by twright0 3768 days ago
> Successful startups all, and I mean ALL, have serious compliance issues.

This feels like a very hyperbolic claim. There are definitely high-profile examples of startups that had compliance issues and are struggling to bring them under control or remain in arguably grey areas (Zenefits is an example of the former, Airbnb the latter). But it's hard to imagine that it's a truly universal problem; many startups are in industries without heavy regulatory rules. Can you elaborate on what makes you believe this to be the case?


A successful startup is one that has grown rapidly in recent years. No growth = not successful, and not recent = not a startup. Any tech company that grows quickly starts bumping up against any number of compliance issues, both legal (i.e. HIPAA) and private (i.e. PCI). Today's growth curves don't keep pace with many of these regulations. As you expand laterally into new markets you constantly run into new obligations. And as you expand vertically (increased sales) you trigger new expectations, especially the PCI DSS. The chances of anything rationally called a startup having accommodated these things are astronomically low.

Ask any tech lawyer to list all the laws applicable to a startup. Bring a lunch. Until a company has devoted resources (i.e. a full-time compliance team including lawyers) and has a decade or so of experience with the relevant rules, imho proper compliance is a pipe dream. At best you can hope to keep the wolves away long enough to get whatever they want ready asap.

Anyone here working at a startup, just have a look at the PCI DSS, specifically the SAQ you are meant to fill out every year (if you handle credit cards). And this is basic compliance 101 stuff, no lawyers required.

https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merc...

All that being said, when your frickin business is selling HR stuff, you should be on top of compliance. Jesus.

They had people selling health insurance without a license. This isn't just a failure to sit through the "don't bribe foreign officials" training.

Isn't that why many companies are using Stripe and similar payment processors now?

https://support.stripe.com/questions/do-i-need-to-be-pci-com...

>> "Just go to your security settings and click on “View completed document”. We have pre-filled the documents for you."

Services like these are part of the problem. They can verify that the service they provide is compliant, but nobody can determine remotely whether or not you are compliant with something like PCI. You cannot outsource compliance. It is something you have to actually do.

And FYI, these "iframe" services that allow a merchant to opt for SAQ-EP rather than the longer SAQ-D might be going away in the next couple of years. Merchants may have to go with a full redirect, not a frame, if they want to wash their hands of CHD.

Agreed... A very astute comment...

Things move quickly...and that's an understatement...

There is a fever that descends upon a team on the brink of hitting a "home run"...the push is incredible..

Do what needs to be done NOW, we'll clean up afterwards...so difficult to resist...

I imagine just about every company, startup or not, has compliance issues; it's just a matter of degree. (Then again, I am an environmental compliance consultant, so there's some selection bias in which companies I interact with.)

The qualifiers in "successful startup" and "serious compliance issues" make it hard to say whether the statement is objectively true or not, but I see two factors that probably exacerbate the problem for startups: regulations designed by established companies to thwart upstart competitors, and the "disrupt"/"move fast and break things" attitude that doesn't mesh well with red tape.