Watch to learn how you can monitor your iframe, ecommerce, and payment pages for e-skimming and protect customer payment card data.
In this demo, Brian Cole will show you the key features unique to SecurityMetrics Shopping Cart Monitor, one of which is that there is no installation needed.
Brian will also discuss how this tool helps meet new PCI DSS v4.0 requirements.
This webinar was given on March 21, 2023.
Well, thanks, everyone, for joining. I see more people coming in.
I appreciate you taking the time out of your day to listen to two sales guys talk about a hot topic, PCI 4.0.
Excited to share what we know and give you a unique perspective from the sales guys. You're probably used to listening to more like the QSAs speak, or a technical resource, but today we're gonna go through a sales webinar.
So, my name is Jason Leland. I'm the director of enterprise sales.
I've worked for SecurityMetrics for twelve years now.
Didn't know PCI was a thing until I started here, but I've been in it ever since and seen a lot of changes in how the standard's evolved.
And so I have a lot of good experience there, and just seeing what customers have done, and hopefully I can share that with you. Just personally, I enjoy jiu-jitsu as a sport.
I have three boys, and I've been married for about the same time, about twelve years. So I just feel like my life revolves around wrestling, either at jiu-jitsu or at home with my kids.
I'm going to be presenting with my co-presenter, Brian Cole. I'll let him introduce himself.
Thanks, Jason.
Yeah. I've been at SecurityMetrics for almost eight years. I'm the manager here on the enterprise team.
Excited to share with you all the experiences Jason and I have had over the last seven years, what we've learned, how we've helped our clients.
I also have three children.
My life revolves around PCI and little league sports pretty much at this point in time. So it's a good time.
Awesome. Thanks, Brian.
Just a quick look at the agenda.
Gonna be kicking off with how we, as a company, have helped our customers prepare for PCI 4.0 assessments.
What we're doing to help customers address the new requirements that are coming out with 4.0, and then the classic sales guy close: why you should use SecurityMetrics. We're gonna focus on some of those details too and what separates us within the industry.
Just a quick reminder too. If anybody has any questions as we're going through this, submit them to the chat. We'll go through them at the end. We'll also be doing a recording of this, and we'll send it out to everyone who registered.
Thanks, Brian.
Just a quick recap and overview of SecurityMetrics.
We've been around since about 2000, but PCI came around 2005, 2006, where, really, we took off as a company. That's when we became a QSAC, or a QSA company. We're part of that first group of applicants to become a QSA. We've been doing it since it started. And it's really been our bread and butter ever since. You know, every year as we plan as a company, it's always around PCI and what we can do to be more involved there.
And it's our main focus as a company and what we're doing.
Outside of being a QSA, we're also an ASV. We're a PFI. So we're the approved scanning vendor, and the PFI is the forensic side of things. So if companies are compromised, we help them, obviously, figure out how that happened and help them stop the bleeding. We do seem to win awards as a company fairly often. The most recent one was the 2023 Cybersecurity Excellence Award, and that was specifically for our audit team and the work that they're doing. So they do really good work, and we'll talk a little bit more about that in our presentation.
To give you a quick snapshot of a few members of the team, we typically spotlight these people.
Gary Glover, he's our VP of assessments. He's over the audit side of the house and also our penetration testing teams.
He was the actual one that was in that first group of applicants to become a QSA.
And you can see he's been doing it for seventeen years. And I think the thing that we highlight the most, and the similarity with all three of these people, is their overall experience in IT.
As a company, one of the things that separates us, we feel, from our competitors is who we hire and what we look for in our candidates. We want people that have focused experience in IT and/or security.
And we look for people that have typically sat in the chair of our customers. We want them to come up with relatable solutions, because you're looking to balance your overall security goals and company goals with a regulatory compliance standard. We understand that can be difficult. We wanna make sure that people have that sort of empathy, right, to understand the position that you're in, to come with creative solutions to meet the requirements that you guys all face. So those are the kind of people we hire. They have that QSA experience, typically with IT and security.
And then our overall company culture. We don't really shy away from this, but we're not check-the-box type assessors.
We're looking to provide you with real-life value in security and leave you better than when you first came to us. We wanna make sure that we're improving your security posture.
And we'll talk a little bit about how we do that. Jen Stone, you see right there in the middle, she's always a spotlight. She's the one that's on most of our webinars. She has a podcast.
She does a lot of the speaking at the shows and conferences that we go to. So probably more of a familiar face. And then Matt Hovlai is just, you know, another one of our technical geniuses, helping us stay ahead of the curve. He's a QSA, PA-QSA, P2PE QSA, and also heads up a lot of our HITRUST assessments, and just has a lot of experience, right, in security and compliance.
So SecurityMetrics is determined to make your PCI experience as simple as possible by prioritizing clear communication and meeting your deadlines.
These are two things that we really try to balance in our approach to your assessment. We try to balance simplicity and security.
Those two things don't often go hand in hand. Being secure takes a lot of work, but we wanna make it as simple as possible.
Those are our two main goals, right? To help you achieve compliance and improve your security. And we simplify this through a project management tool that's called SureLink.
And we use these tools to provide clear communication and to give you a high-touch assessment, in terms of our activity and how involved we are as your QSA.
But, really, what it does is it just streamlines the overall communication.
This tool has been a huge selling point for us. It's a place where you can store all of your evidence and communication, make assignments. You can clearly see at any point in time throughout your assessment where you are and what needs to be done. It comes with a lot of reporting features as well that you can use to report to someone, maybe higher up, that's not involved in the assessment but wants to know what's going on and understand, you know, what's needed or what's left there to complete the assessment, deliver on timelines.
Right? There's reporting features that can help you communicate up as well. It really just gives you the ability to not drop the ball. You know?
Everyone sees the same thing, and you can give people access to that to make sure that you're hitting your deadlines, assignments are being completed, and everything's clearly communicated.
So as we jump into this, you know, how SecurityMetrics helps prepare its customers for a successful version 4 audit, I think it's important that we first understand why PCI is making this change. And so they published four main reasons that I'll read, and I'll kinda add my commentary to it. But the first one was to ensure that the standard continues to meet the security needs of the payment industry. This one is huge.
I mean, everyone knows that cybersecurity evolves so fast.
It's always a little bit behind where the malicious actors are. Right? We're trying to keep up with them. They're definitely not trying to keep up with the standard.
So it's evolving very fast, but it's not as easy to evolve within a regulatory compliance framework. Right? We don't want changes there because it makes our lives more difficult. So changes come a little bit slower to the industry. But this is a huge jump trying to cover that gap with 4.0, just being more relatable to the security concerns that we're seeing today and addressing those concerns to keep people more secure.
So that's a really big improvement there that we'd like to see. Promote security as a continuous process is the second reason.
PCI has, for a long time, been viewed as very much point in time. And while your assessment is, and probably always will be, very much a point-in-time activity, the requirements in there aren't. We've had requirements like vulnerability scanning. Right? You have to do that once a quarter, and you have to be able to show your assessor that you've done that once a quarter and you've had a passing status. There's more requirements like that in 4.0 to show and validate a continuous effort to be secure throughout the year, rather than just preparing to pass an assessment and then moving on. Right?
And then three and four kinda go hand in hand for me. Enhance validation methods and procedures is number three. And then number four, add flexibility and support of additional methodologies to achieve security.
These are really big changes too.
Just like we said that the cybersecurity industry changes, so do the tools that customers are using.
PCI has been focused more on hardware and physical tools while the industry's been migrating to the cloud really quickly. You know, I'd say the majority of our customers now are migrating over to the cloud. And so keeping up with those kinds of technologies and how they relate to the PCI standards. So if you're meeting a requirement more in the spirit of the requirement, not necessarily exactly like the letter of the law and exactly how it's worded, but you have the technology to support the intent of the requirement, like, let's leave that flexibility up to your QSA and to you as a company to provide those reasons as to why that meets the requirement even though it's not exactly how it's defined. So some good flexibility there, which will help us, as a QSA, provide customers more options in how they prefer, right, to implement security that goes more hand in hand with business decisions and operating as a business day to day.
So we're excited about that change too.
And so I'm gonna turn some time over to Brian. I've been talking a little bit too much myself, but we're gonna be going now into our audit process and how we help our customers.
Doing great, Jason.
Yeah. So I thought it would be helpful, informative, for you guys to kinda follow through the process of what it looks like to work with SecurityMetrics if you wanted to, you know, go through a 4.0 gap assessment or through a full 4.0 assessment.
So let's talk about the different steps and what it looks like from our end. So we start out with what we call the pre-engagement. And, basically, what this is is where we want to get to know your environment and understand, you know, how you interact with card data. Some of the things we're gonna look at are, like, the number of physical locations that can impact the security of credit card information.
We're gonna look at the different card flows you have. We'll look at, are you hosted in the cloud, or do you have an on-prem data center? We're gonna talk about how many employees you have and which groups interact with card data and which ones don't. Right?
We really wanna get a good understanding of what your scope looks like so we can give you an accurate proposal and pricing for this.
Mhmm.
During the pre-engagement, that's when we take care of contracts. We have a statement of work, master service agreement, and then a proposal that explains the description of the services along with the pricing.
One thing I'll add to that too, Brian, is I think a big part of this portion of the engagement, or just the presale activities, right, is really understanding your business. I think understanding who you are gives us a lot of information as to how we'll approach your assessment and, you know, what industry you're in. Obviously, if we're dealing with a service provider where everyone's working remote, everything's hosted in the cloud, it's very different than if we're talking to a university that has several different business units that all handle card data differently and in different functions, that might have multiple deliverables.
You know, understanding who you are as a company is a huge part of how we define the scope and build out a proposal and how we're gonna tailor a service to meet your needs as a company.
You're right. It's definitely not one size fits all, and I think that's where we pride ourselves in, you know, understanding your environment and making sure we get you what you're looking for, and it's accurate from the beginning. So that's great.
Yep.
So once we get through that initial stage, then we get to what we call our initial audit review. This is where you'll begin working with your QSA. Right? You'll begin demonstrating evidence and reviewing policies and procedures, card flows, network diagrams, things like that, so the QSA can begin reviewing your environment to see if you have any gaps, any things you need to implement or have in place in order to meet your PCI compliance.
Really, this is where the bulk of the work takes place.
This is where, you know, we wanna see everything in place. We want you to feel confident, and then we want our QSA to feel confident that you have everything in place to pass the assessment. So this is where, you know, we begin the interviews. Typically, this is done remotely.
We have an awesome tool we call SureLink. It's our project management tool. We went to it about six or seven years ago. We switched over to this new tool that we use, and both our clients and our auditors just rave about how much better visibility and communication it allows.
Basically, with SureLink, you can see all the requirements that are applicable to your specific environment. You can see which ones you need to submit evidence for, whether it be a policy, a screenshot.
You can submit those to your QSA. You can see which ones they accepted. If they didn't accept some of that evidence, then they'll tell you why. You know, you'd add this paragraph into this policy, and then it'll be sufficient, things like that.
So this is, as I've mentioned, where the heavy lifting takes place.
And, really, the QSA will help you understand who needs to be involved.
When they do the assessment, they'll say, you know, here's the teams we need to talk to.
If it's a large company, we work with multiple teams. Some small service providers, you know, we're only working with one or two people, but we really lay out the project at this point so that you have a good understanding of what's gonna be required as far as manpower and time commitments on your end, and time frame as far as what the overall process is gonna look like.
Yeah. And essentially, they're saying, you know, here's where you are today, and here's where we need to get to, and all the items in between.
The one nice thing about being so involved in PCI and, you know, being on the SIGs and as involved as the standard evolves, is we've taken the whole standard and boiled it down to about forty requirements to make it much more manageable as a company. And there are some things where you might provide one piece of evidence that works for multiple requirements. Right? So we're looking for every customer to fit into this box of forty requirements, to at least meet those requirements before we schedule, like, an on-site visit, before we come out and actually start checking the boxes.
And so we really wanna feel confident that you're gonna be prepared and have a successful engagement.
Not many of our customers, it's very, very few. I can't remember the last time it's happened where customers don't pass their assessment. As long as we put in the work upfront, you're gonna have a successful engagement. And, I mean, there are times too, you know, when the QSA comes on-site and he's like, I didn't know about this environment. Right? But it's very, very rare that those things happen. So we work with you here to make sure that, you know, when we get on-site, you're gonna pass.
And this initial audit review process, I think, is one of the main reasons we have such a high renewal rate. Our clients come back to us year after year. That's because we're upfront. We prepare them well. Then, as Jason mentioned, they have a favorable assessment where they can get a passing report. And I think that's one of the major reasons that we've really refined this initial audit review process.
Yeah. And maybe one thing to note too is we also retain all the work that was done in the current year or the previous year. So when it comes time to review, you have all that data again, and a lot of it is just updating evidence. Right?
So we try to make that as simple as possible, and all the evidence is mapped directly back to the requirement. So it's very clear in seeing what you've done and what still needs to be done. So as you're working through to a PCI 4.0 assessment, it's gonna be very clear what changes need to be made and what updates need to be made. Sure.
So, as I mentioned, once you feel confident, we feel confident, you have everything in place, that's when we schedule the assessment.
If you have a physical environment, PCI states that it needs to be an on-site visit to validate your compliance.
A lot of our clients are a one- to three-day on-site visit, depending on the complexities in their environment.
We do have larger customers, or customers with multiple physical locations, that require more days.
But on average, the majority fit in that one-to-three bucket of days for the assessment.
Mhmm. What we're gonna be doing here during this phase is we're gonna be verifying that the things are in place that we reviewed in the initial audit review. So we wanna make sure, you know, actually, we know employees were trained. We saw the training documentation.
We wanna talk to a couple of employees, make sure that they are aware of the importance of keeping credit card data secure. We wanna make sure your firewall rules are implemented as they were documented. We'll review that. There'll be quite a bit of shoulder surfing, where we, you know, watch you run through the systems, make sure that your policies and your documentation are accurate.
We'll be interviewing some key personnel that are involved with the credit cards. We'll look at physical security if you have a physical data center. If you're in the cloud, you know, you can use the AOC of AWS or Azure to cover some of those requirements.
But this is typically, when we do a good job in the initial audit review, we can keep the assessment to a very concise period of time, where it is validating that things are in place as documented and that you are meeting the requirements for the PCI standard.
Yeah. Most of our sales calls now, I mean, we just passed April first, which means we're within the year mark of having to comply with PCI version 4.
And so on every sales call we have, we talk to our customers about what they're doing to prepare for the 4.0 standard today.
And we get a lot of different answers there in what companies are doing. Some companies wanna go right for a version 4 assessment now.
They feel like they're prepared and they understand it. They've read the standard. They can get to it.
And others are a little bit more timid and tentative in their approach. And so what we're doing for those customers is we're tacking on another day to the on-site just to do a 4.0 gap and say, here's what the difference would have been had we done a 4.0 assessment this year. It's still good for a year. Right? You don't have to validate again for another year. But with that said, you still need to be complying with the 4.0 requirements.
So when the QSA comes to do the next year's renewal against that 4.0 standard, they're gonna be looking to see if you've been doing those continual, ongoing requirements that are required. I think there's nothing more painful, right, Brian, than when we have a QSA come back and say, this customer wasn't doing their vulnerability scanning. We don't have passing scans to show for all four quarters. And we're like, what do we do? Right? Those are some of the obstacles that we face when people haven't been looking at PCI as an annual work effort, rather just more point in time. And now that we're introducing more requirements like that, in section six and in section eleven, you know, we need to make sure that when 4.0 comes around, even though your certification is good for a year, they are starting to comply with those requirements.
So doing a 4.0 gap at a minimum. Right? We have every customer at least do a 4.0 gap or the 4.0 assessment now that we're within the year mark.
But doing that gap at least will help you understand and prepare for what needs to happen April first, 2024. And then again, right, when the future-dated requirements come out in 2025. So starting now, it's gonna be, I guess, time much better spent than if you're just gonna try to do it the day before 4.0 launches. Right?
And the effort to do a gap, as Jason mentioned, is pretty minimal. So if you just wanna tack the gap onto your 3.2.1 assessment, it's really the pound of prevention that is well worth, you know, the remediation after the fact. So, yeah, we highly recommend that. It's only a handful of hours additional to help prepare you so you have everything in place and can pass your next 4.0 audit that's coming up without any issues.
Yep. Calm the nerves a bit. And something that's interesting too, we just did a count of the 4.0 requirements, and they're actually less than what's in 3.2.1. So we keep talking about sixty-four new requirements, but they're not tacking on sixty-four requirements to the old standard.
Right? It's actually less than what it was. I don't know by how many, but so it's not gonna be a ton more work from that perspective. They're just new requirements.
So the first year is always the hardest. If you think about the first year you came in and you tried to validate to whatever standard you came in at, it was much harder than year two because you just weren't prepped. So everyone's going through that prep phase again, which is just adapting to new requirements. So get through it the first time; second year, it's gonna be a lot easier.
Promise.
Sure.
So once we finish up with the assessment, we'll come back to our office. We'll begin drafting your report on compliance or completing the self-assessment questionnaire, depending on what level you're attesting to. We typically have you a draft of that report within about a month of the on-site assessment.
If we did find any loose ends that still need to be tied up, you have that time to provide evidence, tie up any loose ends that were found.
And then, really, we want to make sure we have the entire engagement wrapped up approximately sixty days from the assessment. Since it's a point-in-time assessment, the PCI council doesn't want reports being submitted months after. So we try to keep to that, and we're really good at that as well. One of the things we excel at is making sure we're meeting deadlines and timelines.
We know from the initial audit review how much work there is to be done. We can kinda time that to your deadline. If you'd had a ROC before and it expires in August, we know when we need to start ahead of time to make sure we complete it by that deadline as well.
And, really, the other thing too that we pride ourselves in, we limit the number of assessments that our QSAs do each year. That way, they're available. If you have questions, concerns, if you're thinking, hey,
We didn't meet this requirement. We're thinking about going this route or this route. You can call your QSA and say, hey, here's the two options we've identified. Help us troubleshoot the pros and cons of each option and which one's gonna be the easiest or the best or the least expensive option for us moving forward. And so we encourage our customers to reach out frequently to their QSAs.
And ultimately, the QSAs like it as well because they can foresee things and make it easier for them to attest to your PCI compliance.
So, really, the post-on-site work consists of report writing, some consulting, and we highly encourage that that takes place.
Well, and Brian, sorry, I know I moved on a slide there. I'm gonna ask you a question that relates really well to that topic. I mean, what are the two most major complaints that we hear as sales guys about QSAs in our industry?
Yeah. The two biggest reasons, it seems like, we have customers switching over to SecurityMetrics is, one, either they can't get a hold of their QSA or their QSA is not responsive.
And two is they didn't meet deadlines.
They, you know, weren't able to get the ROC done in time, or they needed to have, you know, a draft report ready by this date for the board. And they weren't able to do that with their previous vendor. So that's one of the things we have measures put in place for, like limiting the number of assessments that our QSAs do. We have three points of contact at any time.
If you reach out to your QSA and they don't respond to you within that day, you can reach out either to myself or the sales agent, and we have an account coordinator for the QSA. You can reach out to us and say, oh, yeah, they're flying today. They're coming home.
They should be able to reach out to you tomorrow. Or if you had a question, what is it? Maybe I can help you or I can ping them.
I can ping another QSA and see if I can get an answer for you right away. So you're never waiting or in that frustrating phase of, hey, we're trying to get a hold of our QSA and we can't.
Yeah. I mean, it seems simple, but I think that's one of our biggest differentiators.
We're not out there pushing our QSAs to do forty or fifty ROCs a year. We're pushing them to make sure that they have time to give you the experience you need to have a successful assessment. We've always been focused on the service side of our industry, and making sure that you have a good experience, which is a big part of our renewal rate and why we maintain our customer base for years and years. Right? It's not often that we lose customers going to other vendors. So I feel like it's a topic we need to stress.
That's great.
Thanks for clarifying that, Jace.
We have this nice diagram that we send out with every proposal so people can see, you know, on the top, that's what SecurityMetrics is working on. On the bottom, that's what the customer's working on. So you can see in tandem the workflow, what it should look like. You can see the different stages that we just covered.
Really, we've been doing this from the very beginning. As we mentioned, seventeen years we've been a QSA. No one's been a QSA longer than SecurityMetrics. We've been in that first group, and so we really have a refined process for validating PCI compliance for our partners and clients.
You know, another key point, I kinda hit on this already, is that ongoing support is big with SecurityMetrics in between assessments. Let's say, you know, we finish your assessment in April and you don't have to validate again, or, better scenario here, let's say we finished your report back in January. You still have a full year before 4.0 kicks into place.
But let's say, hey, you understand you're an ecommerce merchant. You saw this new requirement for ecoms that they have to monitor their checkout page. You're not really familiar with that technology or what that entails.
We encourage you to reach out to your QSA. Say, hey, you know, I saw this new requirement. We're an ecommerce merchant.
We really want to ensure that even though we're validating in January, we know by April first we need to have this in place. Can you help us understand so we can prepare, we can put budgets in place if we need to, you know, get new technology in place?
We want and encourage you to reach out to your QSAs.
Yeah. And it better helps answer the question of how does it apply to me. The standard is very vague, or not very vague, but very general on who it applies to. It applies to everybody.
The card brands have a huge task of creating one framework that applies to every process out there. You know, you see in, like, HIPAA, for example, it's very focused on health care. Well, it is focused on health care. That's what they do.
PCI is focused on every business that handles credit card data. And, you know, it won't be too far off that there isn't a company out there that isn't handling a credit card number. Right? It applies to almost every business out there.
And so, getting that answer to that question of how this applies to me, rather than just reading a requirement that's gonna apply to everybody, we feel is much more effective, and it's another way that we're just helping our clients prepare for 4.0 and really any changes. You make a change throughout the year, it's a lot easier for the QSA to say, hey, here's things that you might wanna watch out for. It's gonna simplify your assessment next year, or here's what I'm gonna look for next year, so you can prepare now rather than getting to the assessment and being like, oh, I wish you would have talked to me about this.
We don't wanna run into those scenarios. And if it's a big work effort, right, we can do a separate consulting engagement to just prioritize those items and focus on what changes you're making. We can do those things. But our QSAs will pick up the phone.
They'll respond to emails.
They wanna be involved. So we provide that ongoing support to our partners. So this slide, you know, one of the largest areas of impact that we're seeing with the change to 4.0 comes in a few areas. The first one being scoping.
There's new scoping exercise requirements in the standard. Brian and I and the sales team, we try to do the best we can to get a rough outline of what your CDE is, your card data environment, understanding your flows. But it's possible that we miss something. We're just relying on the information that's provided by the customer, and then we hand off to the QSA.
Now the QSA is gonna be involved in more of a scoping exercise to ensure that we're not missing pieces there.
Like, I gave a scenario when they come out on-site and, like, oh, I didn't know you had a restaurant. You know, you're taking cards there. Like, I didn't know you had a bookstore.
Those elements that might be missing, we don't wanna have that. And the Council doesn't wanna have that either. It doesn't help set you up for a successful engagement. So there's now more of a prescriptive approach to scoping your environment and what's gonna be involved in your assessment.
And there's the whole idea of, I remember when three dot o came out and there was, like, the connected-to systems. And now this new verbiage of not just handle, process, and store, but how do you affect the security of credit card data? We're thinking, man, this is gonna bring in the whole Internet at some point. Right?
Because there's some threat out there that I'm not considering. Well, now there's more of a prescriptive scoping exercise that you'll go through with your QSA.
Obviously, a big focus on the protection of cardholder data. That's what CHD stands for, and the transmission of that data. Then there's anti-phishing and social engineering.
These two services or products that most companies have, it's very common tools that people use as it relates to security and their security efforts, but it hasn't been a requirement necessarily for PCI.
And so adapting that over to now the environments that we're trying to harden, right, that are handling credit card data and those that are affecting the security of credit card data, with anti-phishing and social engineering is a big component and probably a big switch for some people because you're now relying on a third party. You can do some of this internally too, but relying on, for most of us, a third party to provide those services. So anytime you're working with third parties, it adds another layer and depth and complexity, which is overall time, because you're having to coordinate with another company. Then there's the idea of risk assessments.
So before in three dot two dot one, when you made a major change, you might have had to do more penetration testing on that change, some vulnerability scanning, and there were some testing requirements.
Now there's gonna be a formal risk assessment that needs to be done. So this has been a big area of focus for our company, just training and saying, here's what you need to be doing when you perform a formal risk assessment.
Here's the items that you need to look for, and here's actually how it's gonna be required in PCI version four.
But risk assessments, it's gonna add more complexity to the assessment and the prep done for your assessment. But we see this being a very valuable requirement, just for overall security, so that there's not a change after the assessment's done that leads to a breach. Right? Not thinking through some of the components.
You know, you allow someone access to the firewall, but then you never actually close down that access, and that access is now open to a malicious actor. Obviously, we don't want those things to happen.
And then I talked about this too, with authentication and cloud considerations.
Those are two major changes as well in technologies. I mean, those that are using Amazon, it's becoming very complex. Right? And the services and packages and platforms that you can use in AWS.
And so understanding and considering those technologies and tools and environments, you know, containers and EC2 instances, all of those things and how they impact your security. I remember I would dread the day when a customer would call me and they said, hey, I need to scope a pen test. And I'm curious how to do segmentation checks inside Amazon, like, between containers. Like, what do I do there?
I'm like, I don't know. You know, I had to pull in our director of the pen test team every time. Because, luckily, he builds websites on the side and he gets that. He's in AWS, so he understands it.
And he'd have to guide those conversations because it was so kinda gray for a while there, touch and go. But starting to consider more of those components in your environments as they exist in the cloud is gonna be a really good change and a needed change there. So focusing more on how we help you address PCI version four requirements.
This is another unique part of our business that I think has separated us from the competition or made us unique in the industry.
As a company, we've always been focused on solving big problems and issues.
You know, we've been seeing this since we're a PFI, a PCI forensic investigator.
We see how companies are being compromised, and we see how card data is being stolen. And for a while now, we've been having merchants and companies out there that have very simplified PCI requirements, but they're still being compromised.
Right? So it's like, where is the gap there? And why aren't we covering that? One of the tools that we decided to create, and this was about three years ago, maybe more, you know, before PCI version four was kind of in our sights. We started creating the tool to solve the problem in the industry of compromised payment pages. And payment pages and how they, you know, interact with the browser.
It was really cool that we built and patented a tool when PCI four dot o, you know, those conversations started happening and the standard came out and was published to say, now you need, and I'll just read it to you, a change- and tamper-detection mechanism deployed as follows: to alert personnel to unauthorized modifications, right, in your browser, to the HTTP headers and the contents of payment pages as received by the customer browser. And so we've been seeing that the back end code in the browser was being changed and scraping card data. Even if companies were using iframes, they were able to scrape the card data, and the card data still went to the bank. The transaction went through. Nobody knew any different. And, unfortunately, customers were learning that they were compromised six months to a year later.
They didn't know what was going on. And so the forensics team, and one of the members specifically on the forensics team, developed a tool to monitor and track changes that are made to the payment page and specifically the code on the payment page, and how it interacts with the browser.
You know, there are a lot of different browsers out there and a lot of companies have, you know, banner ads. They have all these third party libraries that are interacting with their website and their payment page.
But that code isn't monitored. It's not secured. It's not often reviewed. And to be honest, if you were reviewing it, it's very difficult.
You know, since we came out with the tool, I've looked at a few pages and just the code that exists behind the page. I can't read that. It's just huge; it's all jumbled together. Right? And I don't really understand what's going on there. And I'm not super technical, but I have to imagine it's difficult when you have five hundred lines of code to find which one's malicious.
Right?
We saw that as a problem years ago. So we developed a tool, and the tool itself is called Shopping Cart Monitor, and it specifically applies to section eleven six dot one and this requirement.
So we have a tool, and that's what's been unique: we're just solving that problem, and then it's now part of the requirement.
And this was a unique experience too. What is a payment page? We started talking to customers about this. And we're like, hey, you know, PCI four dot o has a requirement in section eleven where you're required to monitor your payment page now.
And every response that we got was, we don't have a payment page. We don't have a payment page. And I would go on their website, and I would find what I thought was their payment page. I'm like, look, you're taking credit card data right here.
How are you telling me that there's no payment page? We were just really racking our brains on this concept for a long time.
But what we found was, yeah, if you're using an iframe, technically, that payment page is outsourced to a third party. You know, you don't have the payment page. So if you look in the standard and you look at SAQ A versus the full PCI DSS, you'll see that they're phrased a little bit differently. In SAQ A, it specifically calls out iframes.
Right? It says, I think it calls it an inline frame, if you have an inline frame and not a payment page, this is still applicable, essentially.
And that's where we saw a big part of the compromises coming.
So what is a payment page? It's a web-based user interface containing one or more form elements intended to capture account data from a consumer or submit captured account data.
It could be a single document or an instance, a document or component displayed in the inline frame, which is what's referenced in the PCI standard. Or it could be multiple documents or components, each containing one or more form elements, containing multiple inline frames within a non-payment page. So there is that non-payment page portion of the standard that it was referencing, right, that we had a hard time getting around. But this is another question that you can ask your QSA and say, here's our setup.
And here's what we have and how we're taking credit card data from an ecommerce perspective. What are we required to do in terms of section eleven? There's also another section in section six where you're required to actually document the code that's on the page. You need to have some sort of baseline to say here's what's acceptable in terms of the code that's on my page.
You need to have that documented and it has to be reviewed. So section six and section eleven have those changes and we have a tool that's specifically there to help with those things.
And it's called Shopping Cart Monitor. And so we can talk a little bit about how the tool works.
What we do is a very, very non-intrusive approach; it doesn't require any installation at all. I think the most complicated thing we've had to do, which isn't complicated at all, is we had to whitelist the service for a company that was using some sort of security service, right, that was blocking the tool from performing the functions that it needs to.
But what we do is we work with you as a customer to establish what we call the baseline. So we say, here's the code that you have today. Is this all acceptable? As in, it's not compromised right now. I don't wanna be looking at compromised code. Is this what you should expect?
And then once we have a good established baseline, we'll use what we call, like, a synthetic user. It's a script that goes through the payment flow, the same thing that your customer would go through on your payment page. And it pulls the code as it's happening at any point in time throughout the year, and it reviews it against this baseline.
Any differences or any changes from the baseline that are identified are flagged and are pushed to our SOC, our security operations center, to be reviewed. We don't wanna flood your inbox. Although we can if you want, we don't wanna flood your inbox with a bunch of alerts.
We wanna look at those things for you and say, man, it's two in the morning. Do I need to wake up this customer because they're compromised right now? Obviously, you'd rather handle it then than even in the morning. Right? You wanna make sure you get to those as soon as you can. A lot of our customers today are even working with their third parties that manage their sites. If you're not technical enough to resolve the issue, we're happy to provide the information to your third party service provider so that they can take care of the issue today as well.
But that's the big advantage of this tool: one, the malicious actor never knows that we're there.
And two, we're gonna catch any change that happens to that code on the browser level and identify those things. We have just a quick story there. We had one customer that was compromised, and we scanned their site. We found that it had malware.
When we went in to find the malware to do something about it, we couldn't; it wasn't there. We couldn't find it. We looked at it closer in the snapshot that we took, and it actually had a function to self-destruct as soon as someone opened up dev tools to look at the code. I mean, that's how sophisticated they're getting.
And as soon as you stop looking for it, it went and reinstalled itself again.
If we didn't have a snapshot of that code and the hacker didn't know we were there, we never would have caught that. Right? They're getting so sophisticated and it's getting very complex. So the tools need to be evolving to be catching those types of breaches as well.
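To make the baseline-and-compare idea above concrete, here is an added example written for this page; it is not SecurityMetrics' Shopping Cart Monitor, whose implementation is not shown in the webinar. It assumes a captured copy of the payment page (HTML plus response headers, both constructed inline here), records the external script URLs, the hashes of inline scripts and a few security headers, and reports any drift from the agreed baseline, which is the kind of change 11.6.1 asks you to be alerted to.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script>...</script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


# Response headers worth baselining alongside the page body: 11.6.1 covers
# both the HTTP headers and the contents of the payment page.
WATCHED_HEADERS = ("content-security-policy", "x-frame-options",
                   "strict-transport-security")


def fingerprint_page(html, headers):
    """Build the record that is stored as the baseline or compared against it."""
    collector = ScriptCollector()
    collector.feed(html)
    inline_hashes = sorted(
        hashlib.sha256(body.strip().encode()).hexdigest() for body in collector.inline
    )
    watched = {k.lower(): v for k, v in headers.items() if k.lower() in WATCHED_HEADERS}
    return {"external": sorted(set(collector.external)),
            "inline": inline_hashes,
            "headers": watched}


def diff_against_baseline(baseline, current):
    """Return human-readable findings; an empty list means nothing changed."""
    findings = []
    for src in sorted(set(current["external"]) - set(baseline["external"])):
        findings.append(f"new external script: {src}")
    for src in sorted(set(baseline["external"]) - set(current["external"])):
        findings.append(f"baseline external script missing: {src}")
    for digest in sorted(set(current["inline"]) - set(baseline["inline"])):
        findings.append(f"unknown inline script (sha256 {digest[:12]})")
    for digest in sorted(set(baseline["inline"]) - set(current["inline"])):
        findings.append(f"baseline inline script missing (sha256 {digest[:12]})")
    for name in sorted(set(baseline["headers"]) | set(current["headers"])):
        if baseline["headers"].get(name) != current["headers"].get(name):
            findings.append(f"header changed: {name}")
    return findings


# Constructed sample (not a real site): a tiny payment page as captured when
# the baseline was agreed, and a later capture with two added scripts and a
# dropped Content-Security-Policy header.
BASELINE_HTML = """<html><head>
<script src="https://cdn.example.com/checkout.js"></script>
<script>window.merchantConfig = {id: "demo"};</script>
</head><body><form id="pay"><input name="pan"></form></body></html>"""
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://cdn.example.com",
                    "X-Frame-Options": "DENY"}

LATER_HTML = BASELINE_HTML.replace(
    "</form>",
    '</form><script src="https://cdn.example.net/extra.js"></script>'
    "<script>/* unknown inline code */</script>")
LATER_HEADERS = {"X-Frame-Options": "DENY"}


def run_check():
    """Compare the later capture with the baseline; these findings would go to the SOC."""
    baseline = fingerprint_page(BASELINE_HTML, BASELINE_HEADERS)
    current = fingerprint_page(LATER_HTML, LATER_HEADERS)
    return diff_against_baseline(baseline, current)


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

Because the comparison runs on a captured copy of the page rather than inside a live browser session, a script that changes its behaviour when developer tools are opened has nothing to react to, which is the point of the snapshot in the story above.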
We've talked about this too, the whole risk assessment component. So I won't focus too much on this, any more than we already have. But we need to be diligent in reviewing the changes that are made and have a formalized risk assessment process that identifies, like, here's what we're looking for as a part of this change to ensure that, man, we're buttoning things up as soon as that change is made, not the next time that you're being assessed. You don't wanna worry about it then. You wanna worry about it now, as soon as the change happens.
The internal scans. This is a big change too. And if you're not doing this yourself internally, you need to be looking at those vendors that now need to be offering an authenticated scan.
That's a big difference. That means it's not just scanning for open ports and saying, oh, should you close this?
You know, it needs to be using some sort of, you know, credentialed access, like a web application. Right? It needs to be doing more of an intensive scan and reaching beyond where it ever has before. So internal scanning, that's gonna be a big change and one that needs to be prepared for. And what we've been doing for our customers, you know, we have solutions, but we also have a list of, like, preferred vendors that we would recommend to you if you wanted, so you can go out and get bids from a number of companies.
And it's not something that, you know, these companies don't know that we're sending you their way. We don't get any referral fees or anything like that. We've just seen they do a good job. So it's like, here's a list of three companies that you can use to offer the service that meet the requirement, and get your quotes.
There's nothing beyond that. Right? We have no ties to these companies. We just know they do a good job, and they've helped other customers in the past.
So we can provide a list of companies for you if needed.
And then, you know, overall training and reviewing your security awareness training, you know, that needs to be done every twelve months.
And there's very specific details on what that needs to include. You know, these are the type of changes where it's like, it's hard the first year. You know, you gotta do a little bit more prep work to make sure that you're meeting the requirement, that you've got things dialed in. But as soon as you've done it once, the next year should come a lot easier, and it should be a little bit quicker because you've done it before.
I think that's how it is with everything. But our QSAs are here, and they're ready to help you understand what those requirements are today rather than waiting before four dot o comes. Because as soon as four dot o comes, they're required even if your certification hasn't, you know, lapsed yet. Even though it's good for a year, you still need to be compliant with these requirements to be compliant.
And this slide just kinda goes over some of the products that we provide to our customers, and we've been doing for a long time. We've added things on in terms of products that complement our services and help simplify your experience: policies and procedures.
They're written by our QSAs and our legal team. You don't wanna have to go out and write them yourselves or pay for another law firm to write them for you. Right? That can be expensive.
We have a template that comes in a fill-in-form type state where you're just like, here's my company name, here's the employees, and then we offer some consulting to go with them to make sure that you're actually, you know, able to accept the policy as a company, that they're in place and they're actually effective, not just a piece of paper that says I have them. You have to actually represent what's on the page. Right? And so we already have that made up; it simplifies the audit.
We've been an ASV longer than we've been a QSA. That was one of our original product offerings, and we've maintained that certification.
We provide internal scanning, antivirus essentials.
PANscan's a tool that we built to help with the audit process. We use it to identify any unencrypted credit card numbers.
Another funny story there, we have one company that was compromised. And we're like, do you store any credit card data that's not encrypted? Or how do you do it? And, like, no. We don't store any data. Well, turns out we find this Excel file that's really long that has a whole bunch of credit card numbers in it that they've been using to do recurring payments.
And they're like, no. It's not unencrypted, and they just minimize the cell. So it's less than, like, the sixteen digits, and then it kinda x's them out. Right?
You know, we're not saying that's everybody. It's more just kind of a funny story, but, you know, we find stuff like that all the time. Like, maybe someone wrote something down or put it on their machine. You know, we help validate that you're not storing card data that could be stolen later on. This is not encrypted.
Shopping Cart Monitor, we've really beefed up what we can handle on the ecommerce security side. We have security training and then we have a world class pen test team.
You know, that's one of the benefits of PCI four point o and the focus. We're trying to offer penetration testing that isn't so much focused on the twenty percent of your business that you put all of your resources into to harden your systems. You know, we're trying to focus on the organization as a whole and what your risk is and connected-to systems. You know, it was just last week that one of the analysts was able to compromise the entire company from a printer.
Nobody looked at the printer. Right? They're all focused on the CDE and hardening those tools and what you think that people would look at. It's like, no. Most things come through a pivot attack, RDP, you know, they're logging in remotely, but compromise the whole company just from a printer that wasn't secured. Right? Those are the things that we need to be looking at.
And then why choose SecurityMetrics? These are the conversations that Brian has every day.
Yeah. Yeah. I love having these conversations, my team and I. And really, the number one, well, we've listed a few here, but no one has more experience with PCI than SecurityMetrics. We've been in business for twenty plus years. We were in the first group of QSAs to be certified.
We're an ASV and have been for years and years.
So no one has more experience in this space than SecurityMetrics.
The other, our other ability is the SureLink portal that we mentioned before. Our ability to track and communicate clearly what's required, the different stages, who needs to be involved, it really makes the process smooth and as simple as possible. It's not, you know, if you're doing an SAQ D or a ROC, there's over three hundred requirements.
If you're doing an SAQ A, there's only a couple handfuls.
But either way, it needs to be organized and communicated clearly so that everyone understands what the responsibility is and how much work it entails.
Then we also offer, you know, a complete audit solution. We try to be that one stop shop as much as we can. Obviously, we don't provide a service to check every one of the twelve requirements.
But we are, you know, a QSA, a PA-QSA, which is now SSF. We do P2PE. We do PIN. We have an in-house pen test team.
You know, we're trying to provide services that really offer that simplicity so you don't have to go look for a bunch of different services, especially if they're a big aspect of your assessment or things that take a long time that might delay the deliverable. You know, we try to be that complete audit solution for you as a company. And we offer, you know, transparent pricing. You know, it's our goal as a salesperson to get a rough estimate of what this is gonna take to do your audit, you know, correctly.
And also, we try to remain competitive in the space while doing so.
And so we're not gonna be the cheapest company out there. We're happy to admit that. We're not gonna be the most expensive either. We're typically right there around the middle or high middle, I'd say. But bang for buck, we consider our service to be the best for the price that you pay.
You know, and I think customers see that as well, and they stick around a long time because of it. And then the other big component there is just the availability of our QSAs and how we staff them. You know, it's who the people are, how we hire, the candidates we're looking for. And then we make sure that they have time to respond to your questions to resolve those two major concerns in the industry of can't get a hold of my QSA and I'm not getting my reports on time. We don't want those concerns to be associated with SecurityMetrics, so we work hard to make sure that that happens. So we make sure our people are available and give you much more of, like, a handheld experience.
And then, you know, some of the credentials that we have, and we've talked about this a bit. Right? QSA, PA-QSA, SSF, P2PE, PIN, PFI, ASV, and we have a pen testing team. You know, very large depth and understanding of the PCI landscape, the methods, and just working with every different vertical out there.
And even the people that we have, most of them have been in your shoes or been in the customer's shoes. They've worked in retail. They've worked in the cloud. You know, they've worked for service providers.
We can typically find a QSA on our team that understands your business specifically, which goes a long way when you're doing an assessment and trying to compare.
This is our day to day business needs versus here's a rigid regulatory compliance standard that I now need to comply with. Like, where's the middle ground? We feel like we do that more effectively than any other company out there. And I guess, yeah. You don't have to believe us. Right?
Yeah. You don't have to take our word for it. We just wanna read a couple of testimonials, and then we'll jump right into the Q and A. So those of you who've stuck with us and hung on, we'll be at the Q and A section here quickly.
But I'd like to thank Don. Don, the SVP of merchant solutions, gave us this good quote. He says, we've been using SecurityMetrics for on-site PCI audits for more than ten years now. We have continued to come back and return to SecurityMetrics due to the value that has been supplied by them. SecurityMetrics has been around long enough now, and they've been one of the top providers when it comes to PCI compliance, that I know they're in it for the long haul.
So thanks, Don, for that little quote.
So we have Don with NewTek as one perspective and then, you know, the service provider perspective with Charles here.
We were impressed with every aspect of the experience. While audits are never fun, agreed, the experience was positive and educational for our entire organization.
The QSA was clearly an expert in this field and conducted the entire engagement professionally. We're quite happy to be publicly associated with a leader in the security industry. And, you know, those are very common reviews that we get.
You know, not really trying to brag. It's true. And the best part of our job is providing referrals and references. And if you don't believe us, talk to our customers. And we can find a customer that's in your vertical and in your business and say, go talk to them about your challenges and what we did to address those. You know, that's our best selling tool that we have.
And as salespeople, it's the best feeling that we can just sell our company and the work that we provided, which helps us close deals. It's all transparent. We're not trying to hide anything. And, honestly, we do believe that we provide the best service out there in the industry. So we push that pretty hard, and we're happy to let you talk to our customers about it.
Awesome. Let's jump into some q and a here.
I think I can drop my sharing. Right, Brian?
I think you can drop your, I don't know.
But we can read some questions off to you. Someone asked if you could do a quick demo or show the SureLink tool that we talked about. We do have a recorded demo that I'll send you guys; it's on our website. We'll send the link.
If we can't pull it up here in the chat shortly, we'll send it in the recording link as well. Feel free to reach out. We can give you a live demo as well. But the recorded demo, I send it out all the time.
It's very helpful and kinda walks you through what that looks like. Another question is who needs to receive a PCI audit? Specifically, if you're not a level one merchant, do we recommend SecurityMetrics QSA services?
So I get this question all the time as we're talking to clients. And the answer is you're not required to use a QSA or a third party validation firm if you don't meet the, you know, level one service provider or level one, level two merchant.
But where I do recommend it is if you don't have anybody that is familiar with PCI, if you need help understanding how the requirements apply to your specific environment, we can do something as simple as a handful of hours of consulting to walk through specific questions.
Or sometimes I've had clients that reach out and say, hey. We'd really like to see how it's done right. We wanna do it with you this first year. We probably won't exceed the million transaction mark for two or three more years.
We won't use you the next couple years. We'll do it ourselves, but we really wanna see how a QSA firm validates compliance, and we'll kinda follow that template. So those are the instances, if you're not required to use a QSA, where I recommend it. And, really, most companies out there don't have a PCI expert.
It's cheaper to pay for a few consulting hours than it is to hire somebody that's got enough technical knowledge and PCI compliance experience. So you can definitely use our services, and I highly recommend them. It's not expensive to just get consulting. Or if you want us to hand-hold you through an assessment year one so you guys feel confident moving forward in subsequent years, that's when I highly recommend that.
Jason, did you have any insight there as well?
Yeah. Typically, what I say to that, I mean, Brian's right. We do get that question all the time. I think it's a great position to be in where you're not required to have a very detailed deliverable.
You have your options. So I always respond with, how involved do you want us to be? Not every company is the same in terms of even just resources that they have available to tackle a project like this. So it's like, how involved do you need us to be?
And we have a product that really should fit any involvement level that you decide on. Right? From consulting to a gap. We even go as far as doing what we call, like, a QSA-signed SAQ.
So if you can still do an SAQ, we'll walk through that SAQ with you and even sign it for you, where we're not taking, you know, forty five to sixty hours to write you a small book called a report on compliance. You know, you can still do an SAQ. So we're happy to do those as well. And then, to be honest, I wish this weren't true, but Brian and I can't charge for our time. So if you have questions and you're not a customer and we don't know the answer, we'll go talk to a QSA for you. You know? And we'll get you an answer and come back and give it to you.
Obviously, that only works for so many things, but we're happy to. And if that's all the involvement you need, great. Give us a call. Happy to help there too.
Yeah. Quick shout out to our marketing team. They posted up that link for the SureLink demo. Like I said, a three or four minute demo will give you the gist of it, but if you want a live demo, don't hesitate to reach out.
Mhmm.
The next question here is how does shopping cart monitor handle a requirement for the consumer to be logged in to reach the payment page? That's a good question. Jace, do you know I know we can do authenticated testing. Can you elaborate on this?
So part of our process when we go through setting up the tool with you as a customer is we look at, the needed authentication to actually reach the payment page. I mean, we can even handle getting through, I can't I can't remember what they're called. Right? But it's like, check this box.
Yeah. The CAPTCHA. Right? We can even handle those as well. And and it just comes down to the script that we write, and we can write a script per payment flow that you have on the page.
And so every time that script should be getting through exactly as a user on the page. That's why we call it a synthetic user. But it just comes down to writing the the script to make sure that it's authenticating properly, and accessing the actual paying page to complete the flow. And one thing I'll add to that too is we don't actually record any purchases.
It it it, stops the recording as soon as right. It gets that point of, like, I need to actually make a purchase. So we don't go through and make all these purchases on your site. It stops before that happens.
Another really common question that I hear all the time is when do I need to comply with PCI four dot o requirements? Should we just wait until twenty twenty five when it's required?
Jace, I like the way you you format this one, and you kinda you hit on it in the presentation, but you kinda can you kinda reiterate the the importance of not waiting and why you shouldn't wait?
Yeah. And the reason why I like this question was because I had a big learning experience just two weeks ago when another customer asked the same question. And so we went to the QSAs and we're like, hey, they can validate now, and their certification is good for a year.
Do they wait? And his answer was no. You don't necessarily need to do your audit again. But as soon as April 1, 2023 comes, and/or 2024, and then there's the extended requirements of 2025, the future-dated ones, you need to be compliant with all of those whether you're doing an assessment or not.
And so when the QSA comes out, if you have to do an audit, he's gonna wanna see that you've been meeting those requirements from that point in time, especially if they're the ones that's like, prove that you've been doing this quarterly. Right? Prove that you've been doing a risk assessment for major changes. They're gonna wanna see that you've been doing those things, not just point in time, but since the requirements have been required as of April 1, 2024.
So no. Don't wait. That's why starting now is a great time, because you can just do a gap and outline what those are for your business, like, what those specifics are, and start addressing them today and building a plan. And you can grow into them before April 1 comes around next year.
So the sooner the better, obviously, that you can start. We have a wide range of companies that come to us, and there's a common phrase that we use: it's not important until it's important, and then it's really important. Right? Like, we gotta get it done now. So don't wait. Start now before it gets to that point and you have to run around here on fire.
And it can just, you know, ease the anxiety of, like, what's actually required? Is this an easy effort or is this a really difficult effort? It's gonna be different for everybody.
Yeah. And I think that's, you know, the key is to start now to understand what's gonna be required, because some of those requirements need to be put in place and you need to demonstrate that they're functioning. So if you wait till 2025, you have an assessment and you can't demonstrate those things, you're not gonna be able to get a compliant SAQ or ROC until those can be demonstrated. So make sure you're familiar with them. Make sure you find out which ones you need to show are in place, and you'd have to have a history of them being in place. And we're happy to walk through those if you wanna give us a call as well. Another question here is, do you have any other tips or resources to successfully transfer over to PCI 4.0?
We have a ton of resources on our website.
We did a webinar earlier where we kinda sat down with one of our QSAs. It was more kind of the technical version of what Jason and I just gave today.
You can find that on the website. We also have some white papers and stuff that we've put out with, here's the major... I think they have a link here for the sixty-four changes in the chat there.
If you go to that website, go to that link, there's a bunch of references in that section that give you tips and insights on how to prepare to make that transition.
And every year, we publish what's called our PCI guide, and it's written by our audit team. And the most recently published one has exactly that in it.
And it's straight from the perspective of the QSA and what they're seeing right now with their customers. So that's gonna be a really valuable resource. We have a digital copy that you can get off our website, or we'd be happy to send you a physical copy that you can just have on your desk and flip through. And I remember when he used to have one on his desk that he would reference in his sales calls.
You know, it just helps because those are the common questions that people are asking. And so you don't need to ask us or wait. Right? You can just download that guide, or we'd be happy to send you a physical copy.
So I know we're over time here, so we'll wrap up with one more question. Like I said before, if we didn't get to your question, we'll get back to you via email.
So let's see.
Yeah. I gotta pick a good one. Right?
I know.
Well, this is a common one I get all the time. From start to finish, how long does a PCI audit usually take?
This varies widely between customers. We have customers that come to us that have been doing PCI for a decade. They have their t's crossed and their i's dotted, and it happens very quickly. We also have customers that come to us where it's their first time doing a PCI assessment, and it takes them much longer. They find out they have to have a new technology to implement. They have to get budget for that. What I tell customers is, on average, it's a four to seven month process for the average customer.
The fastest I've seen it done, we've had customers get through it in thirty days. I've also seen customers take more than a year. It really depends on when you come to us and how prepared you are already. Now we can typically work at your pace. If you can work through it quickly and have the resources to, you know, meet weekly or a couple times a week, we can get through things very quickly.
But, hopefully, that gives you a good range of what you should plan for if you haven't done it in the past.
Yeah. And I'd just say, you know, sometimes you're working with one person that wears a million hats, and sometimes we're working with a team of people. So it really does vary.
But I would say one of the biggest components of whether you finish quickly or not is just how motivated you are and how big of an initiative it is as a company, how seriously you take it. It's not typically you waiting on the QSA. It's typically the QSA waiting on the merchant, right, or the company we're working with, to give them what they need to review. I mean, their timeline is pretty static. So, yeah, I'd say that four to six month rule is probably a pretty good one. If you're doing it for the first time, maybe closer to a year, depending on the resources you have available to tackle the project.
Awesome. Well, I'd like to thank everybody for joining us today. Look for that recorded demo coming out. It'll also have Jason's and my emails on there if you wanna reach out, schedule a scoping call, or have any questions specifically. As Jason mentioned, we don't charge for our time. But we really appreciate you joining us today and look forward to hopefully talking to you soon.