When it comes to PCI compliance for franchisors, Visa is completely out of touch with reality.
Well, perhaps not completely out of touch with reality. But based on a 9-hour Visa Franchisor Payment Systems Security Symposium on Wednesday (June 16), the brand is pretty darn close.
With high hopes, I spent Wednesday at the sessions. I was excited about the opportunity to finally have my voice heard about the specific struggles that franchisors face, in addition to learning how to better face these challenges. As it turns out, I was not given the opportunity to do either of these things. (Remind me next time to ask for a detailed agenda before I book a coast-to-coast flight.)
Instead, the morning was spent providing horror stories about how the sophisticated Russian organized crime syndicates responsible for the lion's share of breaches operate. The afternoon, meanwhile, was spent talking--indirectly--about what role tokenization and encryption may or may not play in the future of card data protection. Retailers representing more than 50,000 domestic locations were all in the same room, and not once were we asked our thoughts and opinions on the matter. What a wasted opportunity.
The entire payment industry is complicit in allowing Level 4 merchants to bury their heads in the sand and proclaim: "This information security mumbo-jumbo is too complicated for little ole me. How’s a poor sandwich maker supposed to know about stateful packet inspection firewalls?"
Too much money is on the line, with everyone getting a cut, to play hardball. The response should be: "If you want to keep processing credit cards, then you are going to have to learn all about it." With 92 percent of all reported breaches in the first quarter of 2010 affecting Level 4 merchants, you would think someone would take the hard line. Instead it appears the approach is to pull in franchisors in an attempt to offset the burden to them.Every franchisor organization I know is struggling with PCI compliance. There seems to be a universal debate over how involved a franchisor should be, and what legal liability an organization assumes as a result of that involvement. If the franchisor pushes off PCI responsibility ("Hey Mrs. Franchisee, PCI is your problem, not ours."), then it runs the risk of brand reputation/image issues as the result of a breach at a franchised location due to little or no information security. On the other hand, while getting more involved with PCI compliance may reduce the brand reputation/image risk, it increases the legal liability (“I implemented the system that you told me to. If I’m in trouble, then you are too.”).
Early in the day, one of the speakers (a third-party security vendor) strongly recommended franchisors take on the ownership of their franchisees' PCI compliance/information security. The argument was that franchisees simply do not have the knowledge and capabilities to do it on their own. Yet later in the afternoon, Visa announced it is creating a new category of service providers to cover franchisors that offer PCI-related services to their franchisees.
The brand wants to close the "loophole" it found, where franchisors were not obligated to report franchisee compliance but still provided info-sec packages to those franchisees (some of which were breached). Let me just say how excited I am about that prospect.
What kills me is that so many little changes should make such a big impact. And yet, as far as I can tell, no one is taking the time to look at any of those changes. Here are just a few items on my long wish list:
- Get rid of the confusing acronyms. PCI DSS and PA-DSS are too close and too confusing. Create "Certified Payment Solution" and "Certified Merchant" categories. Don’t allow people to claim they are PCI compliant when they are actually PA-DSS compliant. It may be easier for them, but it confuses the heck out of merchants.
- When something requires you to answer more than 200 questions that you do not know the answer to (or even know who to get the answer from), then you cannot call it a Self-Assessment questionnaire.
- Put the "Single Function Per Server" requirement in the SAQ C document. This is probably the biggest debate I have with my franchisees. You should not be using your POS server for anything other than POS/Payment applications. Because it does not appear on the SAQ C, most of my franchisees do not believe Single Function Per Server is a true requirement. Worse yet, some PCI vendors are supporting that notion.
- Too many times in Wednesday’s session, people talked about "Best Practices." It should be known that most franchisees will not spend money on what they "should" do. They will only spend money on what they "need" to do. If it is not on the "must do" list, it will likely not get done.
- Implement both incentive programs and fines for non-adoption. Encourage good information security behaviors rather than simply having companies target the minimum requirements (what the current system does).
- Ask the franchisor CIOs or PCI Compliance Leads for advice in addressing the issue. Each time I talk to one of my peers I learn something new and valuable. Why not leverage this vast experience? Don’t just talk to the large companies. Chat with the brands that have 50 to 500 stores, too. The big companies have larger IT staffs to help franchisees to work through issues. A 50-unit franchisor may only have a single help-desk person who supports corporate PCs. This organization has different needs than a Subway or Burger King.
What are your thoughts? I'd love to gain some additional perspectives. Leave a comment, or E-mail me at [email protected]. You can also follow me on Twitter: @todd_michaud.
And don't forget to follow my Ironman training progress at www.IronGeek.me.