Compliance in an Agile World · 2020. 8. 12. · Compliance in an Agile World Kim Sutch Product...

Post on 03-Oct-2020


Compliance in an Agile World

Kim Sutch
Product Director - Payment
Kimberly.sutch@target.com


Discussion Topics

• Why is this important? (In a Land before Agile)
• Overview of Payment and Compliance/Security/Mandates
• The Players/Partnerships/Collaboration
• Aligning Objectives
• Execution
• Oversight and Communication


History Lesson

• Before moving to the agile model, these things were taken up and done by teams, as needed.
• Project Prioritization and Funding was in a different model and provided resources, as needed, to isolate them from compliance work.
• Immediately post transition we were in whack-a-mole
• Formulated a strategy on approach and how to simplify the request and the efforts


Overview of the Payment Product


• In Store Payment
• Online Payment
• Settlement and Reconciliation
• Proprietary Tenders
• Major Network Cards
• Target Giftcards
• Government Tenders
• Checks
• Electronic Tenders
• Returns Information
• Giftcard Issuance
• Open Loop and General Purpose Cards

Mandates, Security, Compliance

• Major Credit Card Networks Mandate
  • Twice Yearly
  • Complete them or be fined or pay more per transaction
• Security
  • Payment Card Industry Data Security Standard (PCI)
  • Internal Requirements
• Compliance
  • Sarbanes Oxley (SOX)
  • Internal Audit Remediation
  • Gramm-Leach-Bliley Act (GLBA)


Aligning Objectives


Objectives and Key Results

Payment Product Execution


Company Processes
• Company Strategy
• Business Quarterly Business Review
• Technology Business Review
• PCI Audit
• SOX Audit
• GLBA Audit

Feature Input Teams
• Architecture
• Business Vendors
• Other Product Teams
• Guests
• Infrastructure
• Security
• Compliance

Product Teams
• OKR’s/Value
• Prioritization
• Discovery
• Feature/Story Definition
• Scope Management
• Data/Metrics
• Story Boarding

Execution
• Quarterly/Sprint Planning
• Scrum/Kanban
• Feature/Story Sizing
• Dependency Management
• Continuous Planning
• Continuous Improvement/Learning

Engineering Teams
• Dev + Ops
• Automated Testing
• BDD/TDD
• Technical Runway
• Telemetry
• Pair Programming
• Code Reviews
• CI/CD
• QA Engineer (E2E)
• Support

Transparency, Alignment, Built-in Quality

Deliberate Collaboration


[Diagram: status check-ins with partner groups. Five are labeled "Every other week Status" and one "Status As Needed".]

Meeting Stakeholder Needs

Questions to Ponder for Prioritization

• When is the compliance requirement due?
• What happens if we don’t do it?
• Is there other value associated to this change?
• Is it more important than our current business value deliverables?
• Can we ask for an extension?
• Are others able to comply or will the requirement move out?
• Can we ask to do it differently?


Success Metrics

• Improved accuracy on meeting compliance obligations
• Better knowledge and insight into the asks, and why
• Alignment on timing and objectives


Oversight and Leader Communication

• Weekly Product Leadership Meetings
• Weekly InfoSec Meeting
• Continuous planning of compliance stories
• Published Objectives and Progress
• Published Roadmap


What’s Next

• System alignment and integration for updates on asks
• Continuing to have more planning around compliance, mandates, security
• Explore automation to make these updates faster and easier


Q and A
