When It Comes To PCI Compliance, Franchisors Are Screwed
Written by Todd L. MichaudDecember 16th, 2009
When it comes to franchise-based retailers, Franchisee Columnist Todd Michaud opines, PCI Compliance is broken, plain and simple. It simply does not address the complexities of the franchisee/franchisor business model and, in the end, leaves the franchisor holding the bag. Because each franchisee is a separate merchant, most large franchise organizations are only required to meet PCI Level 4 requirements. Chains are forced to make tough decisions about how much risk they are willing to accept and what they are willing (or not willing) to do to protect their brand integrity.
It boggles his mind that millions of dollars are spent each year to “secure” database lookup (authorization) and database write (settlement) transactions. Tokenization and encryption should have been required years ago. Although not all techies agree that this approach is best, I think we all agree that it is much better than nothing. But too many companies--my firm included--are going to have to spend too much money to implement such daydream adventures, so we keep living with a broken system. Unfortunately, this broken system has left franchisors with no “good” options.
This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.
Already a Subscriber? Login Here
Pages: 1 2
2 Comments | Read When It Comes To PCI Compliance, Franchisors Are Screwed
Leave a Reply
Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk.com? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk.com? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
-Christine
December 17th, 2009 at 10:55 am
What a complicated situation. We provide our independent dealers with a POS system that is integrated with credit card processing back to FD through dedicated circuit. The router in the stores are on different connection types and connect back to the system through VPN. These dealers are completely uninformed about PCI and are looking to us to make the issue go away. The temptation (and even the suggestion by a FD customer service person) is to just answer “yes” to the online self assessment on questions that you aren’t sure of the answer. All these retailers are level 3 or 4 and wouldn’t need an onsite audit, but they don’t even understand what the issue is.
Those clunky old hyperterminals on dialup look a little more attractive these days :/
December 18th, 2009 at 12:12 pm
It’s a really good point. There’s so much involved with compliance. Just because the PoS software is PA-DSS, doesn’t mean the entire hardware solution is. Just because the physical devices are, doesn’t mean the user is using ‘best practices’ and eating the PCI dogfood.
Obviously, no one really wants to take responsibility, and it usually falls on the person who has the least to lose, but also is the least capable of achieving proper implementation.