Hopefully, you've heard that the Payment Card Industry Data Security Standard (PCI DSS) has changed... again. In November 2013, the PCI Council released PCI DSS version 3.0 and set the compliance deadline for January 2015. With only a few busy months remaining, many businesses (including franchisees) aren't even close to compliance with the new standard.
Why change the standard? New technologies often improve business efficiency, but they aren't immune to the weaknesses that attackers consistently find and exploit. New security regulations like PCI 3.0 are released to protect those technologies against recent hacking trends.
In my opinion, Requirement 4.1 is the biggest PCI 3.0 change for franchisees. Many franchises and chains use satellite communications to connect locations. According to the newest version, it's no longer acceptable to rely on the link provider's system security. Instead, it's your responsibility to encrypt satellite communications containing cardholder data so it remains secure.
If your franchisor hasn't already asked you to begin implementing PCI 3.0 changes, they (or your bank) probably will soon. Here are three themes I've seen while reviewing additions to the newest PCI standard.
Security clearances aren't only for high-tech companies and weapons manufacturers. For example, restricting access to the administrative portions of POS systems or hotel management applications can lower the chance of malware entering a system. PCI 3.0 digs deep into employee restrictions to safeguard access to customer data with a handful of new requirements.
From my security experience, many breaches are caused in part by a lack of process review. Errors arising from ignorance, poor planning, inattention, or bad timing can easily creep in and lead to security decay. The PCI Council clearly considered double-checking software, processes, and devices an important part of a secure business environment.
Documentation is a four-letter word to most franchisees. Who wants to devote precious resources to documentation? Well, the upsides are significant. Documentation is the failsafe that keeps your hands clean, keeps your company transparent, and keeps your security efforts organized. That's probably why PCI version 3.0 has so many new requirements about documentation.
Even though I didn't go over every change from PCI 2.0 to PCI 3.0, I hope you can take what you've learned and begin applying it to your security processes today. Start examining your physical devices for tampering, begin your inventory of wireless access points, and institute company-wide role-based employee access. I promise you'll be more secure, not to mention closer to compliance by the approaching deadline.