This is page 3 of:
Post-PCI: Visa Experiments With More Secure Card Strategies
Another impact of the franchisee factor, Weick said, is pure ROI. In the U.S., he said, the typical McDonald's brings in about $2.1 million to $2.2 million in revenue per store. “So any solution that I come up with needs to fit within a P&L that starts with a $2.1 million or $2.2 million revenue line. If I come up with something that is way out of line, I have the franchisees who are there to tell me and to describe for me the economics of their business and whether or not it fits,” Weick said.
He said that he also needs to be especially sensitive to even slight slowdowns in the checkout process, adding that other retailers are likely going to be somewhat more tolerant.
As part of a general discussion of PCI ROI, Fifth Third’s Roeber said that his firm has tried to be more flexible in PCI rulings, with an eye on minimizing material risk as opposed to trying to unrealistically avoid all risk. He cited an example of a retailer who was being assessed about a year ago.
“Say they lost power or lost connectivity at one particular store. Their terminals would go into a store-and-forward mode, holding onto this data until a connection could be made again. During this period, these transactions were being stored in the clear. That’s a problem. That’s not in compliance with the PCI data security standards,” Roeber said. “The assessor was really taking a hard line, saying that you have got to upgrade every one of your terminals in your entire environment to a terminal that will encrypt this data.” That’s when Roeber said he got involved. “If Store A loses connectivity, no one can connect to that terminal because it’s not connected to the Internet. Once it does connect, it will immediately be shipped on out for authorization. So I thought, ‘the only risk here is that you might have a store employee that recognizes this particular risk and figures out a way to extract data off that terminal.’ You’re really talking 40 or 50 transactions at the max. I thought, ‘That’s a pretty small risk. That risk was not material.’”