When It Comes To PCI Compliance, Franchisors Are Screwed

Written by Todd L. Michaud
December 16th, 2009

Franchisee Columnist Todd Michaud has spent the last 16 years trying to fight IT issues, with the last six years focused on franchisee IT issues. He is currently responsible for IT at Focus Brands (Cinnabon, Carvel, Schlotzsky’s and Moe’s Southwestern Grill).

When it comes to franchise-based retailers, PCI Compliance is broken, plain and simple. It simply does not address the complexities of the franchisee/franchisor business model and, in the end, leaves the franchisor holding the bag. Because each franchisee is a separate merchant, most large franchise organizations are only required to meet PCI Level 4 requirements. Chains are forced to make tough decisions about how much risk they are willing to accept and what they are willing (or not willing) to do to protect their brand integrity.

It boggles my mind that millions of dollars are spent each year to “secure” database lookup (authorization) and database write (settlement) transactions. Tokenization and encryption should have been required years ago. Although not all techies agree that this approach is best, I think we all agree that it is much better than nothing. But too many companies–my firm included–are going to have to spend too much money to implement such daydream adventures, so we keep living with a broken system. Unfortunately, this broken system has left franchisors with no “good” options.

Most franchise agreements contain terminology stating that franchisees are responsible for running their business in compliance with all local, state and national laws, regulations and industry standards. The agreement basically says that franchisors are not going to define what compliance means, but that we do require franchisees to be compliant. This approach places the burden on franchisees to understand what is required for their businesses and then to react appropriately.

When it comes to taxes, for example, these agreements mean that the franchisees should be asking an accountant for advice. When it comes to ADA compliance, it probably means franchisees working with their architect or their general contractor. But when it comes to PCI Compliance, who should be advising them on what to do?

Should they consult with their POS manufacturer? The POS service company/dealer? Their merchant processing bank? Their network provider? The brand? The biggest myth of PCI Compliance is that if your POS is compliant, then the merchant is compliant. The reality is that all of these organizations need to be involved to be successful. And yet that approach amounts to a lot of work, which is highly technical in nature, to be done by people who are not always skilled with technology.

To make matters worse, I am sure that as a result of the lawsuit filed against Radiant and its dealer, POS companies are going to clearly define–in contract terms–where their responsibilities start and end.

Many franchisees look to their brand to provide them with instructions or guidance. This proposition, however, is risky for the brand for three reasons:

  • The main reason the brand typically does not define compliance is because if they do, they are obligated to update that definition as all laws and regulations change, even at a city or county level. This approach requires a huge amount of work that is not easily scalable.
  • Second, and similarly, if the brand recommends or mandates technology approaches used in the PCI ecosystem, it is setting itself up to be liable should any of those systems fail. (“I purchased what the brand told me to purchase and I was breached. It is the brand’s fault and I’m suing.”)


2 Comments | Read When It Comes To PCI Compliance, Franchisors Are Screwed

  1. Joe Says:

    What a complicated situation. We provide our independent dealers with a POS system that is integrated with credit card processing back to FD through dedicated circuit. The router in the stores are on different connection types and connect back to the system through VPN. These dealers are completely uninformed about PCI and are looking to us to make the issue go away. The temptation (and even the suggestion by a FD customer service person) is to just answer “yes” to the online self assessment on questions that you aren’t sure of the answer. All these retailers are level 3 or 4 and wouldn’t need an onsite audit, but they don’t even understand what the issue is.

    Those clunky old hyperterminals on dialup look a little more attractive these days :/

  2. PoS Manager Says:

    It’s a really good point. There’s so much involved with compliance. Just because the PoS software is PA-DSS, doesn’t mean the entire hardware solution is. Just because the physical devices are, doesn’t mean the user is using ‘best practices’ and eating the PCI dogfood.

    Obviously, no one really wants to take responsibility, and it usually falls on the person who has the least to lose, but also is the least capable of achieving proper implementation.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.