Evan Schuman's StorefrontBacktalk

Franchisee Columnist Todd Michaud has spent the last 16 years trying to fight IT issues, with the last six years focused on franchisee IT issues. He is currently responsible for IT at Focus Brands (Cinnabon, Carvel, Schlotzsky’s and Moe’s Southwestern Grill).

When it comes to franchise-based retailers, PCI Compliance is broken, plain and simple. It simply does not address the complexities of the franchisee/franchisor business model and, in the end, leaves the franchisor holding the bag. Because each franchisee is a separate merchant, most large franchise organizations are only required to meet PCI Level 4 requirements. Chains are forced to make tough decisions about how much risk they are willing to accept and what they are willing (or not willing) to do to protect their brand integrity.

It boggles my mind that millions of dollars are spent each year to “secure” database lookup (authorization) and database write (settlement) transactions. Tokenization and encryption should have been required years ago. Although not all techies agree that this approach is best, I think we all agree that it is much better than nothing. But too many companies–my firm included–are going to have to spend too much money to implement such daydream adventures, so we keep living with a broken system. Unfortunately, this broken system has left franchisors with no “good” options.

Most franchise agreements contain terminology stating that franchisees are responsible for running their business in compliance with all local, state and national laws, regulations and industry standards. The agreement basically says that franchisors are not going to define what compliance means, but that we do require franchisees to be compliant. This approach places the burden on franchisees to understand what is required for their businesses and then to react appropriately.

When it comes to taxes, for example, these agreements mean that the franchisees should be asking an accountant for advice. When it comes to ADA compliance, it probably means franchisees working with their architect or their general contractor. But when it comes to PCI Compliance, who should be advising them on what to do?

Should they consult with their POS manufacturer? The POS service company/dealer? Their merchant processing bank? Their network provider? The brand? The biggest myth of PCI Compliance is that if your POS is compliant, then the merchant is compliant. The reality is that all of these organizations need to be involved to be successful. And yet that approach amounts to a lot of work, which is highly technical in nature, to be done by people who are not always skilled with technology.

To make matters worse, I am sure that as a result of the lawsuit filed against Radiant and its dealer, POS companies are going to clearly define–in contract terms–where their responsibilities start and end.

Many franchisees look to their brand to provide them with instructions or guidance. This proposition, however, is risky for the brand for three reasons:

• The main reason the brand typically does not define compliance is because if they do, they are obligated to update that definition as all laws and regulations change, even at a city or county level. This approach requires a huge amount of work that is not easily scalable.
• Second, and similarly, if the brand recommends or mandates technology approaches used in the PCI ecosystem, it is setting itself up to be liable should any of those systems fail. (“I purchased what the brand told me to purchase and I was breached. It is the brand’s fault and I’m suing.”)

  Pages: 1 2