This is page 2 of:
When It Comes To PCI Compliance, Franchisors Are Screwed
Now let’s look at each of these options. In the first approach, chains could decide to stick with the “you figure it out and make sure it’s right” mentality that is seen in most franchise agreements. With this method, the brand is putting its faith in the franchisees to be able to sort through the mess of PCI on their own (individually), determine the right approach and implement it. And if one single franchisee does not do this 100 percent and is breached, then the chain’s name makes the headline (not the single franchisee). This approach is obviously not one that most franchisors would like to take.
In the second option, the chain would require each franchisee (as part of their franchise agreement) to show proof that an audit has been completed for each location. But if each franchisee is a Level 4 Merchant, PCI Compliance does not require an audit. So there is bound to be a significant pushback from the franchisee on bearing the audit’s costs. Also, what happens if the brand wants to maintain a standard higher than PCI Compliance requires (for example: tokenization and/or end-to-end encryption)? What standard will the franchisee be audited against?
The third option would be to put together a comprehensive program that requires franchisees to implement various brand standards. This approach would include technology standards for which hardware and software is used, how it is installed and how it is supported. It would include process standards for how the technology is to be used and not used. It would also include communication standards for how to communicate as the result of various events. This option gives the brand far more control over protecting itself, but it takes on far greater legal liability as a result. Telling your board of directors that you have just assumed most of the legal responsibility for franchisees’ PCI Compliance is not exactly a wonderful conversation either.
The bottom line is that the people who are managing the PCI process (often CIOs, unfortunately) are left with the task of figuring out which set of problems they want to face, rather than which approaches meet the brand’s need. Their presentation to executive leadership or the board of directors is a “good news, bad news” story. Each approach carries its own set of risks and its own financial impact.
What do you think? Love it or hate it, I’d love to gain some additional perspectives. Leave a comment, or E-mail me at Todd.Michaud@FranchiseIT.org.
-Marc
December 17th, 2009 at 10:55 am
What a complicated situation. We provide our independent dealers with a POS system that is integrated with credit card processing back to FD through dedicated circuit. The router in the stores are on different connection types and connect back to the system through VPN. These dealers are completely uninformed about PCI and are looking to us to make the issue go away. The temptation (and even the suggestion by a FD customer service person) is to just answer “yes” to the online self assessment on questions that you aren’t sure of the answer. All these retailers are level 3 or 4 and wouldn’t need an onsite audit, but they don’t even understand what the issue is.
Those clunky old hyperterminals on dialup look a little more attractive these days :/
December 18th, 2009 at 12:12 pm
It’s a really good point. There’s so much involved with compliance. Just because the PoS software is PA-DSS, doesn’t mean the entire hardware solution is. Just because the physical devices are, doesn’t mean the user is using ‘best practices’ and eating the PCI dogfood.
Obviously, no one really wants to take responsibility, and it usually falls on the person who has the least to lose, but also is the least capable of achieving proper implementation.