Multi-Unit Franchisee Magazine Issue IV, 2012 | Page 72
Security
By Gary Glover
Time To Own Up
Who is really responsible for network security?
An overwhelming number of franchisees are perplexed about network security ownership and responsibility, especially when it comes time to pay for a data compromise. Many incorrectly assume that the franchisor, or the third-party IT company the franchisee has appointed, manages all aspects of their security, including adherence to the Payment Card Industry Data Security Standard (PCI DSS). Generally speaking, this confusion stems from unclear delegation of security obligations between franchisors and franchisees. It leads franchisees to make assumptions about who is ultimately responsible for ensuring their PCI compliance is fulfilled, and who is liable in the event of a breach.
• Who is responsible for your security? In every arrangement but one, the franchisee is wholly responsible and liable for its own security. The exception is the franchisor-controlled scenario, in which the franchisor completely regulates and monitors every franchisee payment network from a single corporate location and typically delivers, sets up, and supports all franchisee systems. Even there, the franchisee should have that arrangement in writing. In every other situation, the franchisee is responsible. Even if a franchisee outsources its security systems to a hotel management company or an IT company, the franchisee remains 100 percent responsible, and in particular for the actions of its own employees who handle patron credit cards.
• Franchises on hackers’ “most wanted” lists. Our forensic investigations find that hackers choose to attack franchise-operated hotels, restaurants, and retail locations because many do not understand how to protect their business network. The PCI Data Security Standard (PCI DSS) is the set of payment card industry requirements, enforced by the card brands through merchant agreements with acquiring banks, that applies to any business or franchise that processes, stores, or transmits cardholder data. PCI DSS compliance helps franchisors and franchisees better protect their business from data breaches that may result in debilitating fines, damaging news stories, loss of customers, and revenue deterioration.
• Security outsourcing: here be dragons. Whether a franchisee manages its own POS system or hands it to a third party, it is wise to assume that not every aspect of security is being handled correctly. Many franchisees rely heavily on third parties to complete security requirements, but many IT companies, POS vendors, and hosting providers don’t know the full extent of PCI compliance. In fact, about 30 percent of data breaches we investigate have been caused by a third party’s insecure remote access. Ask every vendor how it connects to your systems remotely; PCI DSS requires that such access use unique credentials and two-factor authentication (Requirements 8.1 and 8.3). In fairness to these hired organizations, most IT companies do offer the services that enable secure systems and PCI DSS compliance. The problem is that many franchisees choose a substandard package that leaves out the security services and products that would help them meet PCI requirements and adequately secure their business.
Top 10 ways franchises are
hacked
As a franchisor or franchisee, ask yourself the following 10 questions. You may not know the answer to each, but it is important to identify who is responsible for each. Remember, in nearly all cases the franchisee is the liable party if a data compromise occurs.
1. What type of firewall do you have? Does it restrict both inbound and outbound traffic, denying everything by default and allowing only the connections your payment systems need?
2. Do you require complex alphanumeric passwords? Does each network user have a unique username, with no shared or vendor-default accounts?
3. Is an internal risk assessment performed on a regular basis (anti-virus, internal vulnerability scanning, internal penetration testing, file integrity monitoring, intrusion detection/prevention)?
4. Is an external risk assessment performed on a regular basis (vulnerability scanning, penetration testing, rogue wireless detection)?
5. Do you store cardholder data? If so, is it encrypted?
6. Do you employ third parties that process, handle, transmit, or store cardholder data?
7. Is your payment server segmented from public environments such as guest Wi-Fi and other non-payment networks?
8. Is your current payment application PA-DSS validated (listed on the PCI SSC list of Validated Payment Applications)?
9. What security policies and training do your employees have?
10. What is your process for updating software, and how quickly are security patches applied? PCI DSS expects critical patches to be installed within a month of release (Requirement 6.1).
This list is merely a sample of the PCI requirements your franchise must comply with. The easiest way to discover who should manage each aspect of security is to download the PCI Self-Assessment Questionnaire D (SAQ-D) from the PCI SSC website (www.pcisecuritystandards.org/security_standards/documents.php). Then assign each of the 288 self-assessment items to the party you believe should be responsible for addressing that requirement (IT group, franchisor, hotel management group, yourself). Once the list is complete, verify each assignment with the party concerned and formally define the responsibilities in a written document; PCI DSS itself requires a written agreement in which each service provider acknowledges its responsibility for the security of the cardholder data it handles (Requirement 12.8). Bear in mind that such an agreement does not move your liability to your acquiring bank or the card brands, but if you are breached because of third-party negligence, these records give you a basis for recouping the losses you sustain.
Get help
Most franchises don’t consider how third parties such as booking agencies, POS vendors, and management groups could be exploited by criminals and expose customer data. It is in your best interest to enlist the assistance of an independent organization whose core competency is security, such as a Qualified Security Assessor (QSA), to help you understand who should address each security requirement. Let them help you ask the right questions to see which PCI requirements have yet to be met at your business.
Gary Glover is QSA director for SecurityMetrics. To learn more about your security responsibilities as a franchisor, franchisee, third party, or business owner, please call 801-705-5656 or email [email protected].