Franchise Update Media

Time To Own Up

Who is really responsible for network security?

An overwhelming number of franchisees are perplexed about network ownership and responsibility, especially when it comes time to pay for a data compromise. Many incorrectly assume the franchisor or a franchisee-appointed third-party IT company manages all aspects of their network, including adherence to Payment Card Industry (PCI) compliance. Generally speaking, this confusion stems from unclear delegation of security obligations between franchisors and franchisees. This leads franchisees to make assumptions about who is ultimately responsible for ensuring their PCI compliance is fulfilled, and who is liable in the event of a breach.

  • Who is responsible for your security? In every arrangement but one, the franchisee is wholly responsible and liable for its own security. Franchisor-controlled scenarios are the outliers: in these situations the franchisor completely regulates and monitors each franchisee payment network from a single corporate location, and typically delivers, sets up, and supports all franchisee systems. In every other situation, the franchisee is responsible. Even if a franchisee outsources its security systems to management or IT companies, the franchisee is 100 percent responsible, especially for the actions of its employees who handle patron credit cards.
  • Franchises on hackers' "most wanted" lists. Our forensic investigations find that hackers choose to attack franchise-operated hotels, restaurants, and other locations because many do not understand how to protect their business network. PCI Data Security Standards (DSS) are payment card industry regulations required of any business or franchise that processes, stores, or transmits cardholder data. PCI DSS compliance helps franchisors and franchisees better protect their business from data breaches that may result in debilitating fines, damaging news stories, loss of customers, and revenue deterioration.
  • Security outsourcing: here be dragons. If a franchisee or a third party manages a POS system, it is wise to assume not all aspects of security are being handled correctly. Many franchisees rely heavily on third parties to complete security requirements, but many IT companies, POS vendors, and hosting providers don't know the extent of PCI compliance. In fact, about 30 percent of data breaches we investigate have been caused by a third party's insecure remote access. In defense of these hired organizations, IT companies offer most services that enable secure systems and compliance to PCI DSS standards. The problem is that many franchisees choose substandard security that doesn't include the security services and products that would help them meet PCI requirements and adequately secure their business.

Top 10 ways franchises are hacked

As a franchisor or franchisee, ask yourself the following 10 questions. You may not know the answer to each, but it's important to identify who is responsible for each. Remember, in nearly all cases, the franchisee is the liable party if a data compromise occurs.

  1. What type of firewall do you have? Does it restrict outbound and inbound traffic?
  2. Do you require complex alphanumeric passwords? Does each network user have a unique username?
  3. Is internal risk assessment performed on a regular basis (anti-virus, internal vulnerability scanning, internal penetration testing, file integrity monitoring, intrusion detection/prevention)?
  4. Is external risk assessment performed on a regular basis (vulnerability scanning, penetration testing, wireless rogue detection)?
  5. Do you store cardholder data? Is it encrypted?
  6. Do you employ third parties that process, handle, transmit, or store cardholder data?
  7. Is your payment server segmented from a public environment?
  8. Is your current payment application PA-DSS certified?
  9. What types of policies and security do your employees have?
  10. What are your systems for updating computer software?

This list is merely a sample of all PCI requirements your franchise is required to comply with. The easiest approach to discover who should manage specific security aspects is to download the PCI Self-Assessment Questionnaire D (SAQ-D) from the PCI SSC website (www.pcisecuritystandards.org/security_standards/documents.php). Then assign each of the 288 self-assessment items to the appropriate party you believe should be responsible for addressing each requirement (IT group, franchisor, hotel management group, yourself). Once the list is complete, verify each assigned responsibility with the suitable party and ensure they fulfill that requirement by formally defining responsibilities in a written document. If you are breached because of third-party negligence, you can use these records to recoup any losses you might sustain.

Get help

Most franchises don't consider how third parties such as booking agencies, POS vendors, and management groups could be exploited by criminals and expose customer data. It's in your best interest to enlist the assistance of an independent organization whose core competency is security, such as a Qualified Security Assessor (QSA), to help you understand who should address individual security requirements. Let them help you ask the right questions to see which PCI requirements have yet to be met at your business.

Gary Glover

Gary Glover is QSA director for SecurityMetrics. To learn more about your security responsibilities as a franchisor, franchisee, third party, or business owner, please call 801-705-5656 or email largeaccounts@securitymetrics.com.
