Evan Schuman's StorefrontBacktalk

Every franchisor organization I know is struggling with PCI compliance. There seems to be a universal debate over how involved a franchisor should be, and what legal liability an organization assumes as a result of that involvement. If the franchisor pushes off PCI responsibility (“Hey Mrs. Franchisee, PCI is your problem, not ours.”), then it runs the risk of brand reputation/image issues as the result of a breach at a franchised location due to little or no information security. On the other hand, while getting more involved with PCI compliance may reduce the brand reputation/image risk, it increases the legal liability (“I implemented the system that you told me to. If I’m in trouble, then you are too.”).

Early in the day, one of the speakers (a third-party security vendor) strongly recommended franchisors take on the ownership of their franchisees’ PCI compliance/information security. The argument was that franchisees simply do not have the knowledge and capabilities to do it on their own. Yet later in the afternoon, Visa announced it is creating a new category of service providers to cover franchisors that offer PCI-related services to their franchisees.

The brand wants to close the “loophole” it found, where franchisors were not obligated to report franchisee compliance but still provided info-sec packages to those franchisees (some of which were breached). Let me just say how excited I am about that prospect.

What kills me is that so many little changes should make such a big impact. And yet, as far as I can tell, no one is taking the time to look at any of those changes. Here are just a few items on my long wish list:

• Get rid of the confusing acronyms. PCI DSS and PA-DSS are too close and too confusing. Create “Certified Payment Solution” and “Certified Merchant” categories. Don’t allow people to claim they are PCI compliant when they are actually PA-DSS compliant. It may be easier for them, but it confuses the heck out of merchants.
• When something requires you to answer more than 200 questions that you do not know the answer to (or even know who to get the answer from), then you cannot call it a Self-Assessment questionnaire.
• Put the “Single Function Per Server” requirement in the SAQ C document. This is probably the biggest debate I have with my franchisees. You should not be using your POS server for anything other than POS/Payment applications. Because it does not appear on the SAQ C, most of my franchisees do not believe Single Function Per Server is a true requirement. Worse yet, some PCI vendors are supporting that notion.
• Too many times in Wednesday’s session, people talked about “Best Practices.” It should be known that most franchisees will not spend money on what they “should” do. They will only spend money on what they “need” to do. If it is not on the “must do” list, it will likely not get done.
• Implement both incentive programs and fines for non-adoption. Encourage good information security behaviors rather than simply having companies target the minimum requirements (what the current system does).
• Ask the franchisor CIOs or PCI Compliance Leads for advice in addressing the issue. Each time I talk to one of my peers I learn something new and valuable. Why not leverage this vast experience? Don’t just talk to the large companies. Chat with the brands that have 50 to 500 stores, too. The big companies have larger IT staffs to help franchisees to work through issues. A 50-unit franchisor may only have a single help-desk person who supports corporate PCs. This organization has different needs than a Subway or Burger King.

What are your thoughts? I’d love to gain some additional perspectives. Leave a comment, or E-mail me at Todd.Michaud@FranchiseIT.org. You can also follow me on Twitter: @todd_michaud.

And don’t forget to follow my Ironman training progress at www.IronGeek.me.