The Compliance Conundrum

A client of ours recently attended a session at a trade show where the speaker told the story of a company being sued because their website wasn't compliant with the Americans with Disabilities Act (ADA) Standards for Accessible Design. His concern prompted him to ask me about his own site and his company was in any legal danger. My answer was surprising and discomforting as I told him that, yes, his company may be danger. But if it was, it was for more than just ADA compliance, and more than just for his website. And it's not just his company that's in danger, it's the majority of companies. 

Including yours! 

With so many complex business rules, regulations and standards, total compliance to every one of them is nearly impossible. It's not just ADA. It's the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Can Spam, Payment Card Industry Data Security Standard (PCI DSS), and as of last week, the General Data Protection Regulation (GDPR). Additionally, websites are also subject to specific laws and regulations that cover copyright, domain names, trademark, defamation, linking, framing, and marketing practices.

However, while all these effect a company's website, the vast majority of rules and regulations don't apply to just the website. Many are only a part of any business' entire set of compliance requirements. And that's the conundrum. As a best practice marketing and technology agency, we have consistently been faced with the challenge of taking what should be a top down enterprise compliance plan and having to drive it from the bottom up.

When PCI-DSS standards were first introduced to protect customer credit card data, Trivera began to anticipate our clients' needs to make sure their websites would become compliant by talking to them about the services we knew they would require...installing SSLs, implementing encrypted storage, regularly updating Content Management Systems, ecommerce engines and server operating systems. We were astounded at how few of them even knew anything about the new standards before we mentioned them. Even clients who were already handling credit cards outside of their websites were completely unaware of PCI-DSS compliance standards. They knew nothing about the regulations and requirements that extended beyond the web site to cover employee computers, internal software systems, any employees in the enterprise with access to customer credit card info, and even any customer information stored in paper files. Of the dozens of our applicable clients, only one was proactive and had already contracted a PCI-DSS compliance firm to assure the enterprise was in total compliance. Our role in that compliance was driven, not by the marketing team, but rather the legal, financial and IT teams. They would send us copies of their quarterly audits, so we could address and fix any issue and have them added to the larger enterprise compliance list.
Unfortunately, clients like that are exception rather than the rule, not just for us, but for the market in general. Even though every major data breach to date has been found to have happened to organizations not in PCI-DSS compliance, many businesses (45% by one study*) choose to risk fines and compromised customer credit cards and remain non-compliant with PCI-DSS standards, 

It is frustrating to us as a digital agency because convincing a client's marketing people to champion the effort often results in only getting the website and digital marketing efforts in line. That expense then gets taken out of the marketing budget, leaving us less time to spend on effective marketing, leading to declining revenues and increasing doubt about our value to them as their agency.

So, to reduce the potential liability we still strive to provide common best practices for building, hosting and maintaining websites and other digital marketing tools to achieve at least a degree of compliance. The Magento ecommerce platform is created to protect customer credit card information if it is kept updated. A best practice UX design philosophy provides accessibility for people at any level of ability. But once customer credit card information is exported from Magento and stored on other computers, the entire company will fail a PCI-DSS audit. An ADA compliance scan will show additional areas of compliance that are lacking. We do what we can, but with the thousands of federal, state and local requirements for total compliance for systems, facilities, and the million other things that need to meet full requirements, our efforts still feel like we are using a band aid to cure cancer. 

Putting the responsibility for regulatory compliance on a company's marketing decision makers...and their digital agency...puts us all in a no-win position. A new attitude must prevail. Enterprise-wide compliance must be being driven from the top down, assisted by specialists with the expertise, skills and tools that will guide everyone...including your digital marketing team...to play their role in making sure your entire organization. Only then will your website be compliant and your customers all be safe and secure.

* 2017 Verizon Payment Security Report 

About Tom Snyder

Tom Snyder, founder, president and CEO of Trivera, a 22 year old strategic digital marketing firm, with offices in suburban Milwaukee.  Tom has been blogging since 1998, sharing the insight gained from helping businesses and organizations reinforce their brands by taking full advantage of digital and Web technology as powerful tactics in their marketing and communications strategy.

Photo Credit: Adobe Stock

Share this article