
Security and Compliance in B2B eCommerce

The B2B eCommerce Podcast

Oro Podcast

Key Points

  • What's the difference between security and compliance? Here's a simple way to look at it: compliance is a one-time, once-a-year, come-in-and-see-how-you're-doing deal, and security is something that you do all the time. In other words, security is about taking action to prevent bad things from happening to your organization.

  • In security, you're always dealing with the tension between individuals and assigning responsibility. There’s tension between users, organizations, and technology providers. The prevailing thought is that technology should solve everything; the technology should be secure. So it’s both an education issue and a responsibility issue.

  • On the other side of the equation are the complex privacy requirements, and the complexity of businesses themselves. Organizations tend to share data with other business units or entities that the company owns, not to mention various third parties. And all this weighs on businesses as well.

  • The most important thing is not to think of cybersecurity as a burden on your organization. You can put your head in the sand, or you can take ownership of it. However, even if you can outsource the responsibility, it doesn't mean you've outsourced the liability for what could happen down the road.



Full Transcript

Jary Carter: Good morning. Good afternoon. Good evening, wherever you are. My name is Jary Carter, and I’m the host of B2B Commerce Uncut. Happy to have you here participating with us today. I have here with me Mr. Jeff Man, who is a Senior Information Security Consultant at Online Business Systems. That’s a mouthful of a title Jeff has over here. Well, he’s been an evangelist for data security for over 40 years. His experience spans security, research, management, and product development in roles for public and private companies, as well as government agencies like the Department of Defense and the National Security Agency. Jeff, welcome to the podcast. Happy to have you here.

Jeff Man: Happy to be here. You know, one of the many things I do is podcasting myself, so it’s a fun change to be sort of on the other side of the microphone for once.

Jary Carter: You’re either out of the hot seat or in the hot seat, whatever way we look at it. Happy to be chatting with you here. We also have Joseph Kirkpatrick, who is the founder and president at KirkpatrickPrice. Joseph is an IT security professional. He specializes in data security, cybersecurity, IT governance, and regulatory compliance. He’s a CPA with 25 years of experience, holds a whole host of certifications, spearheaded numerous initiatives at KirkpatrickPrice, and led thousands of audit reports and IT security engagements around the world. Joseph, it’s an honor to have you here. Thanks for joining us today.

Joseph Kirkpatrick: Yeah, I’m really looking forward to talking to you guys and talking through this important subject with you.

Jary Carter: Yeah, it is such an important subject, and it’s becoming increasingly important, seemingly, in recent years. I would love to just get into introductions around the two of you. I’d love to just understand how you got into the space, a little bit of your background, from your own perspective. You both have wildly impressive bios, but we’d love to hear kind of how you got to where you are today. And let’s just start with you, Jeff.

Jeff Man: Sure, thanks, Jary. I’ll try to be concise. That’s compressing 40 years into 90 seconds or so. Primarily, I got my start in information security working for, as you mentioned, the Department of Defense, and my first real job was as a cryptographer for the National Security Agency, which of course is protecting communications, protecting information. I was there in the mid 80s to mid 90s. So sort of at the, you know, the cusp of when the internet was becoming at least publicly available and caused the explosion that we know now today as the digital world, what we call cyber.

I sort of shifted over into cybersecurity, although we didn’t call it that at the time, in the early 90s, because I was working with a small group of guys that were looking at how to break into computers and networks, because they were becoming more of a thing. And you know, we’d all seen movies like WarGames, and Sneakers, or Hackers. And we’re like, that’s kind of cool. We want to do that. So, looking back on it, I can say that I was sort of a founding member of the first NSA red team, and went out into the private sector shortly after all that happened. Primarily trying to help companies of all sizes, shapes, and forms figure out how to connect to the internet in a secure way.

Somewhere along the line, I fell into PCI, the payment card industry. And, you know, the Data Security Standard came out in 2004, and it was handed to me by a boss back in 2004 who said, here, read this, we’re going to do it. I read it and I said, this kind of makes sense. I’ve been doing it ever since, basically. So you know, I can wrap up the last 15-16 years by saying I’ve been a QSA, working with hundreds of companies of all shapes and sizes. You know, trying to help them understand how to do basic information security, cybersecurity, given their environment, given their vertical, and given a certain set of requirements that they’re kind of bound to if they want to engage in commerce, at least with credit cards. So that’s me in a nutshell.

Jary Carter: That’s great. You have such an interesting and rich background. I’m excited to ask some questions about that today. Joseph, we’d love to hear your background as well, if you wouldn’t mind just giving us a little bit of a thumbnail sketch of how you got to where you are and what you’re doing now.

Joseph Kirkpatrick: It all started for me in 1984. And 1984 was the year of the computer. It was the timeframe when the IBM CEO said that no one would ever want a computer in their home. And the personal computer was the Man of the Year for Time Magazine that year. And so that was the year that my parents sent me to a class on computers. They were very forward-thinking, and I was 13 years old. And, you know, I just decided, wow, I want to work with this.

So when I got out of college, I did systems engineering work. We were installing Windows for Workgroups for companies who were converting from Novell. And I worked in systems engineering for about, I guess it was about 12 years, and was doing that for banks. And being a highly regulated space, they started coming to me with questions about satisfying these different compliance needs and satisfying the bank examiners on the different things. And they started asking about data security.

And as a result, we did risk assessments and penetration testing, and helped them write their information security program. And once I got involved in that, and got a taste of that aspect of things, I decided I really wanted to specialize in that area. And I saw the need for it and the importance of it. And that’s really what got me focused on cybersecurity.

Jary Carter: I remember seeing Hackers in the movie theater, Jeff, which was such an iconic movie for me. Joseph, my first job was at Novell. So my very first tech job, right out of college, was at Novell. And 1984, going into computer class, your parents really were forward-thinking. I think that was not on most people’s radar, you know, sending their kids to computer class. So very, very cool.

Let’s jump into it. There was a question kind of before, as we were preparing, around compliance and security: are they the same thing? What is the difference? Jeff, you know, we’re talking here about both security and compliance; unpack both of those for us and the differences.

Jeff Man: Well, it’s one of those questions where you ask 100 professionals, you’re gonna probably get 100 different opinions. So this will be my take on it, and the way I’ve really tried to help my clients over the years. There is an understanding, or there is a misconception, maybe that’s a better way to phrase it, that compliance does not equal security. And the perception is, and again, it depends on who you talk to, either compliance is just kind of a silly nuisance exercise. It’s not really real security. And it’s not reflective of all the things that the security people do within organizations. And so it’s viewed by sort of one camp as something that’s very simplistic and very checkbox oriented: you’re not really proving that you’re doing anything, you’re just saying that you’re doing stuff.

Now flip that around, because I’ve worked with, as I said, in PCI, I’ve worked with companies for almost 20 years, trying to follow this silly little list of, you know, depending on how you slice it, over 400 specific requirements, and you have to do every one of them. And companies struggle to meet every one of these requirements. And they struggle to consistently meet the requirements. A lot of the requirements, a lot of security in general, has to do with continuous processes, doing things on the regular, which feeds into sort of this misconception between security versus compliance too, that compliance is a one-time, once-a-year, come in and see how you’re doing. And security is something that you do all the time.

Well, a lot of PCI requirements are: are you doing this thing daily? Are you doing this thing weekly? Are you doing this thing monthly? Are you doing this thing periodically? So it’s meant to be reflective. So that’s my sort of backdrop. Security is doing a whole lot of things to try to either (a) prevent bad things from happening to your organization, or (b) detect that something bad is happening to your organization, and hopefully minimizing the damages, minimizing the consequences. And compliance, in that context, is simply, here’s a measuring stick, here’s a way to evaluate or assess how well you’re doing all these basic security things. So to me, compliance is just a reflection of security. They’re kind of one and the same thing. But that’s my silly little opinion.

Jary Carter: Not silly at all; it seems very well thought out, well articulated. And I appreciate that perspective. Joseph, in the spirit of compliance, you’re an expert in this: what compliances are usually required for a manufacturer or distributor to be selling online? And when you go into, you know, a company and talk about compliance, what are the things you’re looking for?

Joseph Kirkpatrick: Yeah, so if we’re specifically talking about a company that’s moving online, you know, maybe they’ve had a traditional brick and mortar environment, they’ve had a distributor model, but now they’re moving into the online presence and starting to engage with people in other states, other countries, all those kinds of things, you know, you very, very quickly get swallowed up with all the compliance requirements. Most people dive right into offering those new services or doing business online.

And there’s a reactive sense of responding to things that a customer might ask or a regulatory body might ask. Speaking in the year 2022, I think privacy is at the forefront. If you are moving to an online presence, if you’re starting to serve people who are in different places, you have to be aware of the laws that are relevant to where your customer base is. And so if you’ve got a customer in California, you have to be concerned about the California Consumer Protection Act; if you are working with a client who is in Europe, you have to be concerned about GDPR.

And so one of the things that a company has to do when they’re making that change is they have to have a program to understand what data are we collecting from people? What data do we have to maintain? How long do we maintain it? What is our policy to do that? Do we give access to that data to the people that it belongs to such as the consumer? Who in our organization has access to it? Is there a right for them to have access to it?

There are a lot of things to think about in terms of, you know, the data that we collect in the eCommerce world, and then what we do with it. You know, can we use the transactional data when we make a sale to someone? Can we use that now to market additional things to them? There are laws around that. But also, can we share that data with another business unit or another entity that our company owns, or a third party that we work with? So these are all very important questions to ask that are really, you know, derived from a lot of the compliance frameworks that are out there.

Jary Carter: Yeah, so it does sound like it’s a bit, you know, obviously, it’s a bit region- and location-specific. And then there are also some guiding principles around, you know, really preserving customer privacy, which is at the core of a lot of what you’re thinking about, and really what a lot of the laws are thinking about. The compliances are thought about as a framework. I would love to understand from both of you: what is the current state of affairs in enterprise tech security, what are the biggest threats? What are the trends? And just maybe, Joseph, while we have you talking, I’d love for you to start with that. Just what’s kind of the current state? What do you see?

Joseph Kirkpatrick: You know, I thought 10 years ago, I was excited with this industry and this work, you know, I thought it couldn’t get any better. 10 years ago, I love new things. I love change. And I love technology and security and all that, and I thought, well, we’re at the peak, you know, but I’ll tell you what, it’s never been more exciting. The things that are happening, and a lot of that excitement comes from really bad things happening.

And you know, if you follow all the releases that come out from government agencies, from industry groups, it’s impossible to keep up now with the breaches that are occurring, the vulnerabilities that are being discovered, the threats that are no longer for the military or the government to be concerned about, but for a small business to be concerned about, and, you know, can we be breached? Can we be shut down? It’s just really hot and heavy right now.

And so I think that the trend, I think you said, what’s the trend? It’s really just, what do we not know. Because with every release, it’s something that has been exploited for an amount of time that we didn’t know was being exploited. And so now we have to check our systems and the third party that we have a relationship with and the technology that we have in place over here, we have to check to see – oh, are we exposed because of this thing that has just been revealed? And so it’s just a constant revelation.

Right now, it feels like daily, about the unknown, something that we couldn’t have foreseen, we couldn’t have planned for. And so we as organizations, you know, don’t need to be reactive to that; we need to be planning for how we respond when we become aware of some new threat that has been published or reported.

Jary Carter: Yeah, I liked what you said. A lot of new laws and regulations come out of things that have gone wrong; it doesn’t seem like that’s how the world progresses. Like there’s a law on the autobahn that it’s illegal to run out of gas. Like, who was the person that ran out of gas on the autobahn and got hit, you know, their car got hit at 120 kilometers per hour? But yes, you are seeing a lot of the things that are happening in the world in terms of data breaches or security, you know, where things have gone wrong, that are driving a lot of the innovation and laws that are happening now. I really appreciate that perspective. Jeff, I’d love for you to weigh in on this as well. What are some of the things that have you excited in the current state of enterprise tech security?

Jeff Man: Well, I’ll caveat my response by saying, I don’t like to think that I get excited about any of this. Sort of everything that Joseph’s excited about, I find depressing.

Jary Carter: But now we know the optimist, and the pessimist.

Jeff Man: It’s interesting, you brought up this analogy of the autobahn and, you know, casually mentioned, you know, everything seems to be reactive. But that’s really the essence of security: we learn from previous mistakes, we learn from bad things happening. I can remember when I first read the PCI Data Security Standard, you know, the 400-some-odd requirements, you know, when it came out almost 20 years ago, I’m like, oh, yeah, I know why this rule is there. It’s because this happened. I mean, virtually every single requirement in there at the time was because it was trying to cover the bases for something bad that had happened, some sort of compromise, some sort of breach.

I see a lot of tension. In our world, there are competing forces. And if I get excited, it’s that there’s job security. Maybe I get excited when I can sit with a client and try to help them get to the point of understanding why we have to do all this stuff. It doesn’t seem to make sense. And some of the things that I see, and this is certainly not comprehensive, but I think, you know, since the dawn of us emerging into this electronic digital cybersecurity internet world, there’s been a belief by consumers, let’s say, including organizations, that security is something that’s going to be taken care of by somebody else: the technology should solve everything, the technology should be secure. We shouldn’t have to worry about it.

And if you talk to anybody that’s been around this industry a reasonable amount of time, you’ll very often hear stories about, you know, the weaknesses and the things that cause companies to get breached very often are not so much the technology in and of itself; it’s the way the technology has been misappropriated, misused, misconfigured. Users, the people elements, aren’t doing things properly, aren’t doing things the way they’re supposed to be doing.

And so you have this tension between... well, I should be able to do what I want, given the technology that I have, and I should have a reasonable expectation that it’s secure, and I shouldn’t have to respond.

I think it is fascinating when organizations get breached, and we see them in the headlines very often. We always love to beat up on these companies, because they didn’t follow good security, they didn’t have good security practices, they weren’t doing the right things, you know, there was this inherent weakness. And we seem to forget that, at the end of the day, they’re a victim of a crime, that, you know, somebody committed a crime against an organization that put them into this situation.

So there’s this concept that, you know, there’s responsibility for achieving a certain level of security so that you have, in the early days of PCI, they called it Safe Harbor: you know, you’re not gonna get in trouble, you’re not gonna get faulted for getting compromised or breached if you’re doing some reasonable amount of security. And after that, it’s like, well, it could happen to anybody. That hasn’t really changed over the years, other than there’s less and less idea of Safe Harbor, and there’s more and more beating up on the poor victims.

And very often it’s legitimate, because either they’ve completely missed the boat on their employee awareness, employees doing the right things, having this sort of culture of security, knowing what you can and can’t do in terms of your business processes and your daily job, your daily routine, versus that expectation, like I said, that security is being done by somebody else, security is somebody else’s responsibility within the organization. And so it’s, okay, I can do what I do, because I’m covered.

So what excites me is there’s this never-ending tension. And there’s this need to try to open people’s eyes or pull the wool off some people’s eyes, depending on what analogy you want to use to just try to promote a better understanding of what’s at play here. What’s involved in terms of securing an organization or securing data these days?

Joseph Kirkpatrick: I love this. I love this aspect of what’s going on, you know, because there is this just strong desire for people to pass the buck on security, and they don’t want to feel responsible, you know, and it’s just a strong desire that humans have to know that somebody else is responsible for this, right, because they feel chair and wholly inadequate.

They feel unprepared, they don’t have the knowledge, they don’t have the skills to confront this growing, complicated threat. And so they just want somebody to be responsible for it. And so some of the common things, I’m sure Jeff sees all this as well, but you go to an environment: oh, we moved everything to this cloud provider, and now they’re responsible for security. We have this relationship with this managed IT or managed security company, and we’ve signed a contract with them, and we pay them X amount a month, and they are responsible for our security.

And they just want that to be true, so bad. And the truth is, with such an important issue that affects your business, you can’t ever abdicate yourself of that responsibility; you’re always responsible for it. And then you have to manage these relationships that are impacting the issue, and that are critical for the issue, but you just can’t, you know, not be responsible for something that’s so critical to the success of your business.

One time, this was just something that stuck out in my mind. I was doing an audit for a company in Minneapolis, and this was a big, big company. And I was going to be there for a week to perform this assessment. And every question that I asked, the answer was, we have this service provider that does that for us. We have this service provider that does that for us. And so that’s what the entire first day was: we don’t do anything with that because the service provider does that.

And so finally, at the end of the first day, I just said sounds like we need to talk to the service provider about all this because you don’t have any of the answers for what I’m looking for.

And so we decided to get on a plane and fly from Minneapolis to St. Louis, because that’s where the service provider was. And so the next day we had a meeting with the service provider, and I started walking through these issues. And to every question, they said, well, we can do that for them, but no one has asked us to do that. And then the customer was saying, oh, I thought that you were doing that, I thought that you were monitoring our firewall. We offer that, but no one has instructed us to do that. And you haven’t told us what you want us to monitor. And you haven’t told us what you want us to do with the thing that we are monitoring. And that was a long time ago.

But that kind of thing still happens today, especially with the cloud providers. People make these assumptions that the cloud providers are responsible for all of these things, but they’re not, unless you take responsibility for establishing the policies, enabling the controls, assigning responsibility for people to monitor these things, and taking action whenever there is a finding that happens. And so there’s definitely this huge desire to relieve yourself of responsibility in this area.

Jeff Man: Well, if I can dovetail on that. Yeah, I think what you’re saying, Joseph, you know, very specifically, the services are available. What you’re not saying, but should be obvious to everyone, is it comes at a cost; you know, you have to pay for it. And there’s an aspect to all of this, where maybe we should bring it up a little bit more, that, you know, security and all the things that you have to do associated with security, regardless of the compliance standard, cost money, if not in terms of product and technology, then in terms of time and resources and training, personnel assigned.

And, you know, I think the early selling point of the cloud, and I won’t name the guilty, AWS, was: come to the cloud, and we’ve got all this covered for you, even we’re PCI compliant. But if you read the small print, they were covering what we used to refer to colloquially as lights and power. You know, they were a data center that was hosting servers, you know, it was in the magic wiffle about some of the cloud. But all they basically provided the security for was the physical security of the systems, wherever they were.

Now, you know, that was 10 years ago. Nowadays, they have full-blown programs; they’ve got services for virtually every security requirement you can think of, from scanning and monitoring, and testing and access control, multi-factor authentication, you name it, they’ve got it. But it all comes at a cost. And you know, at the end of the day, maybe the best way to explain to clients in a language that they can understand is: security comes at a cost. And you have to figure out how much you want to spend, what’s the right way to spend it, where do you make your investments.

And of course, then you have all sorts of solutions out there that are telling you how you can increase your ROI, make security part of your profit center. I’m not gonna say I completely disagree with all that. But you know, security comes at a cost; figure out where you need to spend the money, figure out the right mix, and figure out when it’s cheaper, more cost effective for you to do it, versus a third party. But for God’s sake, make sure that third party is doing it for you, as Joseph was alluding to.

Joseph Kirkpatrick: You know, when I see these providers, and these tools, use the same marketing hook, which is, use us and we will make it easy for you, you know, I always shudder at that, because the reason they use that in their marketing is because it works. You know, people want that to be true, so bad, you know, everyone: oh, good, I can sign up for this, and then it will be easy.

That’s like a strong selling point, you know, but the truth is, it’s all these things that Jeff was just talking about, the things that you then have to engage upon and ensure that the provider is doing this, and ensure that the provider has what they need in order to be able to do the thing; that ultimately has to come from you. It is a difficult thing. And so the marketing message of, work with us and we will make it harder, that doesn’t work.

But the truth is sometimes a good security partner is going to bring things to you that are hard issues, and they’re going to talk to you about things that are difficult and to ignore those things might be easy for a short period of time, but a good security partner is going to bring some very challenging things to you and then they’re going to work through those challenges together.

Jary Carter: Yeah, that’s great insight. I want to just let folks know, our producer is ready for folks that have questions. If you have questions, ask them in LinkedIn or here in the chat; we want to answer as many questions as we can in the time we have. I wanted to ask just one more question before we get to maybe some of the outside questions, which is horror stories. You know, we talked about learning from mistakes, learning from issues. Any horror stories from your previous experience of failed security costing businesses revenue, reputation? I would love to get you all’s perspective on that. And Joseph, maybe, you know, given that you’ve been doing audits for companies, I’d be curious if you have an interesting story or two.

Joseph Kirkpatrick: Yeah, you know, we are usually in the line of fire in terms of being contacted by someone who has just been surprised with something and, you know, they’re needing help. And so the most recent one for us was a farm supply organization. They traditionally had been a locally focused supplier, and they were moving online. And so this was a huge undertaking for them; it was critical to their mission, critical to their strategy, in order to get this up and running.

And they worked really hard, you know, spent a lot of money, spent a lot of time on developing the e-commerce platform, and they were planning on having a much greater reach. And so the time came for that to roll out. And they were unable to get cyber insurance. And that was a shock to them. And, you know, anyone who’s been dealing with cyber insurance, you’ve noticed that it has changed; there was so much that was impacted because of ransomware that the cyber insurance policies have all been rewritten.

And there’s a little more scrutiny in there, you know, due diligence and things like that. And so this organization was not able to get cyber insurance. And so now they’re having to go through all these things that the insurance provider is requiring: you know, have you had a risk assessment? Do you have endpoint protection? Are you doing security awareness training? It’s that compliance list that we talked about earlier.

And the truth of the matter was, they weren’t doing those things. And so they couldn’t get the insurance, and so huge impact to their bottom line as a result of not considering the impact of security and compliance on this very important mission that they had as a business.

Jary Carter: Yeah, great example. Great example. Jeff, do you have anything you would add in that vein?

Jeff Man: I’ve got a million of them. But let me share two. One is more of a generic, something I see very often these days, you know, especially since we’re supposed to be talking about B2B, which in a PCI context is third-party service providers, people that are sort of in the middle between a retailer or a merchant and the back-end card companies, banks, and things like that, especially in an e-commerce context.

You know, we’ve been talking about the outsourcing and putting stuff in the cloud. I see very often these days a scenario where you have a retailer or a merchant that wants to do e-commerce. And so they have to have a website. But they don’t have developers. So they go to a third party to create the website for them. And of course, there are companies out there that specialize in that.

They also need to put it somewhere, hosted somewhere. Now, it’s more common to put it in the cloud somewhere. But it’s very often not the merchant that’s engaging with the cloud provider; it’s one or more of these third parties. And then, not to belabor the shortcuts that you can sometimes take in PCI, one of the streamlining things is to engage another third party that just does the checking out. You know, if you buy something online, and you go to the checkout page, where you’re eventually going to put your credit card in, very often that’s a completely other company.

So you’ve got in this scenario three, four, or five different entities, and very often somebody’s doing the security, we hope, for overall. The guide, the measurement, is the PCI Data Security Standard. And it starts, in terms of liability if there’s a breach, with the merchant; they are the ones that still have to be reporting PCI compliance. And they say, well, we don’t do that, we have this third party. And then that third party says, well, we don’t do that, we have this other third party.

And very often, I have this strong belief that things aren’t getting done from a security perspective, because everybody thinks somebody else is doing it. So that’s one scenario.

The second one is more of an application of the lessons-learned type of thing. I had this situation with a client just a couple of weeks ago. I was doing an on-site assessment, going through all the different security controls. One of the controls in PCI is that you’re supposed to monitor periodically for the presence of any kind of rogue wireless access points, or any rogue devices on existing wireless networks. This particular company had technology in place that, rather than doing it periodically, once every 30 days or 90 days, they’re doing it basically real time; they’ve got sensors that are up and running. And just part of what they do in terms of creating a wireless environment is to continuously check and report on any presence of unknown devices or any rogue devices.

Sounds great on paper. Like, wow, you’re just blowing the doors off the requirement, you’re going way beyond the bare minimum. So, okay, the issue I had, though, was that we were doing site visits of different retail locations. And at this one particular site that we visited, the particular device happened to be unplugged. And so I asked a question: why is this unplugged? You know, two weeks into it, I’m still waiting for the answer. But the bigger question I have is not why it was unplugged, but why didn’t your whiz-bang reporting mechanism identify it, flagging or alerting the fact that a sensor dropped?

So I mean, the lesson learned is, it’s not enough to just simply put the technologies in place. You also have to know what to do with the results and the outcomes, and know when something weird is happening, so you can respond to it. I don’t suspect that it’s any nefarious activity. But I do question how well they’ve embraced the sort of procedural, process aspect of security, when they’re allowing the technology to do what it does, and it seems like they’re not paying attention to what it’s producing in terms of output. So I share that as more of a very strong nudge to think about how you implement a lot of the security solutions that are out there.

Jary Carter: Yeah, um, it’s interesting that you both talk about this, because this will be the last thing we kind of end on. What I’m hearing from both of you really strongly in this, and if there’s a takeaway, I think, for our audience, one of the things I’m hearing is: don’t actually look to your third-party vendors as a panacea for your security and compliance.

Particularly your technology vendors: don’t look at them as a panacea for, you know, the compliance and security needs that you have as a business, as a company. You’ve got to take responsibility, and understand your market, your customers, the regulations in your industry, and, you know, really take responsibility for what’s happening there. Did I catch that right? Joseph, Jeff, any final thought you have?

I mean, that seems like it’s been coming through loud and clear, in, like, bright lights.

Joseph Kirkpatrick: That’s not where the assurance comes from, you know, from a product that you use or a provider that you have a relationship with. You’re responsible for this thing called security. And it’s something you’re always pursuing; you never actually arrive at it. You can live in the state of security, and you can feel like you’re kind of experiencing it, but you have to be ever vigilant, and you have to always be pursuing it.

And you know, I love what Jeff pointed out. I mean, pretty much today, everybody is going to have these relationships that are all important to this security goal that you have. And the problem that he’s pointing out, which is a huge problem, is there’s no one auditor or assessor or regulatory body who’s looking at that in its context. They’ve divided it up into so many different pieces, and they say, well, this person is responsible for this, and so somebody over there is looking at that, you know, exactly as he described.

And I know Jeff will be able to complete my sentence. You know, when you come in and you want to look at things in context, and you want to look at this piece and that piece and that third party, the response you always get is, well, we don’t want you to look at that, because that’s not in scope. That’s not in scope. And so when you hear that, you’re just like, ah, it is in scope; your security is always in scope. We shouldn’t be slicing and dicing it. And so, yeah, I’m glad you picked up on that, because it’s definitely a huge concern of mine as well.

Jeff Man: Yeah. Yeah. I want to echo what Joseph said. You know, I think he and I met, I don’t know how many years ago, at a PCI meeting, where we kind of got together and bonded over all the banners of all the vendors on the expo floor. You know, as he had alluded to earlier: we can make PCI easier, compliance easy, security easy, make it go away in a few minutes, ease your burden.

I’m like, oh my God, if you think of security as a burden, you’ve already lost. So yeah, I mean, what old-timers like us try to do is just educate and give companies context and help them understand you really can’t outsource security. You can outsource the activities, and you can outsource some of the specifics. But the responsibility for that overall, comprehensive view, taking that logical step backward to look at how this all works together? That’s very often lacking.

And there’s not enough of the people like us who do the auditing and assessing that seem to embrace the fact there’s something wrong here, because nobody’s taking that bigger look at things. And to underscore what Joseph said, in my analogy, my horror story, yeah: everybody looks at the single point and says, yep, you’re fine with what you’re doing. Nobody’s taking that big look, until something bad happens, by the way.

And when something bad happens, the people that are going to come and find you are going to first go to, technically, the acquiring bank, but the acquiring bank goes to the merchant and says it’s all on you. And it doesn’t matter who you claim is supposed to be doing it for you. It falls on you in terms of liability. And again, that’s a dollars-and-cents type of thing. It’s an economic decision.

But you know, don’t think you’re selling yourself cheaper or being economical by pushing stuff out to a third party because they claim they’ve got you covered. Make sure you consider all the costs. And you can outsource, perhaps, the responsibility, but that doesn’t mean you’ve outsourced the liability.

Jary Carter: And with that, we’re going to end on that quote, because it was very, very good, and I think it actually encapsulates the conversation that we’ve had here today. I want to thank you both for coming in, for lending your perspective, for sharing your expertise. Today’s conversation has definitely lived up to the brand. This is B2B Commerce Uncut. It’s been definitely unfiltered. There’s been no, you know, nobody’s trying to sell anything, except for the fact that we want to keep you all safe as you engage in eCommerce out in the market, and as you’re out there really pushing your business forward. I really appreciate both of your perspectives.

Joseph and Jeff, I do want to say we want to follow up with any questions asynchronously, so please submit your questions, ask those along the way. We also want your ideas for upcoming topics. So we’re gonna drop a landing page here in the chat for folks to submit ideas for future podcasts as we continue B2B Commerce Uncut. Thank you both so much for your time today, and thanks, everybody, for tuning in.
