1
00:00:00,000 --> 00:00:03,840
Data is the new golden business.
2
00:00:03,840 --> 00:00:09,360
In fact, it's been said that a business's data is worth more than gold.
3
00:00:09,360 --> 00:00:15,120
Now, we're here today to explore and unpack the challenges that arise with technology
4
00:00:15,120 --> 00:00:21,600
and try and deliver the omnichannel experience in retail while at the same time protecting your gold.
5
00:00:25,840 --> 00:00:31,360
I'm your host Scott Kreisberg and in this episode Kevin McAdden is going to be joining us
6
00:00:31,360 --> 00:00:36,400
to close out our retail series on the broken promises of the omni.
7
00:00:36,400 --> 00:00:41,360
Roman Satin is joining us as well as our resident PCI expert.
8
00:00:41,360 --> 00:00:46,240
And he's going to help clarify any questions we have about both technology and compliance.
9
00:00:46,240 --> 00:00:50,960
Now, if you haven't listened to episodes six and seven,
10
00:00:50,960 --> 00:00:54,160
you're going to be missing out on a lot of valuable information.
11
00:00:54,160 --> 00:00:58,160
So I really recommend that you go back and you check them out.
12
00:00:58,160 --> 00:01:01,600
And if you go to our website at onestepsecureit.com,
13
00:01:01,600 --> 00:01:05,600
they'll be there for you to listen to and enjoy.
14
00:01:05,600 --> 00:01:12,240
Now, before we dive in, Roman, I'm going to let you take the honors of telling our viewers
15
00:01:12,240 --> 00:01:13,280
what our disclaimer is.
16
00:01:13,280 --> 00:01:19,120
All right, well, speaking of gold, I just want you to know that the purpose of this golden podcast
17
00:01:19,120 --> 00:01:24,000
is to provide news and information on cybersecurity and technology law and regulations.
18
00:01:24,480 --> 00:01:30,320
And all data provided on this site is for informational purposes and should not be considered
19
00:01:30,320 --> 00:01:32,560
legal advice or legal tender.
20
00:01:32,560 --> 00:01:35,440
Wow, you almost sound like an attorney.
21
00:01:35,440 --> 00:01:36,960
That's great.
22
00:01:36,960 --> 00:01:37,920
Thank you, Roman.
23
00:01:37,920 --> 00:01:43,680
All right, today's episode's focus is: is the risk worth the reward?
24
00:01:43,680 --> 00:01:50,000
So let's dive right into it and let's see if data is the new gold for businesses and why.
25
00:01:50,640 --> 00:01:57,120
Now, I'd like to start this episode off with what's the actual promise of Omni?
26
00:01:57,120 --> 00:02:02,400
And you know, our store is still important with this whole Omni thing.
27
00:02:02,400 --> 00:02:04,480
Kevin, I'm going to toss that over to you, buddy.
28
00:02:04,480 --> 00:02:06,720
Thanks, Scott.
29
00:02:06,720 --> 00:02:07,760
And thanks for having me again.
30
00:02:07,760 --> 00:02:13,360
Yes, I think stores are extremely important to Omni.
31
00:02:13,360 --> 00:02:19,440
I actually just spoke to a group of cutting-edge merchants about a month ago on the topic.
32
00:02:20,320 --> 00:02:25,520
And there's some recent information, even since the last time we spoke on this topic that came out
33
00:02:25,520 --> 00:02:32,000
that predicted, this is Forrester actually predicted that offline retail sales, meaning those not online,
34
00:02:32,000 --> 00:02:36,640
They're going to surpass 4 trillion by 2028.
35
00:02:36,640 --> 00:02:42,720
And that US offline sales will make up 72% of the retail market.
36
00:02:42,720 --> 00:02:47,360
So I think if anything that might reinforce what we've been talking about,
37
00:02:47,360 --> 00:02:53,040
that this last push into digital over the last several years while amazing and very innovative,
38
00:02:53,040 --> 00:02:57,840
also is leading back to a renaissance in the stores.
39
00:02:57,840 --> 00:03:00,800
And so I think Omni channels definitely worth it.
40
00:03:00,800 --> 00:03:04,960
This article happened to go on to talk about some of the challenges that these brands meet.
41
00:03:04,960 --> 00:03:07,600
And I know you'll probably ask a little bit more about that too.
42
00:03:07,600 --> 00:03:13,120
But to answer your question directly, I think clearly stores are big and Omni channel is big
43
00:03:13,120 --> 00:03:16,720
being able to serve online and offline customers.
44
00:03:16,720 --> 00:03:21,520
Awesome. Yeah, is that by any chance a growing number, or is it shrinking?
45
00:03:21,520 --> 00:03:24,480
71% is growing.
46
00:03:24,480 --> 00:03:27,680
Definitely, heavily growing.
47
00:03:27,680 --> 00:03:30,720
Yeah, especially after the last two, three years of COVID.
48
00:03:30,720 --> 00:03:34,880
But even before that, definitely growing over pre-COVID levels too.
49
00:03:34,880 --> 00:03:37,200
That's great. That's interesting. It's really interesting.
50
00:03:37,200 --> 00:03:42,480
It's great. I could say the shopping centers in my area, I mean I can't get a parking spot.
51
00:03:42,480 --> 00:03:44,960
So people are out shopping.
52
00:03:44,960 --> 00:03:46,400
All the way seasoned. So yeah.
53
00:03:46,400 --> 00:03:50,640
Well, the other interesting thing, this article talked about with regards to the physical stores is that
54
00:03:50,640 --> 00:03:56,960
what you're talking about there. But even Walmart CEO had been on record recently saying that his stores
55
00:03:56,960 --> 00:04:00,320
are key nodes in their Omni channel business.
56
00:04:00,320 --> 00:04:03,280
Meaning like, I mean, that's Walmart. So it's a different kind of retailer.
57
00:04:03,280 --> 00:04:08,640
But still, they've got distribution all over the country, all over the world.
58
00:04:08,640 --> 00:04:09,440
Absolutely.
59
00:04:09,440 --> 00:04:10,320
All right, cool.
60
00:04:10,320 --> 00:04:17,600
In a couple of the earlier episodes, you had mentioned that there are technical,
61
00:04:17,600 --> 00:04:24,400
operational, I believe you said security components to this Omni channel experience.
62
00:04:24,400 --> 00:04:26,080
Let's see if we can't break that down.
63
00:04:26,080 --> 00:04:33,040
What are the technical components? Roman, you're our resident compliance and technology person
64
00:04:33,040 --> 00:04:34,400
on this one? Why don't we start with you?
65
00:04:34,400 --> 00:04:36,160
Sure, sure, not a problem.
66
00:04:37,200 --> 00:04:43,520
Well, the biggest technical component I can tell you for all walks of retailers,
67
00:04:43,520 --> 00:04:47,520
retailers, Omni channel, everything is customer data, right?
68
00:04:47,520 --> 00:04:53,120
That is what all of the compliance, all the regulations and frameworks are looking to protect,
69
00:04:53,120 --> 00:04:58,160
which means all of these stores now have to take into consideration.
70
00:04:58,160 --> 00:05:00,720
Where do they store that data?
71
00:05:00,720 --> 00:05:03,680
You know, once upon a time, it was just in your point of sale system.
72
00:05:04,400 --> 00:05:08,960
And then, you know, if you had an online retailer, it was just in the cloud somewhere, that
73
00:05:08,960 --> 00:05:10,880
nebulous word in the cloud we used.
74
00:05:10,880 --> 00:05:15,600
When you start marrying those together, you really start looking at a challenge.
75
00:05:15,600 --> 00:05:20,480
And I think Kevin's spoken about this before: if, where, how do you cross that data?
76
00:05:20,480 --> 00:05:25,920
If I bought in your store, does that mean I can buy online with the same data and vice versa?
77
00:05:25,920 --> 00:05:32,800
So the technology aspect of it really is trying to find out, do you have an on-site database?
78
00:05:33,360 --> 00:05:35,040
Do you put that into the cloud?
79
00:05:35,040 --> 00:05:40,320
And not only do you have that type of hardware or software solution, you also look to,
80
00:05:40,320 --> 00:05:41,600
how can I secure that?
81
00:05:41,600 --> 00:05:45,600
So again, security methodologies now start putting into that, which
82
00:05:45,600 --> 00:05:47,920
in themselves is its own technology.
83
00:05:47,920 --> 00:05:52,320
So it's a fascinating thing that they have to do with our data.
84
00:05:52,320 --> 00:05:52,560
Yeah.
85
00:05:52,560 --> 00:05:55,840
So, yeah, there's a lot to think about there.
86
00:05:55,840 --> 00:06:03,280
And, um, probably should seek out some professional advice when, when thinking about this,
87
00:06:03,280 --> 00:06:06,080
um, yeah, so Kevin, do you have anything you want to add to that?
88
00:06:06,080 --> 00:06:07,840
Yeah, absolutely.
89
00:06:07,840 --> 00:06:13,520
Because I think that, you know, we talked about some of the technical and the operational
90
00:06:13,520 --> 00:06:19,760
challenges before and happy to dive into those again, but I think from a data perspective,
91
00:06:19,760 --> 00:06:21,600
data is the core of OmniChannel.
92
00:06:21,600 --> 00:06:25,120
And criminals are definitely taking advantage of it.
93
00:06:25,120 --> 00:06:31,040
Retailers have had a huge amount of cybercrime, small and medium business in general has,
94
00:06:31,040 --> 00:06:37,040
but retailers in particular, and I was reading a study recently about like where they were getting,
95
00:06:37,040 --> 00:06:41,520
and it was the, the majority was from exploited vulnerabilities, meaning some known
96
00:06:41,520 --> 00:06:43,280
vulnerability in some software.
97
00:06:43,280 --> 00:06:51,280
And retail was at significantly higher, uh, risk of those attacks than kind of a cross-sector
98
00:06:51,280 --> 00:06:54,080
section of the rest of the average of businesses there.
99
00:06:54,080 --> 00:07:00,720
And when I dug a little deeper into it, 71% of the time in an attack that kind of outcome of
100
00:07:00,720 --> 00:07:06,320
the attack was that the data was encrypted because there's all this data, like Roman said,
101
00:07:06,320 --> 00:07:10,960
there's all this data, customer data, in particular, which there are so many states and,
102
00:07:10,960 --> 00:07:17,600
and not to mention federal and, you know, just best practices of not breaching customer data.
103
00:07:17,600 --> 00:07:22,240
I think something like over 80% of customers said they'd stop doing business with a brand
104
00:07:22,240 --> 00:07:23,520
that breached their data.
105
00:07:23,520 --> 00:07:25,600
So the criminals are getting it.
106
00:07:25,600 --> 00:07:28,640
They're exploiting vulnerabilities, getting their data,
107
00:07:29,360 --> 00:07:33,600
customers ain't having it. So yeah, that's a, it's a huge risk to it on top of the
108
00:07:33,600 --> 00:07:36,160
technological and, um, and operational.
109
00:07:36,160 --> 00:07:39,040
So there's this benefit, absolutely that we just talked about,
110
00:07:39,040 --> 00:07:44,800
but there's also a, a, a risk that has to be adjudicated as you go into the omnichannel world.
111
00:07:44,800 --> 00:07:48,320
Interesting. All right. Yeah, you just mentioned, um, operational components,
112
00:07:48,320 --> 00:07:51,680
they're in any particular, you want to discuss there?
113
00:07:51,680 --> 00:07:57,040
Yeah, I think, you know, a lot of times people just think this is a systems issue or, or just
114
00:07:57,040 --> 00:08:02,240
don't think about it at all, but, um, that, uh, they just like, oh, turn that button on the website,
115
00:08:02,240 --> 00:08:08,400
right? I mean, that happens more than more than we would all like to know, but like, um,
116
00:08:08,400 --> 00:08:15,120
you know, by nature, different aspects of a retailer's business are siloed, not just technologically
117
00:08:15,120 --> 00:08:21,360
siloed, although they are, but even operational, they're siloed. The way, um, online merchants,
118
00:08:21,360 --> 00:08:28,480
digital merchants think about retail is different than those that work in stores, um, or those
119
00:08:28,480 --> 00:08:32,720
that work in the warehouse, they just think about things differently, though, they're not the same team,
120
00:08:32,720 --> 00:08:39,040
they're different teams. Operationally, they are by nature, they're siloed. And so you'll have like,
121
00:08:39,040 --> 00:08:44,480
systems show this up and we talked about this before that you'll have certain technologies that
122
00:08:44,480 --> 00:08:49,200
evolved as an online technology, and then they go and they say, oh, yeah, you can open up a
123
00:08:49,200 --> 00:08:54,240
store with POS, but then they don't think of inventory as a thing that exists in
124
00:08:54,240 --> 00:08:58,880
physically different places. And how do you get the order to those places? Because,
125
00:08:58,880 --> 00:09:03,600
to an online merchant, inventory is inventory. I got a hundred of them. I'm going to sell them,
126
00:09:03,600 --> 00:09:09,120
but if those hundred are split out amongst 16 stores, well, how you gonna fulfill them is very
127
00:09:09,120 --> 00:09:14,240
different. So I think that's high level, but it speaks to the kind of the technological challenges,
128
00:09:14,240 --> 00:09:20,080
but also the operational challenges. It takes a cohesive kind of melding of the teams to make sure
129
00:09:20,080 --> 00:09:24,080
that even the teams themselves are thinking about these things differently and what decisions they
130
00:09:24,080 --> 00:09:31,600
make have ramifications downstream or upstream throughout the organization. Yeah, um, yeah, yeah.
131
00:09:31,600 --> 00:09:37,040
I'd like to jump in for a second because it's, uh, it's interesting Kevin that used the silo. I was
132
00:09:37,040 --> 00:09:42,720
recently at a cybersecurity summit in Scottsdale, and we were talking about just that to where
133
00:09:43,360 --> 00:09:48,720
you have, um, and people do an inventory and receiving. You have salespeople, you have, uh,
134
00:09:48,720 --> 00:09:54,320
middle management. We have all these different silos that are doing their jobs, right? So they're doing
135
00:09:54,320 --> 00:09:59,280
their job. Yeah. And then as an upper management looks at it and says, great, everything's doing their
136
00:09:59,280 --> 00:10:07,200
job, but they don't see the gaps in between the silos. So it starts putting together a, um,
137
00:10:07,200 --> 00:10:12,800
a point of view that you need from somebody coming outside to look at your organization,
138
00:10:12,800 --> 00:10:18,960
to make sure that you are doing that crosswalking of silos to where those gaps aren't getting wider,
139
00:10:18,960 --> 00:10:24,560
even though they're doing their jobs. There might be some sort of security there or something that needs
140
00:10:24,560 --> 00:10:31,040
to happen in between there to make that customer data a little safer, um, to educate the staff.
141
00:10:31,040 --> 00:10:36,160
And that speaks to a lot of, uh, culture of, uh, of the company, which usually comes from the top
142
00:10:36,160 --> 00:10:42,880
down. It does. It has to come back to top-down culture and testing. Test, test, test, test,
143
00:10:42,880 --> 00:10:52,480
test these things. Absolutely. And back up, back up, back up, back up. Uh, well, this episode is,
144
00:10:52,480 --> 00:10:59,760
you know, very, uh, centered around the cost, uh, and the benefit of this technology, um,
145
00:11:00,480 --> 00:11:07,760
with regards to what risks you guys have been, uh, talking about. And so, um, what would you say,
146
00:11:07,760 --> 00:11:17,520
the cost, uh, benefit against the risk, uh, for opting to do, uh, OmniChannel is one, uh,
147
00:11:17,520 --> 00:11:22,240
considers these options. I think the, God, you, you first on this one,
148
00:11:22,240 --> 00:11:30,320
Roman, go ahead. Okay. Yeah. Cause I honestly, I think the, the cost benefit is totally outweigh, um,
149
00:11:30,320 --> 00:11:36,080
having on the, on the, on the cost side versus what you're risking. I mean, um, with certain compliance,
150
00:11:36,080 --> 00:11:42,960
I've seen people, uh, companies that are obviously getting sued. I've seen, uh, owners take personal
151
00:11:42,960 --> 00:11:47,760
liability because they didn't follow certain frameworks. We see this in the news every day.
152
00:11:47,760 --> 00:11:54,160
So having your cost of, say, storage space in the cloud or whether it's on premises, um, cost of
153
00:11:54,160 --> 00:11:59,680
security, getting somebody that knows what the frameworks are. They know how to implement solutions
154
00:11:59,680 --> 00:12:07,520
and they can work with the team of technology people, engineers to secure you is far gonna outweigh,
155
00:12:07,520 --> 00:12:13,120
the, you know, um, then getting breached, getting your name in public. Because it's hard to come
156
00:12:13,120 --> 00:12:18,800
back from that. I mean, Kevin already, uh, told us and, you know, that people will stop shopping with you
157
00:12:18,800 --> 00:12:24,240
if there's a breach and their information's out there. So realistically, just get, get a partner
158
00:12:24,240 --> 00:12:29,360
that can help you define what you need that's right for your organization. And I think the costs
159
00:12:29,360 --> 00:12:34,800
are pennies on the dollar. So you're saying, do it right, but it's well worth it. Absolutely.
160
00:12:34,800 --> 00:12:40,160
All right. Cool. I was going to say something similar. Scott. Yeah. I mean, I would say the, the,
161
00:12:40,160 --> 00:12:46,160
the benefits are clear. Um, the, the brands that are doing it right are excelling. They, they really
162
00:12:46,160 --> 00:12:52,400
are. They are, they are excelling. The market is growing like crazy. Um, and it's, it's honestly,
163
00:12:52,400 --> 00:12:57,280
it's a very achievable thing, but it does, to your point and to Roman's point, it takes a thoughtful
164
00:12:57,280 --> 00:13:03,200
approach and it takes, um, you know, uh, uh, a company wide, like a cultural thing, or you're, we're
165
00:13:03,200 --> 00:13:10,000
going to be omnichannel. And, um, a sloppy approach can definitely lead, lead, lead to trouble. Um,
166
00:13:10,000 --> 00:13:14,320
that, that article, the, the, the Forrester one I mentioned, talked about brands that were online that
167
00:13:14,320 --> 00:13:20,560
moved into retail, but, but didn't like fill those gaps to, to your point, Roman, and they struggled.
168
00:13:20,560 --> 00:13:23,840
And, and there is definitely some bankruptcies that have gone through out there. And I think we
169
00:13:23,840 --> 00:13:28,560
talked about a, uh, retail that I worked with personally that I saw that just kept throwing people
170
00:13:28,560 --> 00:13:33,040
at the problem instead of fixing the technology. And at some point, that's a lot more expensive
171
00:13:33,040 --> 00:13:38,720
than fixing the technology. So are there risks? Yes. And are there challenges? Yes. But they're
172
00:13:38,720 --> 00:13:43,520
overcomable with the right expertise and, and man, those brands that are, that are growing,
173
00:13:43,520 --> 00:13:49,040
you're seeing multiples and multiples of growth, uh, as a result. Correct. All right. So risk
174
00:13:49,040 --> 00:13:55,120
and reward. So risk is there, but, but then it's, it's done properly. Then that risk is down here,
175
00:13:55,120 --> 00:14:03,760
and the reward is, is, is much higher. Um, let me ask you guys a question. Um, there are, uh,
176
00:14:03,760 --> 00:14:08,560
you know, security risks with any technology. And, um, what, what, what, what, what are some of the
177
00:14:08,560 --> 00:14:14,000
security risks that people are facing today retailers are having to deal with today? And, um,
178
00:14:14,000 --> 00:14:19,120
how are they evolving? You know, are they, are they getting, you know, more challenging for them?
179
00:14:19,120 --> 00:14:22,800
Are they be getting, are they getting easier for them to handle? Like tell us a little bit about
180
00:14:22,800 --> 00:14:30,000
that. Kevin, you had the mic, so why don't you tell us? Sure. I think, um, the specific challenge that
181
00:14:30,000 --> 00:14:36,240
I think a lot of, um, a lot of the small, medium businesses in general are facing and a lot of
182
00:14:36,240 --> 00:14:43,680
retailers in particular are the complexity of, of, of technology that doesn't seem complex, yet
183
00:14:43,680 --> 00:14:48,960
it really is. Um, online is a great example, like to actually run an effective e-commerce site.
184
00:14:48,960 --> 00:14:54,800
It's not just one piece of software. It's dozens of pieces of software that are all working together.
185
00:14:54,800 --> 00:15:00,160
Like, um, we go online and we turn this app, I, I, I joked about earlier, check this box, check that box.
186
00:15:00,160 --> 00:15:04,720
It really is that easy on an online site to go, oh, plug this partner in, plug that partner in,
187
00:15:04,720 --> 00:15:11,680
and they literally have dozens of third-party apps that make the experience for us as a consumer
188
00:15:11,680 --> 00:15:17,680
what it is. But the challenge with that is that the, the, the, the bad actors, the hackers, the
189
00:15:17,680 --> 00:15:23,120
criminals, they're now starting to realize that each one of those represents potential vulnerabilities
190
00:15:23,120 --> 00:15:28,480
to exploit. And so it's not just, oh, I got to attack their website. It's, no, it is like two
191
00:15:28,480 --> 00:15:33,200
dozen ways in. I just got to figure out the one. And I think to that point, that's why some of
192
00:15:33,200 --> 00:15:39,680
the regulations are changing, like PCI V4 is saying, okay, those apps that you use on your website,
193
00:15:39,680 --> 00:15:44,720
that your client shop on their computers with, it's now your responsibility to make sure that
194
00:15:44,720 --> 00:15:49,920
they're cataloged, they're updated, you keep them secure, you're patching when you're supposed to patch.
195
00:15:49,920 --> 00:15:54,160
And this, you could directly correlate this to the statistics we talked about earlier. 41% of the
196
00:15:54,160 --> 00:15:58,960
breaches that retail experiences are because of an exploitable vulnerability. Why? Because there's dozens of
197
00:15:58,960 --> 00:16:03,680
potential vulnerabilities on systems out there. So I think that's where the regulation is going,
198
00:16:03,680 --> 00:16:08,720
and that's why it's going there is because of that vulnerability. I, I see it, I see it a lot,
199
00:16:08,720 --> 00:16:13,520
um, as Scott mentioned. I do a lot of the compliance, uh, here for One Step. And,
200
00:16:14,480 --> 00:16:20,080
time and time again, it, it, it's small little things that Kevin said that, that don't seem complex,
201
00:16:20,080 --> 00:16:25,920
that that will get you, uh, for example, the spear phishing and really just phishing in general. It's
202
00:16:25,920 --> 00:16:31,440
what's going to take most people down, because it only takes one email, click, and then, you know,
203
00:16:31,440 --> 00:16:35,200
your system's compromised. Now, hopefully you've had a security professional in there. You've
204
00:16:35,200 --> 00:16:40,080
had somebody look at your technology and see what you need. But as we see time and time again,
205
00:16:40,080 --> 00:16:46,480
it is just those little bits that we take for granted. I'm leaving out of town. I don't have time to
206
00:16:46,480 --> 00:16:51,840
look at this. I'm going to click there and then that's going to get you. Kevin earlier mentioned the
207
00:16:51,840 --> 00:16:57,040
millions of dollars that are going to flow through retail. Um, but one of the things he, he may not know,
208
00:16:57,040 --> 00:17:04,720
because I look at more criminal stats is, um, business email compromise is a billion dollar industry.
209
00:17:05,280 --> 00:17:11,680
And that should be scary. That should be scary to people because, um, it, it's real. Now, how do we do
210
00:17:11,680 --> 00:17:17,440
that with the PCI? As Kevin mentioned, the frameworks are changing with PCI 4, um, they're kind of
211
00:17:17,440 --> 00:17:23,200
spreading the risk liability from credit cards to retailers and vendors, but it's nice because now
212
00:17:23,200 --> 00:17:28,800
there's a vendor management program set up to where, as Kevin mentioned, all 12 of those plugins,
213
00:17:29,440 --> 00:17:35,520
you can reach out to them and have them give you their security certificates. Um, you do have to do
214
00:17:35,520 --> 00:17:40,960
ongoing security training for your staff that once, you know, yes, those were in there, but they're not
215
00:17:40,960 --> 00:17:45,840
being, uh, enforced. Now we're going to see a lot more enforcement of some of these things that are
216
00:17:45,840 --> 00:17:49,840
going to make everybody safer at the end of it. I think we're all going to be better for it.
217
00:17:49,840 --> 00:17:56,480
I think, um, the prevailing attitude is that if I, if I get a technology that someone else is,
218
00:17:56,480 --> 00:18:01,520
is doing the security, that's been the prevailing attitude that I've seen with retail in particular,
219
00:18:01,520 --> 00:18:05,680
is that, oh, that's somebody else's thing. I'm, I'm just going to assume that they're, they're doing it.
220
00:18:05,680 --> 00:18:12,720
Right. And, um, you know, I learned from you, Scott, uh, that we need to trust, but verify that
221
00:18:12,720 --> 00:18:18,560
people are taking security measures because at the end of the day, if a breach occurs, we can blame
222
00:18:18,560 --> 00:18:23,360
anybody we want, but, but if it's our business and our customer data, then we're the one that's left
223
00:18:23,360 --> 00:18:28,560
told me. So I really think that approach is just so important to, to take.
224
00:18:28,560 --> 00:18:34,880
So the ostrich with the head in the sand isn't going to go, you know, yeah, we're just looking
225
00:18:34,880 --> 00:18:42,000
over our shoulders. Somebody's doing that, right? That's, yeah. All right. So I think we're getting
226
00:18:42,000 --> 00:18:47,920
pretty far in this episode, but, you know, PCI is, you know, it's been around for, well, over a decade
227
00:18:47,920 --> 00:18:53,440
now, I think we're up to version four, um, you know, this one's going to be for real, right?
228
00:18:53,440 --> 00:19:02,160
I know the stakes are getting bigger and retailers are starting to wake up to this whole concept,
229
00:19:02,160 --> 00:19:08,000
a bit more than what you're talking about, Kevin, where, well, it's, the software I'm using is
230
00:19:08,000 --> 00:19:13,520
supposed to be PCI compliant, so it's somebody else's problem. Thank you for lining more. So, you know,
231
00:19:13,520 --> 00:19:18,960
Roman, what, what do you have to tell us about like the security that we need to worry about or consider
232
00:19:18,960 --> 00:19:25,920
with regards to this current version of PCI? Um, you know, I think I've mentioned this once before,
233
00:19:25,920 --> 00:19:32,560
but plan your work and work your plan. I mean, it's, it's on the business at it and we're done.
234
00:19:32,560 --> 00:19:40,880
No, but it does ring true because on these new requirements, you do have training that you have to
235
00:19:40,880 --> 00:19:45,840
do annually and it has to be acknowledged. So it's not something that you can just pencil-whip,
236
00:19:45,840 --> 00:19:49,680
you know, and say, yeah, we've done it and you literally need people to acknowledge that they've
237
00:19:49,680 --> 00:19:56,960
done training before. Um, and that goes far reaching into the system. You do have, uh, backup,
238
00:19:56,960 --> 00:20:03,760
continuity and disaster, you have risk assessments, you have, um, incident response plans, all of these
239
00:20:03,760 --> 00:20:13,120
now have to be done and, uh, on paper written down. Shocker. Oh, I know it's, it's actually,
240
00:20:13,120 --> 00:20:20,000
that is probably one of the biggest pieces of the puzzle for businesses. Um, everybody has an idea
241
00:20:20,000 --> 00:20:25,440
of what they're, what they're going to do if X happens. We'll do Y. That's fine. Um, but it's not
242
00:20:25,440 --> 00:20:31,760
written down. So that means if the person that's responsible for it is on vacation in Aruba and you
243
00:20:31,760 --> 00:20:38,400
just can't reach them, nobody will know what to do. So write it down, make a plan and practice. And
244
00:20:38,400 --> 00:20:43,040
that's what I mean by work your plan. Practice. Just see what happens if, you know, somebody calls up and
245
00:20:43,040 --> 00:20:50,080
says, Hey, it's got the servers. You're down. What do we do? Right? And you have a, you have a plan that
246
00:20:50,080 --> 00:20:55,600
you've already put into place. You know where to find it. That's a big key. And you basically go step
247
00:20:55,600 --> 00:21:00,640
one, two, three, four and practice. So I would say that that's one of the biggest things that this
248
00:21:00,640 --> 00:21:05,920
PCI is really pushing forward. And then, as I mentioned, the vendor management. So that you can't,
249
00:21:05,920 --> 00:21:10,960
you know, that we can't blame somebody else. You have to have something that says, no, I've talked
250
00:21:10,960 --> 00:21:15,360
to them. They said that they were secure. They gave me the certificate. And now your liability is,
251
00:21:15,360 --> 00:21:20,320
you know, transferred. And that's that's kind of what you do with the risk, right? Transfer it.
252
00:21:20,320 --> 00:21:26,000
Roman, I was reading something about PCI. I wanted to ask you about since you're the, the expert on it,
253
00:21:26,000 --> 00:21:30,720
the, you know, the prevailing thought amongst brick and mortar retailers was always, oh, well, my credit
254
00:21:30,720 --> 00:21:35,680
card company's doing that. And as long as they say they're, they're PCI, I'm PCI. And I think online
255
00:21:35,680 --> 00:21:42,480
merchants, it's the same thing. Oh, well, I, I work with whoever, whatever payment portal I work with.
256
00:21:42,480 --> 00:21:48,080
But I was reading and maybe you can confirm this that that one of the things is changing now is that
257
00:21:48,080 --> 00:21:53,440
when the payment card provider says they're secure, all they're saying is that their device is secure.
258
00:21:53,440 --> 00:21:57,760
They're no longer saying that the retailer is, oh, yeah, you're, you're PCI compliant. They're just
259
00:21:57,760 --> 00:22:02,480
saying, I don't know, we are not necessarily your organization is as a retailer. Is that right?
260
00:22:02,480 --> 00:22:09,520
You, you have that absolutely correct. And I, you know, I can change, right? That's a,
261
00:22:09,520 --> 00:22:15,440
that's a change of this new one, isn't it? Yes, and no, depending on what, so there's multiple
262
00:22:15,440 --> 00:22:21,280
avenues in which you can take payment as we all know. I've got a credit card device. I write it down.
263
00:22:21,280 --> 00:22:26,560
I take it over the phone, right, in person. So there's all these different methodologies and
264
00:22:26,560 --> 00:22:31,920
the credit card companies understand that so that they make different rules for different
265
00:22:31,920 --> 00:22:41,840
ways of ending, right? But to your point of when the processor is doing their assessment of your system,
266
00:22:41,840 --> 00:22:48,640
they're looking at it from outside in and they're only saying as you said, my device is PCI compliant.
267
00:22:49,280 --> 00:22:54,800
Because PCI compliance goes to segments of networks. If you've ever made a purchase over the phone and
268
00:22:54,800 --> 00:23:01,120
you heard, we are recording this call for quality assurance. Well, now if you have to give them your
269
00:23:01,120 --> 00:23:08,720
credit card number to buy something, their phone system is actually in scope for PCI. Have they
270
00:23:08,720 --> 00:23:15,280
secured it? Have they secured that recording? We don't know, right? So it's a broader conversation
271
00:23:15,280 --> 00:23:20,160
where once people thought, oh yeah, I just, you know, take a card. It's fine. Well, have you written it down?
272
00:23:20,160 --> 00:23:29,120
Do you destroy that stuff afterwards? And so it's a pretty unique scenario that the credit card
273
00:23:29,120 --> 00:23:35,680
industry PCI industry has pushed back onto us because we start looking at things a little bit
274
00:23:35,680 --> 00:23:41,280
outside of the box and what we used to. So, right. Again, get a professional to help you look at it.
275
00:23:41,280 --> 00:23:47,040
I laugh because earlier, I mean, literally today I've talked to three people specifically about this
276
00:23:47,040 --> 00:23:51,280
when their processor said that they were self-assessment questionnaire,
277
00:23:51,280 --> 00:23:57,760
SAQ is the acronym, X. And I started asking them questions and I said, you are outside of that scope right
278
00:23:57,760 --> 00:24:05,760
now just by that question. And they're like, really? Like, yeah, they didn't know. It's their ownership
279
00:24:05,760 --> 00:24:11,600
to know, but it's not their job to know. All right, guys. Hey, Roman and Kevin, thank you so much for
280
00:24:11,600 --> 00:24:17,680
your time today. This is extremely interesting. I hope you guys all found this episode interesting and
281
00:24:17,680 --> 00:24:26,560
valuable. So we discussed just how valuable your company's data is in today's world. We discussed
282
00:24:26,560 --> 00:24:34,480
the challenges of securing it and all that goes with that. So your data is worth more than gold.
283
00:24:35,200 --> 00:24:42,800
And the risk versus the reward of going omni is there. So just get the professional help,
284
00:24:42,800 --> 00:24:48,080
know what you need to do and do it properly and then take advantage of what
285
00:24:48,080 --> 00:24:55,520
those retailers that are doing this now are getting. So I know how much effort it takes to build
286
00:24:55,520 --> 00:25:02,400
valuable data and I hope you guys got some ideas on how to protect it today. So remember,
287
00:25:03,440 --> 00:25:08,720
we stand ready to help you. Just give us a call and let us know if you need any help until next time.
288
00:25:08,720 --> 00:25:12,560
Have a great week and remember to stay safe.