If your corporation uses a franchise model, you have tremendous complexity to deal with as you navigate PCI-DSS compliance. Truthfully, my heart goes out to any compliance manager who is desperately trying to keep the engine running while holding it all together without the right tooling and only with the sheer will to somehow survive the annual compliance cycle.

There’s a lot of complexity in managing PCI-DSS engagements. Not only do you have all the challenges of managing compliance at the corporate level, but every one of your franchisees is its own silo that you have to coordinate with.

Many of the challenges come down to coordinating and orchestrating the overall engagement: making sure people know what’s needed and when it’s needed, and managing (or wrangling) the evidence submissions and their associated status.

With the right compliance management tool in your hands, the work is streamlined and manageable. But if you’re like many compliance managers, you don’t have the tools you need to run your engagement effectively.

It requires a tremendous amount of coordination, brain cells, and human effort to keep your PCI compliance engagements running smoothly and on-track. But with the right compliance management solution, not only can you do it successfully, you can even sleep well at night.

Let’s look at a few compliance management options at your disposal.


Advanced Spreadsheets for Managing Compliance

Spreadsheets are ubiquitous and easy to learn. They’re also flexible. You can use macros, link multiple tabs to one another, and make changes on the fly as your security/compliance program — or the number of franchises — grows.

Because spreadsheets are so familiar, anyone on your team can immediately get plugged into your system and quickly fit into your workflow. You don’t have to provide hours of training or purchase additional licenses when new team members come on board.

For small organizations that are compliant with a single standard, spreadsheets may be able to provide the functionality that’s needed. But for large organizational structures that have complex security/compliance needs, spreadsheets may be doing far more harm than good.

Spreadsheets present several drawbacks that hinder your compliance management efforts. Some of these issues include:

  • Security vulnerabilities — Spreadsheets have rudimentary security mechanisms that are easily bypassed.
  • Fragile data protection — Anyone who can edit a spreadsheet can easily corrupt the data. All it takes is a simple copy/paste error or entering data in the wrong cell. Unspotted spreadsheet errors aren’t just common, they’re the norm.
  • Poor usability — People dread using spreadsheets, especially when you’re dealing with something as complex as compliance management. For many, it’s a continuously escalating level of pain they’ve become used to.
  • Collaboration issues — If you’re allowing multiple people to contribute to a spreadsheet, you have all kinds of version control problems. You’re also asking for trouble if you allow more than one person to edit a spreadsheet simultaneously.
  • Project management woes — Spreadsheets weren’t designed to manage projects. Simply checking the status of your compliance engagement requires hours of effort. Keep in mind that personnel are wasting that time at least weekly for the regular status meetings.

If you’re using spreadsheets to manage compliance, you’re either doing it because you don’t realize there’s another option, or you’re a glutton for punishment. Actually, there are a couple of options, starting with using your Assessor’s system.


Assessor’s Compliance Tool

Many Assessment firms use their own proprietary system for managing their clients’ PCI-DSS compliance engagements. As the organization that is going through compliance, you don’t have to purchase any software, and it’s a lot simpler to use than your clunky spreadsheets. Comparatively, it appears there’s a lot of upside to using their compliance management system.

However, you should be aware of the compromises you’re making. When you use your Assessor’s proprietary compliance tool, you lose having your own organized repository for your compliance data. The firm controls the data that you provide them, and you can only gain access by logging into their systems or making a request for an extract of the data. 

Within your own systems, you still have evidence that’s disorganized and splayed all over network drives, file-sharing drop zones, emails, etc. This means that every year you’re internally starting from a disorganized mess, yet loading the information into the organized structure of your Assessor’s system. It just doesn’t make sense to do things that way.

Remember, it’s YOUR information — you own it — and yet you can only access it if you stay with that Assessment firm. When you switch firms, you leave your data behind. Sure, you can request an export file, but it will be unreadable by other Assessors’ systems, because it’s written in that Assessor’s proprietary export format, which will not match the import needs of your next Assessor.

While an Assessor’s compliance management tool is certainly a better choice than using spreadsheets, it has its limitations. But there’s still one more option available to your business.


TCT Portal Compliance Management Software

For corporate organizations with franchise locations, TCT Portal is an ideal compliance management solution. You don’t have the convoluted issues that spreadsheets present, and you stay in control of all of your data.

TCT Portal provides automation and streamlining capabilities that spreadsheets and Assessors’ systems can’t offer. Let’s take a quick look at some of the ways TCT Portal makes your life easier for managing compliance. 

Make PCI-DSS Understandable

Your franchisees aren’t technical, but they need to send technical information from their stores to corporate headquarters. That means they’re continually asking for clarifications or sending the wrong data to you, which needs to be rejected and resent. It’s a quick way to slow down your progress and put your compliance engagement far behind schedule — especially when you’re dealing with dozens or hundreds of franchise locations.

TCT Portal lets you provide plain-English explanations of precisely what is needed from them. Make it easy for everyone involved in compliance evidence collection to understand exactly what’s required. You have the ability to associate guidance and examples for franchisees so that it’s clear exactly what you need and how they can find it. 

Customized Certifications

There are over 500 different items in a PCI-DSS engagement, but your franchisees only need to deal with a handful of them. It can be overwhelming to wade through the hundreds of requirements they’ll never need to touch — and confusing for them to interpret the information needed directly from the PCI requirements themselves. 

TCT Portal lets you create a customized data collection list that includes only the items assigned to your franchisees, written in a manner they’ll understand with your custom guidance and examples included. This list can be easily mapped back to your corporate PCI-DSS engagement behind the scenes, so that submitted evidence from franchisees is automatically populated in your destination PCI track, right where it needs to be. 

Status at a Glance

Allocate assignments to specific individuals, and immediately see the status of all aspects of your PCI engagement. With just a glance, you can know which stores are behind schedule, which individuals have completed or haven’t completed their assignments, and what state every single line item is in.

Customized Workflows

On your Franchise tracks, you can configure the workflow of that engagement in a manner that works for your business. If you’d like the evidence to flow through an internal QA department prior to moving through your Compliance Consultant, no problem. TCT Portal can be configured to mirror the workflow requirements of your organization. 

On your corporate PCI track, you can similarly establish a customized workflow to suit your needs — including your internal audit team’s QA — passing through a Compliance Consultant (if you have one), with the ability to pass items on to your Assessor and then to their QA department. We often advise organizations that they can have their Assessors review items within the TCT Portal rather than being forced to use the Assessor’s proprietary systems. In fact, TCT has several dozen Assessment firms on the platform today, so if you need a recommendation for a firm already using the TCT Portal, we would be happy to make an introduction to a suitable firm for your needs.

Historical Tracking

Because turnover is high among most franchise stores, there’s spotty consistency from year to year in terms of who has done what for PCI tasks. Often, the assigned individual is collecting evidence for the first time and they don’t know how it was done last year. 

TCT Portal gives you ready access to the files and activities that were completed last year. You can see who did what, what evidence passed review, and a clear understanding of where it’s located. Everything a new person needs to know is right there at their fingertips. 

That means you don’t have dozens or hundreds of new people stumbling through the workflow and making the same mistakes their predecessors made the prior year. It’s also far more efficient and less disruptive for the compliance managers at the corporate level.

Best of all, we’ve priced TCT Portal so affordably that we’ve made it a no-brainer decision. Our customers are saving tens of thousands of dollars per year and streamlining their compliance efforts by as much as 65 percent.


Make PCI Compliance Manageable

When you’re operating with TCT Portal, you have a single tool to configure your PCI-DSS engagement as needed. You can automate the collection of evidence and spend less time on interruptions and hand-holding. Workflows are streamlined and the full breadth of your entire engagement becomes manageable. 

Only TCT Portal gives you the flexibility, robustness, and control that you need to manage PCI compliance. Discover what kind of difference TCT Portal can make for your organization — request a personalized demo today.
