Visa Classifies Corporate Franchisors As Third-Party Agents

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Last week Visa officially brought corporate franchisors into the world of Level 1 merchant service providers by requiring them to register as Third-Party Agents, with all that that implies. At one level, the increased visibility, attention to PCI compliance and stricter validation regime should reduce data breaches at unsecure franchise locations. At least, that is the plan. Also interesting is that in taking this step Visa has weighed in on the systems considered to be in scope for corporate franchisors' PCI compliance, even if they never store, process or transmit any cardholder information.

One has to ask, though, whether it is possible that Visa's effort might have the unintended and clearly undesired consequence of actually reducing franchisee security—at least in some situations. That might happen if corporate franchisors segment their networks in an effort to bypass the new program and its increased costs. The decisions corporate franchisors make in the coming months could determine the ultimate effectiveness of Visa's well-intentioned effort to reduce data compromises and increase PCI compliance among franchise locations.

Visa shared its plans at a meeting with corporate franchisors in June, reported on by my fellow StorefrontBacktalk columnist, Todd Michaud. Visa looked at the increasing number of cardholder data breaches at franchise locations. Based on its analysis of franchisee data security, Visa found that many breaches can be traced back to the corporate franchisor's own environment.

In some cases the compromises may not have originated there, but they spread through franchisor-hosted networks to other franchisee locations. In response to this threat, Visa is expanding its Third-Party Agent Program—"effective immediately"—to include a new category for Corporate Franchise Servicers (CFS). A danger is that corporate franchisors will instead pull back their franchisee support, leaving those franchisees more vulnerable than ever.

Corporate franchisors will need to register with their acquirer (and Visa) as a CFS if they do any of the following: provide card processing services to franchisees; operate a centralized network that is in PCI scope (i.e., stores, processes or transmits cardholder data); or simply control the environment franchisees use for card payments.

In its bulletin (dated June 16, but just posted on its Web site) Visa specifically includes any centralized or hosted network environment, "irrespective of whether Visa cardholder data is being stored, transmitted or processed through it." This means inventory control or restaurant menu distribution networks (both mentioned as examples) now fall under the scope of PCI DSS. Not only are these networks in scope, but the corporate franchisor now needs an outside assessment of its PCI compliance regardless of its merchant level.

This scope issue is worth discussing. With this announcement, Visa is saying that even though a corporate franchisor network may not be in a franchisee's cardholder data environment, that network can be in scope for PCI either because it connects to the franchisee's network or because it provides security or other services to that network. For example, a centralized inventory control, vehicle tracking, reporting, ordering, menu distribution or reservations network now can be included in the corporate franchisor's PCI scope.I agree with Visa's conclusion from a security perspective. The program reflects the reality of how data compromises spread and reinforces the importance of effective segmentation. The PCI Council has a Special Interest Group (SIG) examining this whole issue of what is in and what is out of PCI scope. The Scoping SIG is finalizing its recommendations. (Full disclosure: I am a member of that SIG.) It is interesting that Visa's action to expand the Agent Registration program seems to get a jump on the Scoping SIG and make a distinction between the cardholder data environment (where cards are stored, processed or transmitted) and PCI scope (which can be wider).

Like I said, from a security perspective, I agree with Visa's position. From a business perspective, however, it means corporate franchisors in a variety of industries face significantly increased PCI scope and costs. CFS who are, say, Level 2 merchants based on the payment activity at their company-owned locations can say goodbye to Self-Assessment Questionnaires. They now are subject to the same validation requirements as a Level 1 merchant or service provider. Specifically, they have 90 days to contract with a Qualified Security Assessor (QSA) and 30 days to schedule their assessment. The QSA's Report on Compliance (ROC) is due to the sponsoring acquirer within the next 150 days.

Visa notes a possible exclusion for corporate franchisors in their bulletin. Done properly, the corporate franchisor "may" (Visa's emphasis) be excluded from the CFS Agent Registration program. This possibility is important, and it is not a loophole. It is an option that may be open to some corporate franchisors, while still requiring them to be PCI compliant. There is no guidance on what "may" means, but I'm sure we QSAs who work with franchisors will be working on this issue—taking into account current PCI Council guidance and the Scoping SIG, when the PCI Council issues its much-anticipated report.

Corporate Franchisors shouldn't necessarily assume they are subject to Visa's Agent Registration. Although I think that most corporate franchisors will be included, they should note one sentence in Visa's bulletin: "Corporate Franchise Servicers must validate PCI DSS compliance within 12 months of initial notification from Visa or their acquirer [emphasis provided] that they are required to be registered."

If you think you might get this "initial notification" or wonder if you will, I suggest you contact your acquirer right away. You may get the dreaded news that you are in the new program, but you may also find you are not. Either way, it is a prudent idea to find out early and not wait to be surprised.

Will the increased PCI compliance effort and cost cause some corporate franchisors to rethink their network and services strategy with their franchisees? Maybe. Facing the extra costs of validating compliance and the implicit liability for any cardholder data breach, could some corporate franchisors stop supporting their franchisees? Maybe. And the unfortunate outcome would be increased risk to the entire payment system, because franchisees with little PCI or security expertise would be left to select and install their own payment applications and network infrastructure.

I hope this won't happen. I hope instead corporate franchisors who are facing this choice will segment their centrally hosted systems in a PCI-compliant manner and make them compliant, continuing to support franchisees with the best services and advice available.

I haven't got all the answers, but I'd like to hear what you think of the CFS program. Are you a franchisee or franchisor? What do you think? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].