It’s estimated that the average total organizational cost of a data breach in the United States is $5.85 million – and that number doesn’t even include the loss of invaluable customer trust and goodwill.
Consumer data, and its vulnerability to theft, has become a hot topic lately. On the December 3, 2014 episode of Franchise Today, host Paul Segreto discussed data breaches and their increasing frequency. The guests for the show were Tom Epstein and Lee Plave. Tom is the CEO of Franchise Payment Network, while Lee is a Partner at the law firm Plave Koch. Both have extensive experience with many aspects of technology use in franchise systems, including the legal issues.
The subject of consumer data security is deep and multi-faceted. We strongly recommend listening to this episode to learn more about this seemingly ever-changing issue. Here are some main points to take with you from the episode:
“The majority of the breaches taking place are not happening at the point where you swipe the card.”
Who writes the rules and standards that protect cardholder data and help ensure companies comply with the PCI DSS (Payment Card Industry Data Security Standard)?
Two of the major players are the PCI Security Standards Council and the ETA (Electronic Transactions Association).
Protection might be made more difficult for franchises (compared to corporate entities) because of the more extensive networks and relative independence of the individual units.
“It’s about execution at the franchisee level in order to make your brand safe,” says Tom. “You’ve got some franchisees that are going to do everything you ask them to do, and you’ve got some that aren’t, just frankly, going to be paying attention to it.” To demonstrate the challenge of keeping a franchise network compliant, he related this experience:
“One thing we see a lot is the franchisor will go to the vendor and ask ‘is the point-of-sale software PCI compliant?’ Probably 99% of the point-of-sale guys are running PCI compliant point-of-sale systems. [However], what happens is every time there is a major breach, or major vulnerability, that’s discovered the point-of-sale guys have to go back and re-release new software versions in order to patch those breaches or vulnerabilities. And [then] what happens is franchisees sometimes don’t download the new version of the point-of-sale software because they think ‘the old one’s working, why do I need to spend two or three hundred dollars to update it?’”
As the story demonstrates, the defenses of a franchise network are easily weakened. In the example above, every location that skipped the update stayed exposed to a vulnerability the vendor had already fixed, and a single compromised store is enough to put the brand’s cardholder data, and its name, in the headlines. Those franchisees didn’t see how the update fit into the larger picture; they saw only what they felt was an unnecessary cost.
So how do you manage the franchisees who aren’t paying attention and aren’t doing everything you ask of them? It comes down to strong enforcement of the policies the franchisor has laid out. “It’s educating your field guys and girls to be going in and looking at what compliances are being done at the store level,” Tom says, along with educating franchisees on why those policies are in place. “I like to look at PCI compliance, especially in the franchise environment, as a chain. If any one piece of that chain is not secure, or compliant, you’re in trouble.”
Data policies need to be tailored to the company’s industry. “Every franchisor ought to seriously consider how to approach [developing a data policy] with their company’s particular circumstances in mind,” says Lee. For example, “it’s different for a healthcare company than it is for a fast food company. It’s different for a company that is in the business of collecting data and using it for customer gifts than it is for another company that is in a more traditional form of retailing. Everyone has to contemplate it in their own context.”
Damage to the brand might be the biggest consequence of a data breach. As the saying goes, “you are your reputation,” and that is especially true in a digital world where stories and experiences are shared instantly, potentially with millions of people. The legal ramifications are substantial, but the loss of customer goodwill and the bad press that follows a breach may be the heaviest blow a company has to weather.
Where are most of the problems showing up right now? At the store’s router.
What actions can be taken to minimize the risk of a data breach? Here are four tips for franchisors and franchisees:
- Change router passwords on a regular basis (for businesses, every 90 days, according to Tom), and never leave them at the vendor default
- Put a firewall between the point-of-sale system and the other devices that share the store network, such as security cameras and customer Wi-Fi, so that a compromised camera or guest laptop cannot reach the POS
- Train employees in the proper way to handle credit and debit cards
- Keep software up to date at every location, including the point-of-sale patches described above
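What the second tip looks like in practice, as an added example that is not from the episode or from either guest: an nftables ruleset for a small store router that puts the point-of-sale terminals, the customer Wi-Fi and the cameras on separate VLANs and allows traffic between them only where the business needs it. The VLAN names and addresses, the `wan0` uplink, the 203.0.113.0/24 range standing in for the payment processor, and the 10.0.10.2 management workstation are all hypothetical. A flat store network with everything on one switch behaves like the `policy accept` this ruleset replaces.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the Franchise Today episode. Hypothetical layout:
#   vlan10 = point-of-sale terminals   (10.0.10.0/24)
#   vlan20 = customer Wi-Fi            (10.0.20.0/24)
#   vlan30 = security cameras and NVR  (10.0.30.0/24)
#   wan0   = Internet uplink
# 203.0.113.0/24 is a placeholder for the payment processor's gateway addresses.
flush ruleset

table inet store {
    set processor {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    chain forward {
        # Default deny between zones: a flat network is the same as "policy accept" here.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # POS may reach only the payment processor over TLS; nothing else on the Internet.
        iifname "vlan10" oifname "wan0" ip daddr @processor tcp dport 443 accept

        # Anything from the guest or camera VLAN aimed at the POS VLAN is logged, then dropped,
        # so a compromised camera or guest laptop probing the terminals shows up in the router log.
        iifname { "vlan20", "vlan30" } oifname "vlan10" log prefix "cross-zone-to-POS " drop

        # Customer Wi-Fi gets Internet only, never the store LAN.
        iifname "vlan20" oifname "wan0" accept

        # Cameras stay on their own VLAN (traffic inside a VLAN never crosses the forward hook);
        # they get no Internet and no path to the POS.
    }

    chain input {
        # Traffic to the router itself: DNS/DHCP for every VLAN, management only from one host.
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # DHCP and DNS service for the internal VLANs
        iifname { "vlan10", "vlan20", "vlan30" } udp dport { 53, 67 } accept

        # Router administration (SSH/HTTPS) only from the manager's workstation on the POS VLAN,
        # never from guest Wi-Fi, the cameras or the WAN side.
        iifname "vlan10" ip saddr 10.0.10.2 tcp dport { 22, 443 } accept
    }
}
```

Load it with `nft -f` and check it with `nft list ruleset`; the "cross-zone-to-POS" log prefix is the line to watch for in the router's syslog, since on a correctly segmented network it should never fire. The router password and firmware update tips in the list still apply to the router carrying these rules: a rule set is only as trustworthy as the device enforcing it.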
“It’s just simple things,” says Tom. “It just needs to be executed on.” Nothing is completely hack-proof, but if 100% of locations, or as close to that as possible, are taking these steps, the franchise will be in good shape.
Again, this is a really good episode to listen to. The show also includes a good discussion of how newer payment options such as Apple Pay could provide a higher level of consumer data security.