There's entire industries of experts who work on these tasks, and they don't just work for people trying to skirt the rules. I've hired people for both tasks and the reason was specifically to comply.
NIST, MS, and the security community all recommend against forcing people to change their passwords on fixed intervals. They should only be changed when there is an indication they have been compromised.
PCI requirements demand mandatory 30 day rotation intervals on user passwords for users with administrative privileges, IORC. Something like that.
They haven’t kept up. So until they change the rules you can either be PCI compliant or implement the current best practice. Not both.
Someone has to understand the codes and how they might be applied to a specific project, and direct a project such that the outcome will comply.
Codes dont provide a blueprint for a house or a bridge. They stipulate features and properties that it must have. Design resides with the firm.
Privacy isn’t complex, compliance is.
> Tax laws are also quite easy
Yet audits are still a pain.
> tax lawyers are only needed if you want to NOT pay
This is nonsense. Tax lawyers are sometimes used to skirt the law. They’re much more often there to help prove you followed it.