Franchisors generally select only those prospective franchisees who they believe will have the best chance of running successful operations.  Considerable investments are made to teach them to follow the franchisor’s successful business model.  Attention and resources are also devoted to protecting the corporate brand, which after all, is probably the company’s most valuable asset. 

It is important for franchisors to include policies for safeguarding payment card data when franchise agreements are created or renewed to preserve the integrity of the franchise brand. Incorporating the fundamentals of the Payment Card Industry Data Security Standards (PCI DSS) into franchise agreements provides franchisees with an extra incentive to comply, and thereby reduce their risk of a data compromise.

In addition to franchise agreements, franchisors should consider expanding their new and ongoing franchisee training programs to include data security awareness as part of their brand protection strategies.  Visa conducts webinars to highlight key data security trends in addition to more detailed security training seminars.  Franchisees should partner with their merchant-acquiring banks to identify upcoming training events and registration requirements.  Additionally, an array of data security and compliance information, including security alerts and bulletins highlighting compromise trends are available at www.visa.com/cisp.

An effective security training approach should include creating or refining standard operating procedures to include cardholder data security practices as well as an incident response plan.  These response plans should instruct franchisees on the steps required to report and contain a security breach or data compromise.  To ensure the plan addresses specific payment industry mandates such as, immediately notifying merchant-acquiring banks and Visa of the event, please visit www.visa.com/cisp and review Visa’s "What to do if Compromised" document.

It is critical that franchisors and franchisees use secure payment applications and do not use payment applications known to retain prohibited payment card data (specifically the full contents of the magnetic stripe, the three-digit security code and PIN numbers) or which have other inherent security weaknesses.  Often payment applications lead to the storage of prohibited data post-authorization without the merchant’s knowledge.  Hackers are intentionally targeting hotels and restaurants using these vulnerable payment applications in an attempt to steal sensitive account information. Franchisors can take action to make certain their franchisees do not use vulnerable POS applications by:

• Vetting their application against Visa’s list of validated payment applications at www.visa.com/cisp.
• Conferring with payment application vendors (or resellers/integrators) to ensure their software does not store prohibited data and ensure franchisor proprietary applications comply with the PCI DSS.
• Partnering with their merchant-acquiring bank to obtain a list of vulnerable payment applications.

To help mitigate the risk of network intrusions, franchisors should implement appropriate point-of-sale (POS) and network security guidelines as prescribed by the PCI DSS. Franchisors should consider implementing the following security practices:

• Franchisees must install and maintain a firewall at all times.  Disabling a firewall can put a business at heightened risk of Internet attacks and potential system compromise.
• Franchisees must enable firewall logging and maintain firewall logs for one year.  These audit trails assist with reconstructing system events, help identify suspicious network activity, and are instrumental in facilitating forensic investigations.
• Franchisees must implement strong access controls.  Access controls will help restrict inbound and outbound traffic on known ports to only traffic necessary for the cardholder data environment.

Another area worthy of attention is the use of remote management applications (RMAs).  The ease of use and ability to manage franchisee systems in multiple locations can serve as an integral part of a franchise business.  Many franchisors use corporate RMAs throughout their franchise community to disseminate business downloads, conduct sales polls or survey inventory.  In addition, select franchisees may establish their own remote management accounts and grant vendors remote access to facilitate the servicing of the POS system.

If improperly configured, however the RMA creates a potential vulnerability for hackers to exploit, leaving franchisees open for data compromise.  To secure remote access consider implementing the following:

• Change vendor-supplied default settings.  RMAs are often packaged from vendors with default or blank passwords (of which data thieves are generally well aware).  Creating unique user IDs and complex passwords (preferably unique to each franchise location) can reduce the risk of data compromise and help facilitate compliance with the PCI DSS. 
• Configure the RMA to allow connections only from known IP/MAC addresses or configure the system so remote users must establish a virtual private network (VPN) connection via a firewall before access is granted.
• Turn on the franchisee’s modem only when needed for downloads from the franchisor or payment application vendor and turn off immediately after downloads are complete.  Consult with the RMA vendor on secure configuration settings.

Protecting consumer information can be overwhelming for many organizations, but as criminals continue to target franchise businesses, your efforts to stop them must keep pace.  By implementing these key security practices, franchise businesses and their franchisees can together protect their brands and mitigate their risk of experiencing a security breach and data compromise.

Eduardo Perez, CFA, leads the Global Data Security Group within the Payment System Risk Department. He has responsibility for key teams including, U.S. Data Security, Global Third Party Agent Risk, Global Authentication Strategy and Emerging Risk, and Global Security Standards.