The Trillion-Dollar Credit Card Industry is Moving Costs of Charges and Fraud Down to Your Business

The Trillion-Dollar Credit Card Industry is Moving Costs of Charges and Fraud Down to Your Business - Webinar

Will Nobles: All right. So, we are just going live with our webinar. We're going to give a little bit, let a few people in and we will get live going here in a second. Welcome to the Vector Choice webinar. The trillion-dollar credit card industry is moving and its costs, charges and fraud down to your business and where and what do you need to know? So, we're going to get started here in about 30 seconds, but love to see you guys joining. Love the ones that are joining so far on Facebook. And stay tuned with us. And we will get started here in a second. All righty, guys. Well, let's go and get started.

Will Nobles: Today we're going to be talking about the trillion-dollar credit card industry and where it's moving the cost charges and fraud, where they're pushing it down to you and what you need to know. I've got some awesome speakers, but before we talk about awesome speakers, let's talk about me a little bit. My name is Will Nobles. I'm the founder and CEO of Vector Choice. I've had the company for the past 14 and a half years and I've worked Fortune 100 and Fortune 500 companies in all kinds of aspects when it comes to networking and security. One of our special guests here today are Jon DePerro. Jon is my Chief Compliance Officer here at Vector Choice. Amazing background from counterintelligence, the NSA and all the above military guy. So, Jon, thank you so much for being with us today.

Jon DePerro: It's great to be here. And you are a great speaker, too. You don't have to separate yourself off introductions. You are a great speaker, Will. Give yourself some credit.

Will Nobles: I appreciate it, Jon. So I see, Jon, that you're in a different location than normal. I know. I just made it to Nashville, Tennessee today. Where are you setting?

Jon DePerro: Miami

Will Nobles: Miami. So, it's a little warm down there?

Jon DePerro: Same as St. Pete, but it is a little warm.

Will Nobles: Good to hear.

Jon DePerro: We have air conditioning in St. Pete.

Will Nobles: I don't think Nashville right now has ac. I think they still have the heaters on here. But it is very warm today in Nashville. But also we've got a special guest, Dan. He's a partner in charge information assurance at APRIO. Dan, tell us a little bit about yourself as well.

Dan Schroeder: Hi, Will. Had to find the mute button there. Been with APRIO for over ten years. Big CPA firm based out of Atlanta. We do business around the country. This thing of information assurance services is in many respects it's all about compliance, audit information security, and PCI has become a big portion of our business. Atlanta is in many respects, is a fintech sort of capital, one of the capitals of the nation. A lot of companies processing credit card related data merchants, service providers and the like. And so we've been in the PCI business for over ten years and we just support a whole bunch of different companies that are really trying to make sure they're doing the right sorts of things to protect their data, their cardholder transactions and other sensitive data.

Will Nobles: Awesome. Well, Dan, appreciate you coming on today, being with us, educating our customers, as well as other people watching out today on educating them on PCI with you and Jon Deperro. First, I want to share a little bit about Vector choice with everyone. Vector choice is an IT managed security compliance company based out of Atlanta, Georgia. If it wasn't for my executive team, I would not be a stay going. So, Sarah, my say Jon doesn't like this, but always say she's the smartest person in the company because she's the only one that's got the PHD in the company. Then we got Jon, Beau Dickie.

Jon DePerro: She's the smartest because she's not the IT lead. She got a PHD in something other than it. That's what makes her the smartest. The rest of us are second guessing our career choices.

Will Nobles: That is true sometimes, for sure. And then we got Beau Dickie, which is our Chief Security Officer. He's done everything from law enforcement to development all the way up to hacking and cybersecurity there. Got an awesome management team even setting on moderating today, Mrs. Chelsea Vicknair. She's coming back just in January from having a beautiful baby. And so Chelsea will be on with us. If you guys have any questions for us, please put in the Q&A. Chelsea would break and shut the three of us up, which is kind of hard at times, especially between me and Jon, to get us to stop talking. But Chelsea will break in. So put in the Q&A and she will make sure we get those questions answered for you as well. So, what does Vector Choice do? We do everything from your IT level one support.

Will Nobles: I can't print, my computer doesn't work, all the way up to Compliance and CTO services and all in between. For dark web monitoring, we do phone hosting, cybersecurity cloud services, and we're very heavy, obviously, with Jon in the compliance realm there, we've had a privilege and honor to get a lot of different awards. We've made the Inc 5000 for the past four years in a row. The MSP 501 for the past four years, and MSP 501 is the top 501 managed services providers in the world. And we made 111 this past year and other different awards as well throughout.

Jon DePerro: Number two in emerging companies, we're actually number two in their new topic for emerging companies.

Will Nobles: Awesome. I keep forgetting, Jon, we need to definitely add that up there. I keep forgetting that. So, thanks, Jon. Jon actually went and accepted that award for me because I was tied up at another conference, and I keep forgetting that. Also, location wise, we've got clients all over the country, but we have offices from Philadelphia down to Baton Rouge, Louisiana. We are based out of Atlanta, Georgia. I even got an office in my hometown in New Bern, North Carolina. So, I moved from the home of Pepsi, Jon, to the home of Coca Cola. I don't know if Jon, if you even knew that, but that's a little of my celebrity aspect of Pepsi and Coke there. So, one of the things I want to share with you guys is a new book, Compliancy Formula.

Will Nobles: If you're a CMMC, I know we're talking about PCI today, but CMMC, if you're doing any work for the DoD and any government work, you have to be CMMC compliant. That book comes out March the 30th. We'll be advertising that. It'll be on Amazon, so you can buy that book on Amazon. It's not as smart as Jon writing the book, but you know what? I'm second best up to him. So, guys, let's get down to the guts of it here. We're talking about PCI. We're talking about credit card risk. Both of you, give me the definition of PCI and what is PCI?

Dan Schroeder: Payment Card Industry. This is a standard that was put forward by the big card brands, Visa MasterCard of the world. It goes back maybe 15 years or thereabouts. Relative to protecting cardholder data. It wasn't too long ago, some of us can remember, when you'd hear about credit card breaches very often, right? Some of the big merchants and whatever used to be in the news much more than it is now. But PCI is all about a set of security related controls and standards that any organization that comes into contact with what's known as cardholder data, think of the 16-digit primary account number on your credit card and the expiry date and the CBB code and that sort of stuff.

Dan Schroeder: Well, obviously that's a big target for hackers to get a hold of, because what they've done in the past is you steal that data, the credit card data, and next thing you know, there's fraudulent transactions. So, there's a big target on all that. It's worth money in dark markets, black markets, if you will. And so, PCI is this standard that says for merchants and for service organizations and even service providers, many service providers, if you will, that have access to information systems where that credit card data is, was a set of standards about how companies should go about protecting that data. That fundamentally is what the PCI data security standard is all about. Jon, you want to weigh in on that as well.

Jon DePerro: Yeah. What I'll add, everything is dead on. It's just that essentially, over the years, they've learned what cost them money and they put a new control out. PCI DSS is the standard, right? One, two, three. Now we're getting ready in March for PCI DSS four. All new, very robust. And it's all the questions, standards, controls that, based on 50 years of credit card losses that they've learned, these are the things we need to do differently to protect ourselves. And when I say ourselves, I mean visa, I mean Mastercard, I don't mean Jon and Will. Right? So, the rules are written by the credit card companies. And I think that's very important that people understand it's not optional. You can't get different PCI rules from one company to the other.

Jon DePerro: The rules are the rules, and it applies to everyone who takes Visa, Mastercard, America Express, Discover and ACH.

Will Nobles: So, Jon and Dan both. What changes? I mean, Jon, you just mentioned March, right? The change in that March is, I can't believe March of 2023 is only 15 days away. But what changes are happening in March that is different than today?

Jon DePerro: So, like I said, like insurance companies, everybody else, everyone's looking backwards at what cost them money previously and trying to put controls in place. And some of those controls are now being a better understanding of the full scope of that cardholder data environment that we talk about. That's anywhere that Dan talked about. What is cardholder data? Right. It's anything in your environment that touches it to include the people. Right. I'll give you an example. I was talking to one of our clients last week, and they talk about PCI compliance, and were talking about the changes, and they said, well, it's okay for us. Everything is web based. We don't even just do a web portal. So, your clients call in and what? And they go, yeah, it tells the number to put it in.

Jon DePerro: I go, well, I know for a fact we've heard your phone calls for customers like, hey, this call is being monitored for training. I go, doesn't that recording have their full credit card payment information? And, like, the deer and headlights, they're like, oh, my God. We never thought about it. We're literally recording everybody's payment information. It's not the end of the world. I'm not saying you can't do that, but you have to take into account, where is all that cardholder data? You put it in a computer. Computers have perishable memory. People, employees. Does your employee have cardholder data?

Jon DePerro: The biggest change, without getting technical, for me, for PCI, DSS four is the requirement for every single vendor, I don't mean the credit card companies, I mean Bob's hardware store, to have a scoping document where they fully understand where all the cardholder data sits in their environment. How about you, Dan?

Will Nobles: Before Dan answers. So, you're telling me the guy that does my hair and I go get a haircut and I swipe on his little square, does he have to meet those as well?

Jon DePerro: He absolutely does. Now, what does he. You mentioned square, right. Which is actually another cold. And so, names were the names. They just had a big compromise this past year, right? So, they're changing the terms and conditions. You have mobile devices. Those mobile devices have the cardholder data. They're on your Wi-Fi network, right? So, people think there's a misunderstanding about who owns risk. PCI DSS four is reshaping that. You don't get to just blame square if you're in charge of your own wireless network that it's on, or if your employee takes the card and goes in the back and is in physical possession away from the cardholder. These are the new aspects that they're asking you to reassess. No one's saying you can't do those things.

Jon DePerro: You just have to be honest in your scoping document, that is how you're processing, storing, and transmitting cardholder data.

Will Nobles: Dan, your thoughts on changes?

Dan Schroeder: So, we've been operating under a protocol that's been known as version three, two, one, and it's been around for four or five years, three, two. And fundamentally, 30 goes back seven or eight years or whatnot. And a lots obviously happened to technology in that span of whatever it is, five or six years to now. In terms of the technology footprint used by merchants, used by service organizations, as well as the nature of the threat landscape, much more sophisticated. 40 is intended to really catch up that security protocol that's more in line with the more current needs for security across the payments landscape. And so, it does that by putting, as Jon was saying, more responsibilities on any entity that is processing cardholder data. And so, 40 is a big step in that direction. There's a couple of different waves of requirements.

Dan Schroeder: There's an initial wave of requirement that was released this past March and it becomes fully effective March 31, 2024. So, three, two, one is phased out, then no longer is that applicable. 40 comes into place. There's an initial preliminary set of, not preliminary, but initial set of base requirements for four that go into effect then, and then a subsequent set of requirements that go into effect no later than March 31, 2025. The initial set for companies that are familiar with PCI, and they've been doing three, two, one. It's pretty modest, the nature of the changes, more emphasis on responsibility, like what Jon was talking about. But that's pretty much the second layer of the changes that are what PCI right now calls best practices or future data changes. That can be a heavy lift for many companies, be they merchants or service providers.

Dan Schroeder: Just keep that in mind. And so, what we're telling people is make sure that you understand what this means to your business, that you certainly get the base stuff underway. For many businesses, they're going to need to go through a budget cycle later this year to deal with the changes that they're going to need to put in place in 2024 so that they're ready for 2025.

Jon DePerro: Yeah.

Will Nobles: And I've even noticed a lot of changes, especially with restaurants. They come to your table, they tap or scan you, do your credit card right there at the table with you. So obviously, a lot of the bigger chains are already making those changes and everything. So, what changes affect the small business? What is a small business going to have to do if we do not get too technical. Right. But what are the things that are sort of the steps, Jon and Dan, that they're going to have to do that's not just credit card related, but to their network.

Dan Schroeder: Jon, you want to start? You want me to?

Jon DePerro: Sure. Sure. The very first thing I tell everybody is what PCI calls a scoping document. First, you have to lay out what you have, and you have to lay out who's responsible for it. Right. Even in a small business, you may have an IT company that handles your network gear, infrastructure, the Wi Fi. You may have a card merchant who's bringing the hardware for payment, but it's on your network. You might also have other vendors, maybe your website, if you order on the website, might be a different card processor that's built in through the website. Right. So even in a small business, if you have a blended sales distribution like online and in person over the phone and delivery, you can have a pretty complicated. Who's responsible for what PCI environment?

Jon DePerro: The very first step is to have a partner who understands PCI help you with the scoping document. Like Dan said, some of the changes are going to be brutal. Some of them we think are weird. But like rogue wireless scanning once a year, does that apply to you? You need a partner that can help you understand the scope of your current environment, what changes affect you, but then also stay plugged in with as your business grows and changes, are you moving to all mobile payment will? You mentioned the tablets, right? They're really convenient. They go to the table. There's a lot of upsides to it. Does it come with additional security requirements when you have a device that can be swiped off of a table at any time? Right.

Jon DePerro: So, you just need a partner to help you understand the interoperability of multiple vendors and a responsibility matrix of who has to do what in the process. Because I will tell you the bottom line, the owner, the CFO, it's the client who has to fill out that self, that SAQ, and put their name on the blame line. You don't get to say, well, it was my security company that failed to lock the door. Like, nope, you're the one that filled out the assessment saying you'd protect the cardholder.

Dan Schroeder: Yeah, I agree with all that. Most small companies that are subject to PCI, they're going to be doing what Jon referred to as an SAQ self-assessment questionnaire. The question is whether they fall into the category of being a merchant or whether they're a service provider. Occasionally, some will be both. Chances are they're one of those two. For the time being, those SaQs under three, two, one. We're saying they're not going to be changing. The requirement isn't, again, they're not going to need to fully submit a 40 SAQ until 2025. But at a minimum, they're going to want to understand what changes are occurring for 40 that are relevant to them and make sure that they're addressing that. For companies that are. Let me just say this.

Dan Schroeder: For any companies that are a part of today's call that are service providers, you can certainly expect service providers are getting a lot more attention and oversight these days from the merchants that are using them, other service providers that are involved in that business, because everybody is concerned about that third party that potentially has access into my network, into my data, or they're doing some processing for me on my behalf, because those risks that are represented by that third party, if they mess up, then the company that's using it is going to be responsible for that. There's certainly a huge wave of activity that's been underway now for a year or two, and it's going to continue with respect to oversight of service organizations.

Dan Schroeder: So even the smaller ones we see, and this is an area I think that's maybe been a little bit overlooked in the past, and that is if I'm a service organization, a managed service provider, maybe that case, and I have access into a larger company, into their network, into their environment where they're doing their PCI related processing, that company that's using that MSP or that service provider needs to take steps to see that service provider is compliant with that's, and that's their responsibility under PCI. So, I think there's going to be more scrutiny around that. And so that means that service provider, they might be relatively small, but again, they're supporting an environment for a larger company, can expect that they're going to be getting more of those calls or more of those inquiries. In terms of are you compliant with PCI?

Dan Schroeder: Because if you're not, I may not be able to use you.

Jon DePerro: And if I can piggyback one thing on that, there's another wrinkle to it that we don't look at. We look at the SAQs and PCI requirements. Those come from the payment card industry. There's another layer for a small business merchant, and that is the deal you signed with Bob's credit card processing company, the guy who brings your machine and services it for you. At Vector choice, I review, as you know, I review those contracts with our clients with literally a highlighter to pull out all language I've never reviewed, one that didn't have clauses in it that went over and above what PCI makes them do based on the type of business they are.

Jon DePerro: So, PCI says you have to do one, two and four, but the contract you signed with your merchant provider says you'll do one, two, three and four, if that makes sense. Right. So, I want to make sure we're not also confusing that just because you've got a PCI assessment done and you're PCI compliant, it doesn't necessarily preclude you from being sued by your merchant provider for not meeting the terms of that contract. And this is why one guy charges four points, another one's three and a half because they may be putting more responsibility on you. And what triggered that one was Dan was talking about the shared responsibilities of who has what. That's another layer. Yes, there's a service provider. He is dead right about that. So, you need to have partners who know what they're doing.

Jon DePerro: There's you as a company who takes credit cards. The third wrinkle we have to make sure we're addressing is the company you chose. If there's extra language, they put in the know.

Will Nobles: Jon, I remember the days where you can go to a website, you click the link and it comes back and says, oh, you're PCI compliant. Are those days over that? It's just that quick little website scan?

Jon DePerro: Yeah, I'd argue they were never around. People hear what they want to hear, right? They read what they want. Everyone wants the good cheap message. The scan is important. There's something called an approved scan vendor and many credit card merchants will push you to the one they've preselected. That's fine, that's valid. Normal part of the business. The scans are great. They don't change the fundamental requirements that you have. We're on a call with, well you know who was, we have a client that serves multiple retail entertainment locations across a couple of states and I'm talking to the CFO, and we brought up from the SAQ a specific question. Who at your company?

Jon DePerro: I asked our client, the CFO who at your company is taking a new device, the credit card device, and making sure all the baseline admin passwords are removed before you put it into production. And he's like oh I have no idea. Well guess what, it's nobody, right? If you don't know who's doing it then the answer is no because PCI DSS they don't grade on a curve or give you credit from almost right. The question is are all devices not our 90%, not our 50%? You could have 1000 devices that are right and one that is wrong. And your answer to that has to be no because it wasn't all devices. And that's where understanding who's doing what in the process is. Dan's the auditor though, you should get. Dan's the one. He's the real auditor.

Will Nobles: What do you think about know? I hear my clients say oh I did the PCI scan and it said I was PCI compliant. How's the changes going to affect those types of quick scans?

Jon DePerro: Like.

Dan Schroeder: There's certainly that scan that you're referring to that Jon mentioned is the approved scanning vendor scan is a once a quarter thing, and all that's doing is taking a look at your network and stuff that's externally available, IPs and Whatnot, and seeing if you've got vulnerabilities that are on there. And if you do, you need to get those patched and then get a clean scan. That's well and good, depending upon which SAQ and which requirements you're subject to. There's a lot more to it than that. There's protection of your endpoints, there's management of your application, there's management of your access, et cetera. Otherwise, your network access, et cetera, management of your third parties. So, there's a whole lot more to it, but it's not uncommon for people to think, I passed that scan where we're all good when that's great.

Dan Schroeder: That's kind of a fundamental, but it's a very beginning fundamental.

Jon DePerro: Right?

Dan Schroeder: Again, a lot depends upon the nature of your requirement and how broad your PCI requirements are, because they can vary significantly. But just because I'm clean from the outside looking doesn't mean I'm clean from the inside in terms of what I'm doing. Do I have people that have access to data that shouldn't have access to it? Do I have sensitive data actually secured properly, et cetera. So, I think to say that I've got a good, in summary, to say that I've got clean scans, I'm all good is really a false sense of assurance.

Jon DePerro: Yeah.

Will Nobles: So, Dan, you're telling me if I'm a restaurant and I have a Wi Fi, that my devices, I'm doing the credit card scanning, and my guest are on that same Wi Fi, am I secure?

Dan Schroeder: I don't think you need me to answer.

Will Nobles: Playing no, I won't say dumb. I'm playing the unknown here as I'm asking you guys these questions, kind of.

Dan Schroeder: Like a rhetorical question, but for the record, I'm going to say, no, you're not.

Will Nobles: All right, guys, what is the cost? I guess obviously each company would be different. Like, what's the cost to implement this type of stuff? And then maybe what is the cost of losing your ability to run credit cards? So, let's talk about both sides of that real quick.

Jon DePerro: The trick with cost is it all depends on where you're starting from. If you've taken, like Dan has said, that the new requirements for most small merchants are not going to be huge and horrible. The problem is going to be is that the new emphasis and enforcement on making sure you were doing them. If you've been pencil whipping it, running a scan saying, I'm good, I ran the scan. That lift could be substantial because PCI assumes you're already compliant. So if they add one or two or five new things to them, it's a small lift. But if you're going from 5% compliant to 100% compliant, it's going to be painful. That's why we've been advocating let's get the assessments and the scoping documents done now. Let's plan this over a year. Let's spread the spending over a year.

Jon DePerro: Let's identify any critical deficiencies right now. Like that you're running on an unsecured, wide open guest network all your payment information, right. And that you have the same username and password for the modem that the cable company gave you. So maybe let's identify that stuff now and get you on a roadmap. And then the next big cost is going to be people who are. I think there's a huge cost coming for service companies and not necessarily they need new stuff is that they're constantly going to be having to demonstrate their compliance to all their customers. Like it becomes death by 1000 cuts. If you're constantly having to show your clients that you're compliant and you're compliant for their specific environment, it gets busy. I mean, how much time will you've owned an MSP for years, ten years ago.

Jon DePerro: How long did it take you to fill out someone's insurance or PCI questionnaire form?

Will Nobles: Not long at all. Now it's totally different.

Jon DePerro: Well, it takes you even less time because you hired the entire division to do.

Will Nobles: I don't have to do it, but.

Jon DePerro: How long does it take us right now? It's a project. It's literally a project. We put a ticket in the ticketing system it becomes an assigned project. Now it's not like I'll hear, I'll answer these things for you. It's now a no kidding project. So, if you have to do that across 100 clients that you have, it could very well be a full-time job for a new employee. So, some of the costs are not hard costs of, well, now I need a pen test and those cost x number of dollars a year. Some of it is an increased process. Yep.

Will Nobles: Dan, what about you on the call side? Dan, talk more about the cost of losing the ability to run credit cards for companies. I'm sure you've seen with auditing, I'm sure you've seen that.

Dan Schroeder: Well, we've seen companies have breakdowns in security that have really caused them to not be compliant and not being able to demonstrate that to customers and prospects can put the business at risk. And certainly, it creates a really awkward situation for them. Okay. So, it's painful. Nobody wants to go there. Okay. It's kind of an extreme when people are losing, I think the extreme for people losing their ability to process cards or if there's an egregious situation that happens at a merchant, for example, and they can't do it. If you're a service provider and you can't demonstrate that you're compliant, you can't meet the standards, then people are going to go somewhere else to get another service provider. If you're a merchant, then you're just going to get cut off by your bank or your acquiring organization, et cetera. So it happens.

Dan Schroeder: And I think that the industry, I think there's just less tolerance now is happening with respect to the non-compliance and adherence to the particular standard. So that certainly is a thing with 40, if you're subject to the full range of requirements under 40, there certainly are some more enhanced requirements around encryption. There's much bigger emphasis on access controls. You have to have not just MFA into your network, but subsequently another layer of MFA into the enclave that may be supporting cardholder data. So that needs to happen. It needs to have automated review of logs if you're not already doing all of that, et cetera. So there's some of that. And like I said, depending upon where you're at, that could be costly and difficult for some companies to put that in place.

Jon DePerro: The good news is whether it's the FTC with their new safeguards, whether it's your insurance company, you actually see a lot of external organizations or authorities pushing you to very similar standards, if not the same standards, right? So, another advantage of doing this, right, whether you're doing PCI, right, and then it drags along insurance, or you do your insurance, right, it'll drag along. A lot of this is not going to be tripling or quadrupling spend. If we align it right, we can pick a solution we call a control for a requirement that addresses everything across HIPAA, PCI, our insurance, and your state's information security requirement.

Jon DePerro: The right partner is going to look at all those things and get the most bang for your buck and say, I'm not going to spend a dollar four times, I'm going to spend $2 once, but it'll cover me on four things.

Dan Schroeder: Hey, I'm going to build up. I think that's a terrific point, Jon, so thanks for bringing that up. This sometimes can get confusing, the fact that what is PCI? PCI is a robust security standard that you're required to do if you have cardholder data. We've got companies that actually apply PCI when they don't have cardholder data because it's a good standard. But you could apply it to some other trove of data, so you could exchange cardholder data for sensitive data, Phi Ephi, some other form of PII, some form of IP. And the concepts are the same. You want to encrypt it, store it safely, minimize who has access to it, all of those sorts of things. The same concepts apply here. These are, in other words, they're just good security standards that happen to be required if you're doing cardholder data.

Dan Schroeder: But they're extremely relevant for any scenario where there's a high risk related to sensitive data.

Will Nobles: No. Okay, well, guys, my last question here is, what can a company do this year in 2023 to actually start prepping for that? Where do they start? I guess that is the biggest question. Where do they start at, Jon?

Jon DePerro: Well, like I said, find a partner who knows what they're doing and ask them to come tell you. Right. Let us in. We're going to look underneath the tablecloth at everything you swept under the rug. Right. Let us come as a partner who works for, have we had credentialed PCI guys, if they go do a credentialed PCI audit, really? They're providing that audit for the bigger PCI community environment. Same thing with CMMC or anything else. Have a partner that's going to come in and show you exactly where you're deficient with a realistic plan to make you compliant that Rome wasn't built in a day. And ideally, it's the partner that can help you do a crosswalk between all your business security requirements, whether it's your insurance or the government or whoever it is. So, to me, it's start with a scoping doc.

Jon DePerro: Start with what we call gap analysis and a scoping document. And I love Dan's point. You're right. You could be an architect firm and just know that if my designs get out, it's essentially the only thing I have to sell is my design. Right. You can apply it to anything. And I will say there's kind of a three-legged stool of the security compliance world. One are the security controls, which PCI definitely is. One is the paperwork side, which is policy procedure. Right. HiPAA is real big on and a third leg. Is recovery long? If something bad happened, how long to get back? PCI does a great job of assessing one leg of it, but we can overlap the other legs to give you a complete business solution for security and appliance.

Dan Schroeder: Dan, you say, I agree, you've got to know what it is before you can protect it. So, what exactly is the nature of the data? Where is it at? How can I tighten that scope to minimize the effort associated with all this? And don't assume, I think this happens a lot, quite frankly, with saqs, that there are some assumptions that we're doing those things when we're signing. Yes, no. Whether we're doing it or not, I think you're rolling the dice a little bit with that. If you're doing it, because you may not be doing it or you might get challenged on that and it could hurt your reputation. So I think that all just parallels and just sort of adds to the great advice that Jon had.

Jon DePerro: Great. And what I tell people, if you don't know, let's say you're interviewing a partner, a solution provider, and take your Saq, grab one that you don't understand. You're a CFO, you have no idea what encryption, I don't even know what this is. And they say, oh, yeah, we do that. Show me. They should be able to show you. They should have, Dan talked about those automated logs. They should have logs we call artifacts and evidence. If you say you're doing something, it should be easy for you to show it to me. If they can't show it to you, they will not be able to show it. To be honest, to the guys that work with Dan, when the insurance company hires them to come in and do an audit, right. If you can't show it, then it doesn't actually exist.

Jon DePerro: So, show me is a great qualifying question. If your partner is helping you with an SAQ and they're telling you, yes, it could be your internal it guy who you love to death because he's been at the family business forever. And if he says, yeah, we're good on it, just say, then show me. Because if they can't, then they're mean.

Will Nobles: Dan. I always tell Jon, I think of it, security and compliance sort of all the same in the way, but it is actually doing the work and actually doing the fixing, breaking, fixing those things. The cybersecurity portion is the software that actually helps protect and monitor and control that. Compliance really is the documentation that actually proves that you're actually being compliant and all these tools and things that you're doing in it, and cybersecurity is actually being followed. Dan, would that be your assessment as well?

Dan Schroeder: Absolutely, Will. And in many respects, the business that I'm a part of and founded is that compliance aspect. You could say audit is a degree of compliance. And it's funny how many times I could think of over a couple of decades now, people are doing things. It's there. But coming in to do the show me, let's get the evidence piece that drives change. A lot of times it's not so easy to prove that we're doing it. If we can't prove it, then really, how consistently is it happening for PCI purposes or whatever else it is? And if we're not sure that it's really happening, then how secure are we? So, it's not just about meeting some regulation, but chances are the transactions that are being processed there, the network that is available, that's important to safeguard the business and its reputation.

Dan Schroeder: And so, again, so the compliance, in many respects is that piece that comes along having to go that extra mile to really button up the procedure to be able to prove that's happening. That's why there's value there, and that's why people require compliance just for that.

Jon DePerro: Definitely.

Will Nobles: Well, guys, I appreciate you guys being on. So, if you have any questions for me, Jon, you can contact us at or the 1877 phone number here for you guys being on today, I'm going to give Jon's time to you guys. So, he loves when I do that, but I'm going to give you guys a free consult with Jon. Scan the QR code. The team will put it here in the chat as well for me, but there's the link QR code and the link will be in the chat. But feel free. Book some time with him and talk about your credit card processing, where you're at, the form that you filled out, make sure that you are actually following that. If you're a client of ours, definitely reach out. We want to make sure you're protected.

Will Nobles: And if you're someone that's just listening and you guys just want Jon's ear, feel free to scan the QR code. Reach out to Jon again. I love giving his time away. Guys, Dan and Jon, appreciate it, guys, I know it's later in the afternoon for you guys to jump on, but thanks for jumping on today.

Jon DePerro: Hey, shameless plug for any of the service providers out there. Dan knows more about sock reports than anybody I've ever met in my life. If you got a sock two type two conundrum, there's another here. I'll give away Dan's time now. Call Dan. Call Dan. So truly knows more. And those of you who know me know I know a lot of people in this world, right? Dan truly knows more about SOC 2 type two than anyone I've ever appreciated.

Dan Schroeder: Like Will, we've got a phenomenal team. We've got over 40 people that just live. That's all we do is SOC, ISO, PCI and all that. So thank you for the shameless plug, Jon and Will, thank you very much.

Will Nobles: Dan, thanks for joining me today. Yeah, thanks for being on. Well, everybody, Facebook on the webinar here. Thanks for joining us today. Stay tuned for our March webinar coming up in the middle of march. Have a good one, guys.