StorefrontBacktalk

When It Comes To PCI Compliance, Franchisors Are Screwed

Written by Todd L. Michaud

December 16th, 2009

Franchisee Columnist Todd Michaud has spent the last 16 years trying to fight IT issues, with the last six years focused on franchisee IT issues. He is currently responsible for IT at Focus Brands (Cinnabon, Carvel, Schlotzsky’s and Moe’s Southwestern Grill).

When it comes to franchise-based retailers, PCI Compliance is broken, plain and simple. It simply does not address the complexities of the franchisee/franchisor business model and, in the end, leaves the franchisor holding the bag. Because each franchisee is a separate merchant, most large franchise organizations are only required to meet PCI Level 4 requirements. Chains are forced to make tough decisions about how much risk they are willing to accept and what they are willing (or not willing) to do to protect their brand integrity.

It boggles my mind that millions of dollars are spent each year to “secure” database lookup (authorization) and database write (settlement) transactions. Tokenization and encryption should have been required years ago. Although not all techies agree that this approach is best, I think we all agree that it is much better than nothing. But too many companies–my firm included–are going to have to spend too much money to implement such daydream adventures, so we keep living with a broken system. Unfortunately, this broken system has left franchisors with no “good” options.

Most franchise agreements contain terminology stating that franchisees are responsible for running their business in compliance with all local, state and national laws, regulations and industry standards. The agreement basically says that franchisors are not going to define what compliance means, but that we do require franchisees to be compliant. This approach places the burden on franchisees to understand what is required for their businesses and then to react appropriately.

When it comes to taxes, for example, these agreements mean that the franchisees should be asking an accountant for advice. When it comes to ADA compliance, it probably means franchisees working with their architect or their general contractor. But when it comes to PCI Compliance, who should be advising them on what to do?

Should they consult with their POS manufacturer? The POS service company/dealer? Their merchant processing bank? Their network provider? The brand? The biggest myth of PCI Compliance is that if your POS is compliant, then the merchant is compliant. The reality is that all of these organizations need to be involved to be successful. And yet that approach amounts to a lot of work, which is highly technical in nature, to be done by people who are not always skilled with technology.

To make matters worse, I am sure that as a result of the lawsuit filed against Radiant and its dealer, POS companies are going to clearly define–in contract terms–where their responsibilities start and end.

Many franchisees look to their brand to provide them with instructions or guidance. This proposition, however, is risky for the brand for three reasons:

The main reason the brand typically does not define compliance is because if they do, they are obligated to update that definition as all laws and regulations change, even at a city or county level. This approach requires a huge amount of work that is not easily scalable.
Second, and similarly, if the brand recommends or mandates technology approaches used in the PCI ecosystem, it is setting itself up to be liable should any of those systems fail. (“I purchased what the brand told me to purchase and I was breached. It is the brand’s fault and I’m suing.”)

Pages: 1 2

Posted in E-Commerce, In-Store, IT Strategy/Industry, Payment Systems, Security/Fraud

2 Comments | Read When It Comes To PCI Compliance, Franchisors Are Screwed

Joe Says:
December 17th, 2009 at 10:55 am
What a complicated situation. We provide our independent dealers with a POS system that is integrated with credit card processing back to FD through dedicated circuit. The router in the stores are on different connection types and connect back to the system through VPN. These dealers are completely uninformed about PCI and are looking to us to make the issue go away. The temptation (and even the suggestion by a FD customer service person) is to just answer “yes” to the online self assessment on questions that you aren’t sure of the answer. All these retailers are level 3 or 4 and wouldn’t need an onsite audit, but they don’t even understand what the issue is.

Those clunky old hyperterminals on dialup look a little more attractive these days :/
PoS Manager Says:
December 18th, 2009 at 12:12 pm
It’s a really good point. There’s so much involved with compliance. Just because the PoS software is PA-DSS, doesn’t mean the entire hardware solution is. Just because the physical devices are, doesn’t mean the user is using ‘best practices’ and eating the PCI dogfood.

Obviously, no one really wants to take responsibility, and it usually falls on the person who has the least to lose, but also is the least capable of achieving proper implementation.

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retailing Column every month at Retail-Week.com. Please click here for an archive of those columns.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.