Case Study: Keeping Customer Data Safe at Two Men and a Truck
Franchises are one of the most lucrative hacking targets with dozens of breaches reported in the past several years. The pattern in all of these cases is similar: hackers infiltrated the franchisee's POS system and found clear-text (unencrypted) credit card data, which they then resold on the black market or used to make their own illicit purchases.
Last year, Two Men and a Truck (TMT) was seeking a solution to protect their customers' credit card information. "We wanted to implement effective measures that were easy for the franchise to use but also easy for us to deploy - and that had high benefits for our customers," said Jake Gaitan, IT Director for the brand.
Specifically, TMT needed a payment security solution - but owing to the nature of its mobile business (a challenge shared by any mobile service brand), they also wanted the flexibility of mobile processing. TMT considered several P2PE (peer-to-peer encryption) providers before selecting Bluefin Payment Systems to provide its franchises with mobile and office payment processing.
Before TMT implemented Bluefin's P2PE solution, drivers would call in credit card transactions to the main office, where a staff member manually entered the information to run the transaction. Because the card was not present, the locations were being charged higher transaction fees. (TMT estimates that savings from reduced fees since last fall have already saved corporate $18,000 to $20,000.)
Bluefin's PCI-validated P2PE solution is designed to secure credit card data by encrypting it at a PCI-approved P2PE payment terminal. Encrypting data within the device prevents cardholder data from reaching the franchise's system or network, where it could be exposed in the event of a data breach.
The solution, introduced at TMT's annual meeting last fall, currently has 77 franchises signed up (about 20% of its 350 franchisees worldwide), with more than 580 mobile devices deployed.
One of the first TMT franchises to adopt the new security solution was the Grand Rapids, Evansville, and Bloomington locations, run by Rob Felcher, president of TMT Evansville, and Dan Pettit, franchisee. Their drivers, as described above, would call in credit card information during business hours to process over the phone, or jot down the credit card number on the sales order and then input the information when they got into the office - which required them to shred each sales order and the sensitive card information.
"We realized that how we were taking cards could be opening us up to all the risks of having a breach, even internally," said Felcher. "What attracted us to the solution was not only the flexibility of deploying a secure mobile device with our drivers, but also the significant reduction in PCI scope that our locations would see."
In addition to the simple setup, the Grand Rapids and Evansville TMT locations have already completed the SAQ P2PE-HW questionnaire, which took "15 minutes total," said Felcher. Franchises that implement Bluefin's PCI-validated P2PE solution throughout their POS environment are eligible for the 33-question SAQ P2PE-HW - a significant reduction from the 329-question SAQ D.
The solution was deployed about 5 months ago across their three territories with 26 EMV-certified Nomad 2.0 Bluetooth mobile devices and 7 SREDKey card keypad and swipe terminals from ID Tech to accept secure payments over the phone or in the office. And, like TMT corporate, the franchisees have already saved a significant amount in processing fees and expect to save further from the decreased PCI requirements.
"One of the exciting things about TMT is the support from the family and the C-level on technology initiatives," said TMT's Gaitan. "We were pretty much able to do what we needed to do to get a PCI-validated P2PE solution in the hands of our franchisees that would not only provide greater security but bring a tremendous cost benefit to our locations."
For a deeper dive into keeping your network and customer data safe, see our feature article on cybersecurity in Franchise Update magazine (page 40).
Share this Feature
Comments:comments powered by Disqus
- Multi-Unit Franchising
- Get Started in Franchising
- Open New Units
A targeted, quarterly magazine that takes CEO's, VPs and Sales Executives to the cutting edge of franchise development.