Franchise Update Magazine Issue II, 2017 - Page 44

CYBER SECURITY

3) Patch management must be kept up to date. Apple and Microsoft come out with updates all the time, but that doesn’t mean people install them. “A lot of hacking that has gone on is because people don’t do this,” he says.

Then, again, there’s the people factor. “I can’t make people take 15 minutes to watch a video or pay them to do it at home,” is something he hears way too often. If you don’t require and enforce education, he says, “You’re asking for trouble and should not be surprised when it happens.”

Another tip: give each employee their own ID to access your system. Otherwise, if an event occurs you can’t tell who was involved.

Securing credit card data

“In my experience, franchisors have different models in how they push out technology to their franchisees,” says Robert Martin, vice president of security solutions at Ingenico Group, a Paris-based company that supplies technology for secure electronic transactions. In the past some would require their franchisees to accept credit cards but not specify how. Others would say, “This is the technology package you must use and must order it from us.”

Martin says the latter model is the one that should be pursued. The benefit of taking away some of the choice and flexibility, he says, is that it protects the brand—which is the job of the franchisor. When a breach happens, he says, “It’s the franchisor’s brand. Nobody cares who the franchisee is.”

What’s important in pro-

put out for the industry, specifically the PCI PTS (Point of Sale Pin Transaction Security Standard).

The key to securing customer credit card data with this system is that the decryption keys are in a remote location—which is the only place the data can be decrypted. In the past, he says, merchants would decrypt at the back of the store before sending the card data to a processor. “But the merchant location is still part of the attack surface,” he says.

In the discussion about PCI compliance, says Martin, it’s common for a very important distinction to be lost. “Compliance is something you do for the audits. Security is something you do to protect your brand, your franchisees, and your customers.”

Another reason to do the encryption at the terminal is that the security configurations of the terminals are controlled remotely so franchisees can’t change them. And the gold standard for encryption is a PCI Point-to-Point Encryption (P2PE) solution.

And there’s a benefit that franchisees have to love: compliance becomes significantly easier. Instead of having to answer several hundred “questions of joy” on the PCI SAQ, franchisees are faced with just a few dozen.

Then there’s the question of securing stored cardholder data. This allows customers the convenience of quick and easy ordering. Think Pizza Hut, for example, which even stores customers’ favorite pies, saving time on both ends of the transaction. That data, explains Martin, is protected through “tokenization.” Rather than encrypting the data each time before sending it, a customer’s purchasing data is stored remotely at a “to-

For the franchisor, he says, the challenge is how to make sure its franchisees know how important this is to the brand. “They know they need to protect the brand. How to do that is a different story,” he says. “PCI is not enough—people will do only what they need to do.”

His advice to franchisors? “You should not go at this alone. There are a lot of third-party providers like us you can work with for a fixed monthly fee,” he says. Besides the cost of hiring and hardware involved in doing it in-house, there’s also the burden of maintenance and around-the-clock monitoring.

Franchisors and franchisees, he says, should be particularly receptive to the idea of standardization in the context of security. If you take the same approach to your security as you do your operations manual, store design, uniforms, and food, he says, it should be a no-brainer to understand why this is so important to the brand as a whole.

[Photo: John Christly]

Best practices for system-wide security, he says, should see every site have its firewall set up by the same company, its computers all a certain brand, etc. Also, he adds, it’s extremely efficient to run standardized operations—and if things go wrong, this makes it easier for auditors or forensic investigators.

Even doing all these things and more is no guarantee. “Does this mean I can’t be hacked?” he says. “No, unfortunately. Anyone can be hacked.”

Another important tip: grill your vendor about their security practices. “Vendors can be really good at installation, but don’t know a thing about security,” he says, and will leave a back door open, or leave the password as “ad