For the franchisor, he says, the challenge is how to make sure its franchisees know how important this is to the brand. "They know they need to protect the brand. How to do that is a different story," he says. "PCI is not enough — people will do only what they need to do."
His advice to franchisors? "You should not go at this alone. There are a lot of third-party providers like us you can work with for a fixed monthly fee," he says. Besides the cost of hiring and hardware involved in doing it in-house, there's also the burden of maintenance and around-the-clock monitoring.
Franchisors and franchisees, he says, should be particularly receptive to the idea of standardization in the context of security. If you take the same approach to your security as you do to your operations manual, store design, uniforms, and food, he says, it should be a no-brainer to understand why this is so important to the brand as a whole.
Best practices for system-wide security, he says, should see every site have its firewall set up by the same company, its computers all a certain brand, etc. Also, he adds, it's extremely efficient to run standardized operations — and if things go wrong, this makes it easier for auditors or forensic investigators.
Even doing all these things and more is no guarantee. "Does this mean I can't be hacked?" he says. "No, unfortunately. Anyone can be hacked."
Another important tip: grill your vendor about their security practices. "Vendors can be really good at installation, but don't know a thing about security," he says, and will leave a back door open, or leave the password as "admin" when they're done. "That's how the majority of breaches happen."
He offers three tips for franchisors:
1) Inventory. This is a PCI requirement: take an inventory of wireless access points, computers, USB sticks in a POS you didn't put there, etc.
2) Antivirus software. This should be updated daily, he says. All it takes is to set it to check automatically. "This is a very important core security feature, especially for Windows," he says. Christly, who in a former life was a computer forensic investigator, says he saw a lot of expired antivirus software.
3) Patch management must be kept up to date. Apple and Microsoft come out with updates all the time, but that doesn't mean people install them. "A lot of hacking that has gone on is because people don't do this," he says.
[Photo: John Christly]
Then, again, there's the people factor. "I can't make people take 15 minutes to watch a video or pay them to do it at home," is something he hears way too often. If you don't require and enforce education, he says, "You're asking for trouble and should not be surprised when it happens."
Another tip: give each employee their own ID to access your system. Otherwise, if an event occurs you can't tell who was involved.
Securing credit card data
"In my experience, franchisors have different models in how they push out technology to their franchisees," says Robert Martin, vice president of security solutions at Ingenico Group, a Paris-based company that supplies technology for secure electronic transactions. In the past, some would require their franchisees to accept credit cards but not specify how. Others would say, "This is the technology package you must use, and you must order it from us."
Martin says the latter model is the one that should be pursued. The benefit of taking away some of the choice and flexibility, he says, is that it protects the brand — which is the job of the franchisor. When a breach happens, he says, "It's the franchisor's brand. Nobody cares who the franchisee is."
What's important in protecting the credit card data is removing the points of attack, says Martin. In the 2013 Target breach, which affected roughly 40 million cardholders and resulted in a $39 million settlement, criminals installed memory scrapers at the point of sale to steal credit card data.
The way to prevent that, says Martin, is to make it so there is no credit card data flowing "in the clear" (unencrypted). "What's important for franchisors is that they require a system that encrypts at the point of the card, at the terminal." That terminal, he says, should meet the high-level security standards that have been put out for the industry, specifically PCI PTS (Point of Sale PIN Transaction Security Standard).
[Photo: Robert Martin]
The key to securing customer credit card data with this system is that the decryption keys are in a remote location — which is the only place the data can be decrypted. In the past, he says, merchants would decrypt at the back of the store before sending the card data to a processor. "But the merchant location is still part of the attack surface," he says.
In the discussion about PCI compliance, says Martin, it's common for a very important distinction to be lost. "Compliance is something you do for the audits. Security is something you do to protect your brand, your franchisees, and your customers."
Another reason to do the encryption at the terminal is that the security configurations of the terminals are controlled remotely, so franchisees can't change them. And the gold standard for encryption is a PCI Point-to-Point Encryption (P2PE) solution.
And there's a benefit that franchisees have to love: compliance becomes significantly easier. Instead of having to answer several hundred "questions of joy" on the PCI SAQ, franchisees are faced with just a few dozen.
Then there's the question of securing stored cardholder data. Storing it allows customers the convenience of quick and easy ordering. Think Pizza Hut, for example, which even stores customers' favorite pies, saving time on both ends of the transaction. That data, explains Martin, is protected through "tokenization." Rather than encrypting the data each time before sending it, a customer's purchasing data is stored remotely at a "token vault" behind layers of security.
An order made through a mobile device, for instance, results in a token being sent to the high-security system where the data is stored. And there is only that one point where "detokenization" occurs before the data is sent to a payment card processor. Voilà, a secure pizza delivered to your door! "For a franchisor that does mobile ordering, having a tokenization system as part of their mobile strategy is a very good answer for protecting the cardholder data," says Martin.
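The tokenization flow Martin describes can be sketched in a few dozen lines. The Python below is an added illustration written for this article, not code from Ingenico or from any real token vault: the merchant or mobile-ordering side keeps only an opaque token and the last four digits, the full card number lives solely inside the vault, and detokenization is permitted at exactly one point, a hypothetical "payment-gateway" role that forwards the number to the processor. The `tok_` prefix, the role name and the customer record shape are constructed assumptions, and 4111 1111 1111 1111 is a constructed sample number that passes the Luhn check.

```python
"""Toy token vault: the merchant stores tokens, the vault alone maps them back."""
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check so obviously malformed numbers never enter the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that can map a token back to a card number (PAN)."""

    AUTHORIZED_CALLER = "payment-gateway"  # hypothetical role allowed to detokenize

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_index = {}
        # A keyed hash index lets the same card map to the same token without
        # keeping a lookup table keyed by the raw PAN.
        self._index_key = secrets.token_bytes(32)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a plausible card number")
        idx = self._index(pan)
        existing = self._token_by_index.get(idx)
        if existing is not None:
            return existing
        # Random token with no mathematical relation to the PAN: a copy of the
        # merchant database reveals nothing about the cards behind the tokens.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Single detokenization point; every other caller is refused."""
        if caller != self.AUTHORIZED_CALLER:
            raise PermissionError(f"{caller!r} may not detokenize")
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise LookupError("unknown token") from None


def store_customer_profile(vault: TokenVault, customer: str, pan: str) -> dict:
    """Merchant side: keep the token and a display hint, never the PAN."""
    return {"customer": customer, "token": vault.tokenize(pan), "last4": pan[-4:]}


def submit_order(vault: TokenVault, profile: dict, amount_cents: int) -> dict:
    """Mobile order reaching the gateway: the one place the PAN reappears."""
    pan = vault.detokenize(profile["token"], caller=TokenVault.AUTHORIZED_CALLER)
    # Constructed shape of what is forwarded to the payment processor.
    return {"pan": pan, "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    profile = store_customer_profile(vault, "alice", "4111111111111111")  # sample number
    print(profile)               # token and last4 only
    print(submit_order(vault, profile, 1899))
```

The point of the design is visible in `store_customer_profile`: what the ordering system persists is useless on its own, and the PAN is reconstructed only inside `submit_order` through the one authorized caller. A production vault would additionally sit behind network segmentation and audited access control, which a toy in-memory dictionary does not show.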
Franchiseupdate, Issue II, 2017 (page 42)