, on those secondary, on those secondary tracks, you know, kind of leftover, if you will. The TCT portal’s cert mapping capabilities, you know, they basically optimize the amount of time that you have to spend collecting information, you know, mirroring that across your various certifications. You know, load it once, use it many; that eliminates a ton of redundant effort where, you know, teams would otherwise be manually transposing their evidence, you know, from their PCI track to their, you know, HIPAA track, or their PCI track to their ISO track, etc. You know, it just, you know, absolutely streamlines the blazes out of, you know, out of, you know, being able to take the best advantage, you know, of the capabilities of the system to put them to work for you. Well, PCI version 4 also has a new capability, right, to support a customized approach. Tell us about that feature.
Well, the customized approach, you know, is a new one for, for PCI v4. It would typically apply to larger, complex organizations that have an established approach that meets the intent of a particular control, but they may not have implemented it according to the letter of the PCI law. So this customized approach allows organizations to show they’re meeting the intent of the requirement, you know, with the approach that they’ve taken. But in order to do so, they’ve got to generate a customized approach template. And our system is already configured so that if the organization wants to use customized approach, they can capture all of the sundry data points within the TCT portal. And again, when you punch the button to generate your outbound reporting, if you’ve used customized approach to be able to meet any particular requirements, then the system will automatically go ahead and generate your customized approach templates, you know, and whatnot, and fill all the information in appropriately on the outbound reporting documentation that you need to have. All right, that’s awesome. Now, different companies have different circumstances, right?

So talk us through kind of the customized workflows that are offered. Sure. So, you know, it’s one of the nicest parts about the TCT portal and the way we built it is that, you know, it’s not forcing organizations. Like one of the big challenges is that, you know, some of these tools will basically say, here’s how we’re doing it. You, Mr. and Mrs. Customer, can now go adjust all of your processes and procedures to meet how we think it should be done. And instead, we wanted to build a system that would not force an organization to adjust their way of doing things in order to fit our, you know, our tool, but that it’s flexible enough to, you know, be able to drop into workflows that you’ve already established for your organization. So, you know, one of the nice parts about a compliance management tool is a multitude of people can be working on the same engagement simultaneously, and with an engagement as large as PCI, the more that your team can work concurrently, then the more you’re streamlining your overall engagement and speeding through the process, etc. So some examples: each person on the team, they can go through, manage and update their assigned tasks simultaneously. Dozens of people can be submitting evidence simultaneously, adding the written explanations and evidence attachments for review. Assessors can simultaneously be checking on progress, responding to questions while the clients are actively using the system, starting to do their reviews and pushing things toward QA or pushing things back down to their customers with comment. The assessor’s quality assurance department can be doing their own work, you know, as each item is completed.
They don’t need to wait until everybody’s done, and then it’s a holy moly, you know, a fire drill for QA to get their stuff done because the client really, really, really, really wants to go get there, you know, get there, get this all wrapped up. So, you know, we’ve got a lot of capability in terms of, you know, in terms of workflow features within the system as well. While speaking about features, finally, one of the most helpful features. Tell us more about operational mode, Adam. Well, you know, in the grand scheme of things, when you’re using a compliance management system, no matter what the year that you are transitioning to a compliance management tool, you know, etc., you know, doing it again manually, etc., it’ll take you less time with a compliance management tool. You’re gonna save a bunch of hours and whatnot even on your first-year run. But really where the largest benefits come in is year two, two plus, you know, and that’s really where what we call the operational mode of TCT portal comes into play. And for the record, and this is something that I’ll say at this point in the game, we’re not just telling people, hey, you want to know what’d be a brilliant idea? Use this super cool tool called TCT portal. Total Compliance Tracking, the organization, uses this tool to manage its own compliance. We do it. Why? Because it’s a, because it’s a smart idea and it saves us a ton of time. You know, so we run our, we run our annual engagement in operational mode, which means that, you know, once you’ve gotten through and you become certified in PCI, you know, there are dozens of activities that need to get done, you know, related to compliance all year long. Maybe it’s on a daily, weekly, monthly, quarterly or semi-annual basis. There’s all sorts of stuff that needs to get done all year, and the portal will help to stay on target for what they need to get done. Automatically assign and remind people on your team about things that they need to have completed.
You’re no longer overlooking or forgetting items that need to be done. That was one of the biggest problems that I was running into at the back end of engagements, is some client going, geez, I forgot to do fill in the blank, type of thing. So the time savings for organizations going through operational mode is absolutely freaking huge. And on top of that, as a company, as an organization, as a member of leadership, you’ve got assurance that we are doing the things we’re supposed to be doing. We’re doing them when we’re supposed to be doing them and maintaining our compliance all year long. That way, when I’m coming up to the annual assessment, I know that I’m not gonna have some type of a crap show of… You know, jeez, I forgot, and I don’t remember where I put this evidence, and, and, and, you know that you’re buttoned up. You know you’re ready to go. You know, you can walk into that, the end of your annual assessment, you know, with confidence.
You’re not gonna get blindsided with really unpleasant surprises.

Parting shots and thoughts for the folks this week. You know, you wanna make sure that you’ve got the right tools. You know, TCT portal’s PCI capabilities make our compliance management solution a standout option, you know, amongst those that, that people have. You know, our clients, you know, that leverage the TCT portal long enough to clearly understand those, those benefits, literally become customers for life. You know, they take, it’s, it’s, it’s awesome watching, watching things unfold, but, you know, we’ve got people that will leave one organization, go to another, introduce their new company to, hey, have you heard about TCT portal and, you know, and blah, I used this at my last place. It was a, it was a gigantic time savings, you know, tool, you know, type of thing. So they’ll carry us from job to job to job. You know, when we, when we go and we’re at, you know, the PCI conferences, there’s people literally that walk in, they’ll walk in the door and they’ll come across the vendor floor straight up to our booth, you know, hey, hey, I just, I needed to talk to you, you know, it’s just, it’s really, really cool seeing it, you know, seeing it go. You know, TCT’s clients are freaking great. They’re often the best, you know, kind of referral and sales resource that we have, you know, because in many cases they’re referring us to other people, you know, with, with a level of enthusiasm that sometimes surprises even us. So, you know, and, and the, the customers do that, you know, because they realize that, you know, Total Compliance Tracking, the organization, truly cares about our users and our client experience. The support capabilities and customer responsiveness are unmatched in the industry.

Most of our support tickets are typically closed within a few business hours of being opened. The reality is, trying to manage PCI compliance, it really can suck. It’s complex. It’s enormous. It’s super painful to get through. However, when you use the right tool, managing that compliance can certainly suck a lot less.

And now right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered.

I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
