My friend Walter Conway has a great article posted on StoreFrontBackTalk.com regarding this “wonderful” new program and category of third parties for franchise operations where the franchisees’ computer systems are tied to the franchiser’s computer systems. Visa thinks that regardless of whether cardholder data flows back to the franchiser’s systems, if these systems and networks are connected and there is no segmentation of the cardholder data environment, then the franchiser needs to register as a Corporate Franchise Servicer with Visa. This change will likely create a real mess for a lot of franchise operators, particularly hoteliers and certain fast food chains.
UPDATE: We had a number of inquiries regarding this program and had to pose questions to Visa for clarification. The first question posed was in regard to Web sites that just pass through cardholder data for reservations and the like. We have always included those sites as part of an organization’s PCI assessment since they transmit cardholder data. Therefore, they were not like the systems in the fast food industry, where no cardholder data was processed, stored or transmitted and which were therefore not assessed as part of any PCI assessment. Visa acknowledged that these sorts of Web sites will require organizations to register in their Corporate Franchise Servicer program. Visa also acknowledged that in order for an organization to register for the Corporate Franchise Servicer program, the organization must file a Report On Compliance (ROC) with their application.