Franchise Update Magazine Issue II, 2017 - Page 44

For the franchisor, he says, the challenge is how to make sure its franchisees know how important this is to the brand. "They know they need to protect the brand. How to do that is a different story," he says. "PCI is not enough—people will do only what they need to do."

His advice to franchisors? "You should not go at this alone. There are a lot of third-party providers like us you can work with for a fixed monthly fee," he says. Besides the cost of the hiring and hardware involved in doing it in-house, there's also the burden of maintenance and around-the-clock monitoring.
Franchisors and franchisees, he says, should be particularly receptive to the idea of standardization in the context of security. If you take the same approach to your security as you do to your operations manual, store design, uniforms, and food, he says, it should be a no-brainer to understand why this is so important to the brand as a whole.
Best practices for system-wide security, he says, should see every site have its firewall set up by the same company, its computers all of a certain brand, and so on. Standardized operations are also extremely efficient to run, he adds, and if things go wrong, a uniform configuration makes it easier for auditors or forensic investigators, because every site can be compared against the same known baseline.
Even doing all these things and more is no guarantee. "Does this mean I can't be hacked?" he says. "No, unfortunately. Anyone can be hacked."
Another important tip: grill your vendors about their security practices. "Vendors can be really good at installation, but don't know a thing about security," he says, and will leave a back door open, or leave the password as "admin" when they're done. "That's how the majority of breaches happen." He offers three tips for franchisors:
1) Inventory. PCI DSS requires it: take an inventory of wireless access points, computers, and everything else on the network, including any USB device plugged into a POS that you did not put there.
2) Antivirus software. This should be updated daily, he says; all it takes is to set it to check automatically. "This is a very important core security feature, especially for Windows," he says. John Christly, who in a former life was a computer forensic investigator, says he saw a lot of expired antivirus software.
3) Patch management must be kept up to date. Apple and Microsoft come out with updates all the time, but that doesn't mean people install them. "A lot of hacking that has gone on is because people don't do this," he says.
Then, again, there's the people factor. "I can't make people take 15 minutes to watch a video or pay them to do it at home," is something he hears way too often. If you don't require and enforce education, he says, "You're asking for trouble and should not be surprised when it happens."
Another tip: give each employee their own ID to access your system. Otherwise, if an event occurs, you can't tell who was involved, because a shared login shows up in the logs as the same user no matter who typed it.
Securing credit card data
"In my experience, franchisors have different models in how they push out technology to their franchisees," says Robert Martin, vice president of security solutions at Ingenico Group, a Paris-based company that supplies technology for secure electronic transactions. In the past some would require their franchisees to accept credit cards but not specify how. Others would say, "This is the technology package you must use and must order it from us."
Martin says the latter model is the one that should be pursued. The benefit of taking away some of the choice and flexibility, he says, is that it protects the brand—which is the job of the franchisor. When a breach happens, he says, "It's the franchisor's brand. Nobody cares who the franchisee is."
What's important in protecting credit card data is removing the points of attack, says Martin. In the 2013 Target breach, which affected roughly 40 million cardholders and resulted in a $39 million settlement, criminals installed memory scrapers at the point of sale: malware that read card numbers out of the POS software's memory during the moments they sat there unencrypted.
The way to prevent that, says Martin, is to make it so there is no credit card data flowing "in the clear" (unencrypted) anywhere on the merchant's systems. "What's important for franchisors is that they require a system that encrypts at the point of the card, at the terminal." That terminal, he says, should meet the high-level security standards that have been put out for the industry, specifically PCI PTS (the PCI PIN Transaction Security standard for payment terminals).
The key to securing customer credit card data with this system is that the decryption keys are in a remote location—which is the only place the data can be decrypted. In the past, he says, merchants would decrypt at the back of the store before sending the card data to a processor. "But the merchant location is still part of the attack surface," he says.
In the discussion about PCI compliance, says Martin, it's common for a very important distinction to be lost. "Compliance is something you do for the audits. Security is something you do to protect your brand, your franchisees, and your customers."
Another reason to do the encryption at the terminal is that the security configurations of the terminals are controlled remotely, so franchisees can't change them. And the gold standard for encryption is a PCI-listed Point-to-Point Encryption (P2PE) solution.
And there's a benefit that franchisees have to love: compliance becomes significantly easier. Instead of having to answer several hundred "questions of joy" on the full PCI SAQ, franchisees using a validated P2PE solution qualify for the much shorter SAQ P2PE and are faced with just a few dozen.
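The point Martin makes across the last few paragraphs, encrypt at the card reader and hold the key only at the processor, is easy to see in code. The following is an added example written for this page; it is not Ingenico's code or any real P2PE product. It assumes a per-transaction key derived with HMAC-SHA256 from a shared base key and a counter (standing in for the DUKPT scheme real terminals use), AES-GCM from Go's standard library for the encryption itself, a constructed test PAN, and a small memory scraper that does what the Target POS malware did: search a process's memory for Luhn-valid card-number-shaped digit runs. Run against a legacy POS buffer the scraper finds the PAN; run against what a P2PE terminal hands the POS it finds nothing, and only the processor can turn the blob back into a card number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"regexp"
)

// EncryptedTxn is what leaves the terminal: counter, nonce and AES-GCM ciphertext (with tag). No key travels with it.
type EncryptedTxn struct {
	Counter    uint32
	Nonce      []byte
	Ciphertext []byte
}

func be32(n uint32) []byte { return []byte{byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)} }

// deriveTxnKey makes a fresh key per transaction from a base key held only by the terminal's secure
// hardware and the processor. Assumption: HMAC-SHA256 over a counter stands in for real DUKPT.
func deriveTxnKey(baseKey []byte, counter uint32) []byte {
	mac := hmac.New(sha256.New, baseKey)
	mac.Write([]byte("p2pe-transaction-key"))
	mac.Write(be32(counter))
	return mac.Sum(nil) // 32 bytes, used as an AES-256 key
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// terminalEncrypt runs inside the card reader: the PAN is encrypted the moment it is read, before
// any store system sees it. The counter is bound as associated data so a re-numbered blob fails.
func terminalEncrypt(baseKey []byte, counter uint32, cardData string) (EncryptedTxn, error) {
	gcm, err := gcmFor(deriveTxnKey(baseKey, counter))
	if err != nil {
		return EncryptedTxn{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedTxn{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(cardData), be32(counter))
	return EncryptedTxn{Counter: counter, Nonce: nonce, Ciphertext: ct}, nil
}

// processorDecrypt is the only place a decryption key exists, off the merchant premises.
// A tampered blob or a wrong base key yields an error, not card data.
func processorDecrypt(baseKey []byte, txn EncryptedTxn) (string, error) {
	gcm, err := gcmFor(deriveTxnKey(baseKey, txn.Counter))
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, txn.Nonce, txn.Ciphertext, be32(txn.Counter))
	return string(pt), err
}

var panPattern = regexp.MustCompile(`[0-9]{13,19}`)
var luhnDouble = [10]int{0, 2, 4, 6, 8, 1, 3, 5, 7, 9} // digit doubled, then its digits summed

// luhnValid is the check-digit test every PAN passes; a scraper uses it to skip other digit runs.
func luhnValid(s string) bool {
	sum := 0
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if (len(s)-1-i)%2 == 1 { // every second digit from the right is doubled
			d = luhnDouble[d]
		}
		sum += d
	}
	return sum%10 == 0
}

// scrapeForPANs does what the Target POS malware did: walk memory for Luhn-valid card-shaped runs.
func scrapeForPANs(memory []byte) []string {
	var found []string
	for _, m := range panPattern.FindAllString(string(memory), -1) {
		if luhnValid(m) {
			found = append(found, m)
		}
	}
	return found
}

func main() {
	baseKey := make([]byte, 32) // constructed: stands in for the key injected at key loading
	rand.Read(baseKey)
	pan := "4111111111111111" // constructed test PAN, not a real card
	// Legacy store: the POS holds the PAN in memory until the back office sends it on.
	fmt.Println("legacy POS memory:", scrapeForPANs([]byte("sale total=12.50 pan="+pan+" exp=1225")))
	// P2PE store: the POS only ever holds the blob the terminal produced.
	txn, _ := terminalEncrypt(baseKey, 1, pan)
	fmt.Println("P2PE POS memory:", scrapeForPANs(append([]byte("sale total=12.50 blob="), txn.Ciphertext...)))
	clear, err := processorDecrypt(baseKey, txn)
	fmt.Println("processor decrypts:", clear, err)
}
```

The merchant-side code never receives `baseKey`, which is the whole design: a scraper on the POS, a compromised back-office server, or a franchisee editing the terminal configuration gets only ciphertext, and a blob that has been altered or re-numbered is rejected by the processor rather than decrypted.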
Then there's the question of securing stored cardholder data, which allows customers the convenience of quick and easy ordering. Think Pizza Hut, for example, which even stores customers' favorite pies, saving time on both ends of the transaction. That data, explains Martin, is protected through "tokenization." Rather than the merchant keeping the card number and encrypting it each time before sending it, the card data is stored remotely in a "token vault" behind layers of security, and the merchant keeps only a token: a stand-in value that carries no card data and is useless to anyone who steals it.
An order made through a mobile device, for instance, results in the token being sent to the high-security system where the card data is stored. That is the only point where "detokenization" occurs, just before the data is sent to a payment card processor. Voila, a secure pizza delivered to your door! "For a franchisor that does mobile ordering, having a tokenization system as part of their mobile strategy is a very good answer for protecting the cardholder data," says Martin.
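To make the tokenization flow concrete, here is an added example written for this page, not code from Ingenico or from any real token vault. It assumes an in-memory map standing in for the vault's protected store, a random token that keeps only the last four digits of the card so the app can still show "card ending in 1111", a merchant identifier bound into the token (an assumption about vault design, so a token lifted from one franchisee's database cannot be charged through another account), a constructed test PAN, and a payment processor modelled as a callback so everything runs offline. The merchant's customer record has no field for the card number at all; the vault is the one place the number reappears, immediately before the charge goes to the processor.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// TokenVault runs in the provider's high-security environment and is the only component
// that can map a token back to a card number. Assumption: an in-memory map stands in for
// the vault's encrypted, access-controlled store.
type TokenVault struct {
	mu   sync.Mutex
	pans map[string]string // token -> PAN, never the other way round
}

func NewTokenVault() *TokenVault { return &TokenVault{pans: map[string]string{}} }

// Tokenize accepts a PAN once, at card entry, and hands back a token. The token is random,
// so nothing about the card can be computed from it; only the last four digits survive.
func (v *TokenVault) Tokenize(merchantID, pan string) (string, error) {
	if n := len(pan); n < 13 || n > 19 {
		return "", errors.New("tokenize: not a card number")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	// Binding the merchant into the token means a token stolen from one franchisee's
	// database cannot be charged through another merchant account.
	token := "tok_" + merchantID + "_" + hex.EncodeToString(raw) + "_" + pan[len(pan)-4:]
	v.mu.Lock()
	defer v.mu.Unlock()
	v.pans[token] = pan
	return token, nil
}

// Detokenize is the single point where the card number reappears, immediately before the
// charge is handed to the payment processor. Unknown or foreign tokens yield an error.
func (v *TokenVault) Detokenize(merchantID, token string) (string, error) {
	if !strings.HasPrefix(token, "tok_"+merchantID+"_") {
		return "", errors.New("detokenize: token not issued to this merchant")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	pan, ok := v.pans[token]
	if !ok {
		return "", errors.New("detokenize: unknown token")
	}
	return pan, nil
}

// CustomerProfile is what the franchisor's ordering system keeps: the favourite order and
// the token. There is no field for the card number at all.
type CustomerProfile struct {
	Name          string
	FavoriteOrder string
	CardToken     string
}

// ChargeOrder is the mobile-ordering flow: the merchant sends token and amount to the vault,
// which detokenizes and forwards the PAN to the processor (modelled here as a callback).
func ChargeOrder(vault *TokenVault, merchantID string, p CustomerProfile, cents int,
	processor func(pan string, cents int) string) (string, error) {
	pan, err := vault.Detokenize(merchantID, p.CardToken)
	if err != nil {
		return "", err
	}
	return processor(pan, cents), nil
}

// dumpProfiles is what an attacker who copied the merchant's customer table would get.
func dumpProfiles(profiles []CustomerProfile) string {
	var b strings.Builder
	for _, p := range profiles {
		fmt.Fprintf(&b, "%s|%s|%s\n", p.Name, p.FavoriteOrder, p.CardToken)
	}
	return b.String()
}

func main() {
	vault := NewTokenVault()
	pan := "4111111111111111" // constructed test PAN, not a real card
	tok, _ := vault.Tokenize("store-0042", pan)
	profiles := []CustomerProfile{{"Ada", "large pepperoni", tok}}
	fmt.Println("merchant table contains the PAN:", strings.Contains(dumpProfiles(profiles), pan))
	receipt, err := ChargeOrder(vault, "store-0042", profiles[0], 1899,
		func(pan string, cents int) string {
			return fmt.Sprintf("approved %d cents on card ending %s", cents, pan[len(pan)-4:])
		})
	fmt.Println(receipt, err)
	_, err = ChargeOrder(vault, "store-0099", profiles[0], 1899, nil)
	fmt.Println("another merchant using the stolen token:", err)
}
```

The contrast with encryption is the reason Martin prefers this for stored data: an encrypted card number is still a card number plus a key somewhere, whereas a token is a random lookup handle, so a dump of the merchant's customer table yields nothing a thief can charge or decrypt.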