An overwhelming number of franchisees are perplexed about network security ownership and responsibility, especially when it comes time to pay for a data compromise. Many incorrectly assume the franchisor or a franchisee-appointed third-party IT company manages all aspects of their security, including adherence to Payment Card Industry (PCI) compliance. Generally speaking, this confusion stems from unclear delegation of security obligations between franchisors and franchisees. This leads franchisees to make assumptions about who is ultimately responsible for ensuring their PCI compliance is fulfilled, and who is liable in the event of a breach.
As a franchisor or franchisee, ask yourself the following 10 questions. You may not know the answer to each one, but it's important to identify who is responsible for it. Remember, in nearly all cases, the franchisee is the liable party if a data compromise occurs.
This list is merely a sample of all the PCI requirements your franchise must comply with. The easiest way to discover who should manage specific security aspects is to download the PCI Self-Assessment Questionnaire D (SAQ-D) from the PCI SSC website (www.pcisecuritystandards.org/security_standards/documents.php). Then assign each of the 288 self-assessment items to the party you believe should be responsible for addressing that requirement (IT group, franchisor, hotel management group, yourself). Once the list is complete, verify each assigned responsibility with the relevant party and ensure they fulfill that requirement by formally defining responsibilities in a written document. If you are breached because of third-party negligence, you can use these records to recoup any losses you sustain.
Most franchises don't consider how third parties such as booking agencies, POS vendors, and management groups could be exploited by criminals and expose customer data. It's in your best interest to enlist the assistance of an independent organization whose core competency is security, such as a Qualified Security Assessor (QSA), to help you understand who should address each security requirement. Let them help you ask the right questions to see which PCI requirements have yet to be met at your business.
Gary Glover is QSA director for SecurityMetrics. To learn more about your security responsibilities as a franchisor, franchisee, third party, or business owner, please call 801-705-5656 or email firstname.lastname@example.org.