When It Comes To PCI Compliance, Franchisors Are Screwed

Franchisee Columnist Todd Michaud has spent the last 16 years trying to fight IT issues, with the last six years focused on franchisee IT issues. He is currently responsible for IT at Focus Brands (Cinnabon, Carvel, Schlotzsky’s and Moe’s Southwestern Grill).

When it comes to franchise-based retailers, PCI Compliance is broken, plain and simple. It simply does not address the complexities of the franchisee/franchisor business model and, in the end, leaves the franchisor holding the bag. Because each franchisee is a separate merchant, most large franchise organizations are only required to meet PCI Level 4 requirements. Chains are forced to make tough decisions about how much risk they are willing to accept and what they are willing (or not willing) to do to protect their brand integrity.

It boggles my mind that millions of dollars are spent each year to “secure” database lookup (authorization) and database write (settlement) transactions. Tokenization and encryption should have been required years ago. Although not all techies agree that this approach is best, I think we all agree that it is much better than nothing. But too many companies--my firm included--are going to have to spend too much money to implement such daydream adventures, so we keep living with a broken system. Unfortunately, this broken system has left franchisors with no “good” options.

Most franchise agreements contain terminology stating that franchisees are responsible for running their business in compliance with all local, state and national laws, regulations and industry standards. The agreement basically says that franchisors are not going to define what compliance means, but that we do require franchisees to be compliant. This approach places the burden on franchisees to understand what is required for their businesses and then to react appropriately.

When it comes to taxes, for example, these agreements mean that the franchisees should be asking an accountant for advice. When it comes to ADA compliance, it probably means franchisees working with their architect or their general contractor. But when it comes to PCI Compliance, who should be advising them on what to do?

Should they consult with their POS manufacturer? The POS service company/dealer? Their merchant processing bank? Their network provider? The brand? The biggest myth of PCI Compliance is that if your POS is compliant, then the merchant is compliant. The reality is that all of these organizations need to be involved to be successful. And yet that approach amounts to a lot of work, which is highly technical in nature, to be done by people who are not always skilled with technology.

To make matters worse, I am sure that as a result of the lawsuit filed against Radiant and its dealer, POS companies are going to clearly define--in contract terms--where their responsibilities start and end.

Many franchisees look to their brand to provide them with instructions or guidance. This proposition, however, is risky for the brand for three reasons:

  • The main reason the brand typically does not define compliance is because if they do, they are obligated to update that definition as all laws and regulations change, even at a city or county level. This approach requires a huge amount of work that is not easily scalable.
  • Second, and similarly, if the brand recommends or mandates technology approaches used in the PCI ecosystem, it is setting itself up to be liable should any of those systems fail. (“I purchased what the brand told me to purchase and I was breached. It is the brand's fault and I’m suing.”)
  • Third, even if the brand provides franchisees with technology approaches (either recommended or required), in my experience, the brand IT team is not typically set up to manage the coordination of an audit of all the vendors in the PCI ecosystem. An example would be if each location used the same POS payment system but various installation partners, broadband providers or merchant banks, then how would you manage an audit?

Now let’s look at each of these options. In the first approach, chains could decide to stick with the “you figure it out and make sure it’s right” mentality that is seen in most franchise agreements. With this method, the brand is putting its faith in the franchisees to be able to sort through the mess of PCI on their own (individually), determine the right approach and implement it. And if one single franchisee does not do this 100 percent and is breached, then the chain’s name makes the headline (not the single franchisee). This approach is obviously not one that most franchisors would like to take.

In the second option, the chain would require each franchisee (as part of their franchise agreement) to show proof that an audit has been completed for each location. But if each franchisee is a Level 4 Merchant, PCI Compliance does not require an audit. So there is bound to be a significant pushback from the franchisee on bearing the audit’s costs. Also, what happens if the brand wants to maintain a standard higher than PCI Compliance requires (for example: tokenization and/or end-to-end encryption)? What standard will the franchisee be audited against?

The third option would be to put together a comprehensive program that requires franchisees to implement various brand standards. This approach would include technology standards for which hardware and software is used, how it is installed and how it is supported. It would include process standards for how the technology is to be used and not used. It would also include communication standards for how to communicate as the result of various events. This option gives the brand far more control over protecting itself, but it takes on far greater legal liability as a result. Telling your board of directors that you have just assumed most of the legal responsibility for franchisees’ PCI Compliance is not exactly a wonderful conversation either.

The bottom line is that the people who are managing the PCI process (often CIOs, unfortunately) are left with the task of figuring out which set of problems they want to face, rather than which approaches meet the brand’s need. Their presentation to executive leadership or the board of directors is a “good news, bad news” story. Each approach carries its own set of risks and its own financial impact.

What do you think? Love it or hate it, I’d love to gain some additional perspectives. Leave a comment, or E-mail me at [email protected].