Payment Card Standard Should be a Major Concern for all Franchise Systems
Protecting your customers’ cardholder data and your brand image in the marketplace are paramount issues.
The Payment Card Industry Data Security Standard is a comprehensive set of requirements that apply to all merchants who accept credit cards regardless of how those transactions are accepted. The PCI DSS is written and maintained by the PCI Security Standards Council (www.pcisecuritystandards.org) which was founded by the payment brands: Visa, MasterCard, American Express, Discover and JCB. The standard defines a minimum baseline for protecting all cardholder data.
Information security has become of critical importance for all businesses, large and small, including all franchisors and their franchisees. Our businesses rely on customer trust and PCI helps us to earn and maintain this trust.
During the spring of 2012 the International Franchise Association’s IT Committee (now the Marketing and IT Committee) embarked on a project to create a document for IFA members to use as a reference tool while evaluating their risk levels and plans of action to maintain compliance for their system. Until now there has not been any specific guidance for franchise systems by any of the main governing bodies.
Most information has been directed at merchants in general, but not taking into account the nuances of the relationship between the franchisor and franchisees. IFA continues to work with the PCI Council to refine our educational tools and advise the council as to how the franchisor/franchisee relationship may be affected by rules as they are implemented. IFA’s guidance paper on PCI is available for downloading at http://bit.ly/16wWP4W.
Think of PCI compliance as a chain, and as with any chain, if any one link in that chain is not compliant then the entire chain is at risk. Think of every touch point where the credit card data touches as a link in that chain.
1. The customer hands the card to your team member. Are they trained to handle that card securely, taking care that the number is not written down and that the card is not visible to other employees or customers?
2. The team member swipes the card in the POS terminal. This is where most franchisors make a costly false assumption: “The POS companies have done everything they need to do to be POS compliant and as such my franchisee is secure.” Well, yes and no.
- It is true that most POS companies have done everything they need to do to keep their software and hardware compliant, but are 100 percent of your franchisees operating on the current version? POS companies are constantly making updates to their systems to stay current with the PCI standards. As they change, in many cases these updates cost your franchisees money. Many franchisees, due to the cost, do not install the updates since the old version seems to be working just fine. What are you doing to make sure they comply with these updates?
- Even if your software is updated in all units, if any of the other items listed in this chain are not being done, just having a compliant POS system does not make your franchisee compliant.
3. How does your POS communicate with the payment processor? If via an IP line through a router, is the POS traffic properly firewalled? The biggest threat we are seeing here is that many franchisees use remote security camera systems so they can view what is going on in their stores while away. Those systems require an open port in your router, which gives a hacker a potential way to break in and gain access to the POS. Security systems and customer WiFi access should be either on a separate IP network or, at the very least, firewalled off from the POS in the router by a professional IT person.
4. The Payment Processor. This should not be too much of a concern as pretty much all have done what they need to do with their systems to stay up to date.
5. Your franchisee must complete their annual PCI Self-Assessment Questionnaire and, if connecting via an IP line, perform a quarterly network scan.
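Item 3 above comes down to one question a reviewer can ask of a store router: does anything other than the POS itself get a path into the POS network, and does the POS get a path to anything other than the processor? The script below is an added example, not from the article or any POS or router vendor; it models a store as three segments (POS, cameras, guest WiFi) and audits a list of router rules for the two flat-network mistakes the article describes. All subnets, the processor address and the rules are constructed placeholders.

```python
"""Segmentation audit for a store router: POS vs. cameras vs. guest WiFi.
Added example (not from the article); all addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
SEGMENTS = {  # one VLAN per role, constructed RFC 1918 ranges
    "pos": ipaddress.ip_network("10.10.1.0/24"),
    "cameras": ipaddress.ip_network("10.10.2.0/24"),
    "guest_wifi": ipaddress.ip_network("10.10.3.0/24"),
}
PROCESSOR_HOSTS = {"203.0.113.10"}  # placeholder for the payment processor gateway

@dataclass(frozen=True)
class Rule:
    kind: str              # "forward": inbound port forward; "allow": permitted flow
    src: str               # "internet" or a segment name
    dst: str               # destination host or network (CIDR)
    port: Optional[int] = None

def segment_of(dst: str) -> Optional[str]:
    """Return the store segment containing dst, or None if it is external."""
    net = ipaddress.ip_network(dst, strict=False)
    for name, seg in SEGMENTS.items():
        if net.subnet_of(seg):
            return name
    return None

def audit(rules: List[Rule]) -> List[str]:
    """One finding per rule that exposes the POS segment; empty list means clean."""
    findings = []
    for r in rules:
        seg = segment_of(r.dst)
        if r.kind == "forward" and seg == "pos":
            findings.append(f"inbound port {r.port} forwarded into POS segment: {r.dst}")
        elif r.kind == "allow" and seg == "pos" and r.src != "pos":
            findings.append(f"{r.src} may reach POS segment: {r.dst}")
        elif r.kind == "allow" and r.src == "pos" and seg is None and r.dst not in PROCESSOR_HOSTS:
            findings.append(f"POS may reach non-processor host: {r.dst}")
    return findings

# Flat store (the article's risk): camera DVR on the POS LAN and exposed for remote
# viewing, customer WiFi routed onto that same LAN.
FLAT_STORE = [
    Rule("forward", "internet", "10.10.1.50", 8000),
    Rule("allow", "guest_wifi", "10.10.1.0/24"),
    Rule("allow", "pos", "203.0.113.10", 443),
]
# Segmented store: DVR on its own VLAN; POS may only reach the processor.
SEGMENTED_STORE = [
    Rule("forward", "internet", "10.10.2.50", 8000),
    Rule("allow", "pos", "203.0.113.10", 443),
]
```

Running `audit(FLAT_STORE)` returns two findings (the exposed DVR and the guest WiFi path into the POS segment), while `audit(SEGMENTED_STORE)` returns none; the same check can be run against an export of each franchisee's router rules to feed the system-wide reporting discussed later.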
As a franchisor, why should I worry about this? It’s all about what my franchisee does, right?
No, not really. Remember the “chain” I described before? If just one of your franchisees is not doing what needs to be done, your brand is at risk. Your brand has spent untold resources building its reputation. Imagine the damage to that reputation that could be done by a breach. The press loves to put nationally recognized names in their headlines – it sells papers and draws viewers. You do not want this type of press. Plus, it would not take too long for an attorney to draw a line between the franchisee who was breached and the franchisor who has set policy that a certain POS system or router network or security camera system should be used by all stores.
At a minimum, as a franchisor you should have a firm data security policy, as part of either your franchise disclosure document or your operations manuals, that all franchisees are required to follow. In addition, you should consider getting system-wide reporting on the status of your franchisees’ PCI compliance on a regular basis.
If you require all of your franchisees to use the same payment processor, that processor can help with this process. But if you are like many franchise systems, with several processors working with your franchisees, you may want to consider having a third party do all of the compliance work for your franchisees so you can have constant system-wide reporting.
Once you have this reporting in place, you can work with those franchisees who have not completed their compliance to get them up to speed. Plus, you will have a record of training, remediation and non-compliance if one of those franchisees does get hacked.
At the end of the day, this is all about protecting your customers’ cardholder data and your brand image in the marketplace. This is no longer something that should be viewed as just a nuance that you will get to when you can. PCI data security has become an item that should be one of the top risks that your franchise system addresses for your franchisees to remain secure and profitable.
Tom Epstein, CFE, is chief executive officer of Franchise Payments Network. Find him at fransocial.franchise.org via the directory.