There was post recently on the SPSP Forum regarding the lack of information on franchise operations and PCI compliance. Since I have been searching for a topic to write on, I thought I would take up this topic.
The PCI DSS has only one reference to franchises and that is on page 7. The reference on page 7 is only in regards to sampling. During our first year of QSA training, we were told that PCI compliance in a franchise environment is controlled by the operational relationship between the franchiser (the organization that licenses the concept) and the franchisee (the organization that executes the retail concept). Franchisees typically maintain their own merchant accounts and have their own contracts with an acquiring bank. For PCI compliance purposes, most franchisees are independent from their franchiser and therefore, the franchisee is responsible for their PCI compliance and any document filing.
At their simplest, franchisees use “knuckle busters” and stand-alone terminals. In these instances, the franchisee can fill out and file a self-assessment questionnaire (SAQ) B. Other franchisees, such as those in the fast food industry have purchased un-customized integrated point of sale (POS) with a network at the restaurant. These sorts of installations typically meet the requirements for SAQ C.
However, thanks to technology and integration, the PCI compliance of the franchiser and franchisee can blur. The best example of technology creating a PCI compliance nightmare for a franchiser is Speedpass from Exxon/Mobil. Speedpass is a great customer convenience and probably one of the more innovative uses of RFID technology. The customer registers one or more credit cards at the Exxon/Mobil Web site and is mailed a Speedpass RFID fob. At the service station, the customer merely waves the Speedpass RFID in proximity to the Speedpass logo on the gas pump and they are validated and pay without a credit card ever being used. From a PCI compliance perspective, this sounds like a very secure approach and it is. However, because of Speedpass, franchised operations have to send their Speedpass transactions through Exxon/Mobil’s central data center. That data center is where the Speedpass RFID serial number is translated to a credit card number that the Speedpass customer entered into the Exxon/Mobil Web site. That credit card number is then used with the franchisee’s merchant number to process the transaction. As a result, Exxon/Mobil is on the hook for not only their own PCI compliance, but also all of their franchisees that accept Speedpass. The lesson of Exxon/Mobil is that if the franchiser requires franchisees to process their transactions through the franchiser’s data center, then the franchiser is responsible for everyone’s PCI compliance. The franchiser also is responsible for the monitoring and compliance of all franchisees.
Then you have the franchises that integrate sales and inventory management with corporate to ensure accurate ordering of material and to get daily sales figures. No cardholder data is ever involved. Most of these older solutions transfer their data at the end of day via FTP or some other batch data transfer method. These sorts of solutions keep the franchisee and franchiser separated, so PCI compliance is straightforward. In these instances, the franchisee just treats the franchiser as a service provider and files their own PCI compliance documentation.
However, in this age of total integration, newer solutions fully integrate the front of the business to the back of the business all to a central data center, regardless of the legal relationship between the parties. The franchiser is typically not accessing individual sales transactions, they just want to know how many of each item has been sold and they want visibility into a store’s inventory data in real time. This integration is also key to many franchise e-Commerce operations such as online ordering with in-store delivery, reservations and other customer friendly functions. All of this integration means that the franchiser’s systems are then passing cardholder data (CHD) to the franchisee and possibly sending CHD the other way as well.
To add insult to injury, the franchiser, under the guise of making all of this technology easy to operate for the franchisee, provides help desk and IT operations management to the franchisee. Where this all goes wrong is that now the franchiser’s IT personnel have access to the franchisee’s networks and computer systems and, possibly, CHD. Regardless of whether or not CHD is involved, the franchiser has remote access to the franchisees’ systems, which means that the two parties must rely on each other for PCI compliance.
In the end, PCI compliance in a franchise environment all depends on the responsibilities of each party. If they are truly separate, then there are no compliance conflicts between the parties. However, when the franchiser begins providing PCI in-scope related services and/or technology solutions to their franchisees, then the franchisee relies on the franchiser for their PCI compliance and the franchiser is on the hook for that compliance.
UPDATE: Visa has introduced a new category of third party service providers called Corporate Franchise Servicers. See this post regarding this program.
PCI Guru 
Here we are 9 years later and confusion still exists. Care to re-share your thoughts given the passage of time? Do you have the same perspective? What advice would you share with marketers and retailers who use branded services like a gas brand or restaurant brand. Is it ultimately whatever the contractual arrangements declare?
Nothing really has changed all that much. The key is to follow the SAD/CHD and determine who has access or could have access. The situations that typically get messed up are those where the franchiser is running and managing the IT environment on behalf of the franchisees. In those instances, the franchiser is a service provider to all of their franchisees. This is not only true in the fast food industry, but also the hospitality (i.e., hotel) industry.
In the fuel supply world, it is kind of turned upside down. Many retailers, and their suppliers have a franchise type of relationship, though not legally called this type.
Nearly every chevron or shell is privately owned, and not part of corporate chevron or shell, they have marketeters in between them that purchase contracts by volume, and supply them to retailers.
Most of the big oil companies have direct contracts with Visa, etc. directly, and the marketers and the retailers process directly with BIG OIL, not visa. PCI requirements are usually mentioned in big oils contracts with marketers, but not necessarily between marketers and retailers. This means the marketer may be on the hook for compliance with no revenue to off-set this cost, while big oil has passed its obligation to the marketer, the retailer can often be left without any obligations. Good for retailer, bad for the marketer. Stupidly, like lemmings chasing each other off a cliff, marketers have historically not negotiated strong enough contracts with big oil, and have given away the farm to retailers. So legally, in most cases, there is no re-course. Many will go out of business or be merged/acquired by larger marketers capapble of absorbing the hit. Its an unusual scenario.
Not 100% sure the legality of PCI to FORCE these requirements down on people, as they are NOT a government mandate, they are simply PCI wishes. But again, universally, all retailers and just about every class of trade has signed on to very bank friendly terms concerning credit cards. Its their rules, or you stop taking the card, no ifs, ands, or buts.
The legality of PCI comes from the contract (aka the merchant agreement) between the merchant and their acquiring bank. All merchant agreements were modified anywhere from three to five years ago to include language that states that the merchant is responsible for meeting all requirements to protect cardholder data that are promulgated by the card brands. Since the card brands have all endorsed the PCI SSC and the PCI standards, complying with the PCI DSS is implied in those merchant agreements.
Hi,
Good article !
I was looking for information on email encryption and storage. I am currently studying a infomation system with a franchiser that communicate a little part of the collected CC through email to their franchisees.
Beside the SSL used to secure the transmission, what about the client mail software (Outlook or thunderbird for example): since it stores the email even encrypted, since the key is in the software, it is not compliant to PCI DSS ?
Does it mean that email is not compatible with PCI DSS ?
To be continued ….