Evan Schuman's StorefrontBacktalk

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Last week Visa officially brought corporate franchisors into the world of Level 1 merchant service providers by requiring them to register as Third-Party Agents, with all that that implies. At one level, the increased visibility, attention to PCI compliance and stricter validation regime should reduce data breaches at unsecure franchise locations. At least, that is the plan. Also interesting is that in taking this step Visa has weighed in on the systems considered to be in scope for corporate franchisors’ PCI compliance, even if they never store, process or transmit any cardholder information.

One has to ask, though, whether it is possible that Visa’s effort might have the unintended and clearly undesired consequence of actually reducing franchisee security—at least in some situations. That might happen if corporate franchisors segment their networks in an effort to bypass the new program and its increased costs. The decisions corporate franchisors make in the coming months could determine the ultimate effectiveness of Visa’s well-intentioned effort to reduce data compromises and increase PCI compliance among franchise locations.

Visa shared its plans at a meeting with corporate franchisors in June, reported on by my fellow StorefrontBacktalk columnist, Todd Michaud. Visa looked at the increasing number of cardholder data breaches at franchise locations. Based on its analysis of franchisee data security, Visa found that many breaches can be traced back to the corporate franchisor’s own environment.

In some cases the compromises may not have originated there, but they spread through franchisor-hosted networks to other franchisee locations. In response to this threat, Visa is expanding its Third-Party Agent Program—”effective immediately”—to include a new category for Corporate Franchise Servicers (CFS). A danger is that corporate franchisors will instead pull back their franchisee support, leaving those franchisees more vulnerable than ever.

Corporate franchisors will need to register with their acquirer (and Visa) as a CFS if they do any of the following: provide card processing services to franchisees; operate a centralized network that is in PCI scope (i.e., stores, processes or transmits cardholder data); or simply control the environment franchisees use for card payments.

In its bulletin (dated June 16, but just posted on its Web site) Visa specifically includes any centralized or hosted network environment, “irrespective of whether Visa cardholder data is being stored, transmitted or processed through it.” This means inventory control or restaurant menu distribution networks (both mentioned as examples) now fall under the scope of PCI DSS. Not only are these networks in scope, but the corporate franchisor now needs an outside assessment of its PCI compliance regardless of its merchant level.

This scope issue is worth discussing. With this announcement, Visa is saying that even though a corporate franchisor network may not be in a franchisee’s cardholder data environment, that network can be in scope for PCI either because it connects to the franchisee’s network or because it provides security or other services to that network. For example, a centralized inventory control, vehicle tracking, reporting, ordering, menu distribution or reservations network now can be included in the corporate franchisor’s PCI scope.