
Protecting Customers and the Brand from Credit Card Data Losses

August 2007 Franchising World

Now is the time to implement a system-wide PCI program before there is an issue or damage to the brand.
By Tom Epstein, CFE

In the December 2006 issue of Franchising World, an article titled “PCI Compliance: Protecting Customers and the Franchise Brand” explored the Payment Card Industry Data Security Standard, the requirements set by the card associations (Visa/MC, American Express and Discover) and the risks of non-compliance. That article can be found at www.franchise.org and gives specific information on the requirements for securing and protecting your customers’ credit card information. As discussed there, these regulations are set by the card associations, but as this article goes to press, five states have legislation pending that, if passed, would make most of these regulations law in those states. This trend will continue to grow, and the regulations will continue to become tighter.

Presented here are practical applications that franchise companies and franchisees need to address to not only protect their customers’ credit card information against theft, but protect their businesses and the valuable brand name they have worked hard to establish in the marketplace.

Truncation
The Fair and Accurate Credit Transactions Act, passed by Congress in 2003, provides that “no person who accepts credit cards for the transaction of business shall print more than the last five digits of the card number or the expiration upon any receipt provided to the card holder at the point of sale or transaction.” The act gave a grace period to allow merchants and processors time to update their point-of-sale systems. The deadline for full compliance was Dec. 4, 2006. At this point, no merchant should still be handing out customer receipts that are not in compliance.
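As an added illustration (not from the article), here is a small Python check of the FACTA rule just quoted: it masks a card number for printing and audits constructed receipt lines for more than five visible digits or a printed expiration date. The Luhn check and the regular expressions are my own assumptions about how an audit would tell a card number from other digit runs; the 4111... number is a standard test value, not a real card.

```python
import re

# FACTA rule as quoted in the article: a receipt may show at most the last
# five digits of the card number and must not show the expiration date.
MAX_VISIBLE_DIGITS = 5

# 13-19 digits with optional space/dash separators, i.e. an unmasked PAN
_PAN_RE = re.compile(r"(?:\d[ -]?){12,18}\d")
# "EXP 12/09", "Expires: 03/2008" and similar
_EXP_RE = re.compile(r"\b(?:exp|expires)\b[^0-9]*\d{2}/\d{2,4}", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep: int = MAX_VISIBLE_DIGITS) -> str:
    """Mask a card number for printing: all but the last `keep` digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return "*" * (len(digits) - keep) + digits[-keep:]


def receipt_violations(line: str) -> list[str]:
    """List the FACTA problems found on one printed receipt line."""
    problems = []
    for m in _PAN_RE.finditer(line):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            problems.append("full card number printed")
            break
    # Masked forms like ****1234 are fine; count the digits after the mask.
    for m in re.finditer(r"[*xX]+\s?(\d+)", line):
        if len(m.group(1)) > MAX_VISIBLE_DIGITS:
            problems.append(f"{len(m.group(1))} digits visible (max {MAX_VISIBLE_DIGITS})")
    if _EXP_RE.search(line):
        problems.append("expiration date printed")
    return problems


if __name__ == "__main__":   # constructed sample receipt lines
    for line in ["VISA ************1111  TOTAL $12.50",
                 "VISA 4111 1111 1111 1111  EXP 12/09  TOTAL $12.50"]:
        print(line, "->", receipt_violations(line) or "compliant")
```

Running this over a sample of printed receipts from each location is one way to carry out the polling step described later in the article.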

When this act was implemented in 2003, card associations and processors embarked on a three-year campaign to get all merchants compliant. In fact, the processors were quite aggressive, as they saw this as an opportunity to increase revenue by getting merchants to upgrade their systems to become compliant. Having worked for the world’s largest credit-card processor at the time and having seen what was going on with this company, as well as with competitors, I did not think this was really going to be much of an issue four years later.

However, since the first of the year there have been more than 100 class-action suits filed on behalf of customers who have shopped at merchant locations where receipts are still not in compliance.  Many of these name not only franchisees, but franchise systems as well.

How could this have happened?
Unless your system requires specific POS terminals or stand-alone credit card terminals, the chances are very good that your company has a variety of different POS terminals in use today. Some of them could be old, non-compliant terminals that the franchisee chooses not to upgrade because of the cost involved. A company in the sandwich business would not let franchisees serve sandwiches made with inferior bread, as this would damage the brand. Franchise systems should look at this issue the same way, as it could have repercussions on their brands that are as serious or more so. In the cases currently pending, the defendants are looking at anywhere from $100 to $1,000 in damages per instance of alleged failure to comply with FACTA.

Restaurants seem to be the target of choice right now, but this will likely trickle down into other industry verticals very quickly.  FACTA is fairly vague on manually imprinted receipts.  Service industries such as carpet cleaners, plumbers and contractors either take a manual imprint of a card using the old standby “knuckle buster” machine or even scarier, just write the customer’s card number and expiration date down on an invoice and leave one copy with the customer and keep one in their service logs.

What can franchise companies do now?
First, poll all locations to find out the exact model number and software version the brand and your franchisees are using. As with everything else in franchising, consistency is the key. A franchise system should have one consistent POS terminal for the company and require franchisees to upgrade those terminals that are not compliant. Work with your POS and merchant service provider (they are often the same company) to come up with a plan to get all locations upgraded. Even in card-present environments, this can be an issue. When a card cannot be read by the swipe device and the number is key-entered, the merchant should take a manual imprint of the card as a precaution against chargebacks (the imprint proves that the card was present at the time of the sale). Most processors can provide these, but franchise systems will specifically have to ask for them.

What must the franchisee do?
All locations, regardless of the status of the above, must complete an annual PCI-DSS self-assessment questionnaire and retain it on file for review if needed.  Then, depending on the merchant level (see Chart) the franchise system falls into, it should also do the following:

•   Level 1 merchants should retain a qualified security assessor to complete the report on compliance, with results provided to the acquirer.  Alternatively, acquirers may elect to accept the report on compliance from a merchant’s internal auditor, provided that a letter signed by an executive-level officer of the merchant accompanies the report.
•   The Annual PCI Self-Assessment Questionnaire must be completed by Level 2, 3 and 4 merchants.  Level 4 merchants may need to complete the quarterly network scan if required by their acquirer.
•   Acquirers must ensure that the quarterly network security scan, which consists of an automated tool that checks systems for weaknesses, is completed by Level 1, 2 and 3 merchants and is also performed by a qualified and approved independent scan vendor.  The quarterly network security scan validation may also need to be completed for Level 4 merchants if required by their acquirer.

Most franchisees will fall into Level 4 and thus will only be required to do the self-assessment, unless they are using the Internet or an IP connection to transmit their transactions. In those cases they will also need to do the quarterly network scans.

PCI-DSS: What must the franchise company do?
At a minimum, the franchise company needs to review how it (if it owns corporate locations) and its franchisees are currently accepting credit cards.  If franchisees are required to use a specific POS hardware system or software, ask the vendor if it is compliant with PCI-DSS.  If a system is part of the service industry or has customers on recurring payments, make sure all locations are securing any documents that have customers’ credit card or bank account information and they are limiting access to those records.

If the franchise company does not require a standardized POS system or software, it is highly recommended that it consider doing so. Until standardization is complete, education is the best defense. Once a company has polled its franchisees and has a good handle on the various systems used in the brand, the merchant service provider should be able to identify the terminals or software applications that may be at risk; together they can reach out to those franchisees and educate them on the issue and the need to upgrade. Document your educational efforts and results while working toward full compliance.

It is also highly recommended that franchise organizations put into place a tracking program that monitors the participation of system franchisees in the self-assessment and quarterly-scan requirements.  Franchisees can report their efforts back to the franchise company for tracking or online tracking can be provided in real time from qualified vendors.

This might all sound very scary and expensive to administer, but consider the alternatives. Think of this as very inexpensive insurance against damages resulting from fines by the card associations or class actions by harmed customers. For most of a system’s franchisees, the self-assessments and quarterly scans can be done for between $100 and $150 annually per location. Now is the time to implement a system-wide PCI program before there is an issue or damage to the brand.

Tom Epstein, CFE, is CEO of Franchise Payments Network.  He can be reached at 866-420-4613 ext. 1103 or tomepstein@franchisepayments.net.


© 2010. International Franchise Association. All rights reserved. The IFA and INTERNATIONAL FRANCHISE ASSOCIATION marks and the IFA Logo are owned by International Franchise Association. Other marks are marks of their respective holders.