United States

PCI compliance diligence is a must for franchisors and franchisees

How to ensure franchisees are providing proper PCI security


Organizations that store, process, transmit credit card data or impact the security of cardholder data, must comply with the Payment Card Industry (PCI) Data Security Standards; such compliance should be evaluated on, at least, an annual basis. That is the standard, yet some franchisors may be at risk if franchisees have a loose adherence to PCI provisions or poor security controls in their storefronts and businesses. Recent news of franchise breaches which occurred via a franchisee point-of-sale terminal, are cautionary tales of how substandard PCI compliance and lacking cybersecurity measures can expose an entire enterprise. The cost to resolve such a breach can be in the tens of millions and significantly impact brand reputation for years to come. Unfortunately, customers do not differentiate between franchisor or franchisee fault when a data breach occurs. They remember the brand name and attach that mistrust to that brand’s overall reputation.

Summary of compliance options

So what should franchises do to ensure franchisees are providing proper PCI security in their stores, restaurants and other businesses? Some card brands and financial services organizations are leading the compliance charge by providing their franchisor merchants a summary of compliance set of options to help periodically validate franchisee PCI-related equipment, process and systems. This offering can reveal vulnerabilities, improve data security awareness and includes options such as leveraging a security portal, which can capture PCI transactions and compliance at the time of submission. Other options include using an outside Qualified Security Assessor to verify compliance and controls, or deploying various franchise-guided templates that report franchisee PCI activity.

The takeaway from this is franchises must be diligent in their franchisee PCI compliance management, otherwise run risk of a breach in the not too distant future that affects the entire organization.

Is your PCI program at risk?

Consider the following questions to initially assess your current PCI compliance efforts and that of partner franchisees. Your answers may reveal vulnerabilities and areas of improvement.

  • Do you require the use of approved point of sale equipment for franchisees to use?
  • Do you know if your franchisees have a process to identify and mitigate vulnerabilities?
  • Do you know if your franchisees are protecting your brand?
  • Do you receive attestations of compliance from your franchisees?
  • Do you review the risks associated with how franchisees manage data beyond that which PCI governs?
  • Do you have a program to manage the risks of franchisees?

Complete a rapid assessment to further understand your areas of PCI compliance improvement. In addition, learn more about risk management efforts and contact us for additional insights and assistance.

you may also be interested in

Prevent, detect, correct: Your restaurant’s cyberthreat strategy

Prevent, detect, correct: Your restaurant’s cyberthreat strategy

Learn about common cyberattack methods in the restaurant industry and key steps to take to combat these ongoing threats.

E-Commerce is key to your retail strategy

E-Commerce is key to your retail strategy

Make time for testing and risk assessment to secure and protect enterprise and consumer data across platforms.


Consumer Products Insights

( * = Required fields)


Consumer Products Insights
News, trends and insights for the consumer products industry.

Events and Webcasts

Case Studies