There was a post recently on the SPSP Forum regarding the lack of information on franchise operations and PCI compliance. Since I have been searching for a topic to write on, I thought I would take up this one.
The PCI DSS has only one reference to franchises and that is on page 7. The reference on page 7 is only in regards to sampling. During our first year of QSA training, we were told that PCI compliance in a franchise environment is controlled by the operational relationship between the franchiser (the organization that licenses the concept) and the franchisee (the organization that executes the retail concept). Franchisees typically maintain their own merchant accounts and have their own contracts with an acquiring bank. For PCI compliance purposes, most franchisees are independent from their franchiser and therefore, the franchisee is responsible for their PCI compliance and any document filing.
At their simplest, franchisees use “knuckle busters” (manual card imprinters) and stand-alone terminals. In these instances, the franchisee can fill out and file a self-assessment questionnaire (SAQ) B. Other franchisees, such as those in the fast food industry, have purchased un-customized integrated point of sale (POS) systems with a network at the restaurant. These sorts of installations typically meet the requirements for SAQ C.
However, thanks to technology and integration, the PCI compliance boundaries of the franchiser and franchisee can blur. The best example of technology creating a PCI compliance nightmare for a franchiser is Speedpass from Exxon/Mobil. Speedpass is a great customer convenience and probably one of the more innovative uses of RFID technology. The customer registers one or more credit cards at the Exxon/Mobil Web site and is mailed a Speedpass RFID fob. At the service station, the customer merely waves the Speedpass fob in proximity to the Speedpass logo on the gas pump; the customer is validated and pays without a physical card ever being presented. From a PCI compliance perspective, this sounds like a very secure approach, and it is. However, because of Speedpass, franchised operations have to send their Speedpass transactions through Exxon/Mobil’s central data center. That data center is where the Speedpass RFID serial number is translated to the credit card number that the Speedpass customer entered into the Exxon/Mobil Web site. That credit card number is then used with the franchisee’s merchant number to process the transaction. As a result, Exxon/Mobil is on the hook not only for its own PCI compliance, but also for that of all of its franchisees that accept Speedpass. The lesson of Exxon/Mobil is that if the franchiser requires franchisees to process their transactions through the franchiser’s data center, then the franchiser is responsible for everyone’s PCI compliance. The franchiser is also responsible for the monitoring and compliance of all franchisees.
Then you have the franchises that integrate sales and inventory management with corporate to ensure accurate ordering of material and to get daily sales figures. No cardholder data is ever involved. Most of these older solutions transfer their data at the end of day via FTP or some other batch data transfer method. These sorts of solutions keep the franchisee and franchiser separated, so PCI compliance is straightforward. In these instances, the franchisee just treats the franchiser as a service provider and files their own PCI compliance documentation.
However, in this age of total integration, newer solutions fully integrate the front of the business to the back of the business all to a central data center, regardless of the legal relationship between the parties. The franchiser is typically not accessing individual sales transactions, they just want to know how many of each item has been sold and they want visibility into a store’s inventory data in real time. This integration is also key to many franchise e-Commerce operations such as online ordering with in-store delivery, reservations and other customer friendly functions. All of this integration means that the franchiser’s systems are then passing cardholder data (CHD) to the franchisee and possibly sending CHD the other way as well.
To add insult to injury, the franchiser, under the guise of making all of this technology easy to operate for the franchisee, provides help desk and IT operations management to the franchisee. Where this all goes wrong is that now the franchiser’s IT personnel have access to the franchisee’s networks and computer systems and, possibly, CHD. Regardless of whether or not CHD is involved, the franchiser has remote access to the franchisees’ systems, which means that the two parties must rely on each other for PCI compliance: the franchisee’s in-scope environment now includes the franchiser’s remote access and support processes.
In the end, PCI compliance in a franchise environment all depends on the responsibilities of each party. If they are truly separate, then there are no compliance conflicts between the parties. However, when the franchiser begins providing PCI in-scope related services and/or technology solutions to their franchisees, then the franchisee relies on the franchiser for their PCI compliance and the franchiser is on the hook for that compliance.
UPDATE: Visa has introduced a new category of third party service providers called Corporate Franchise Servicers. See this post regarding this program.