The enforcement of PCI compliance can be difficult for franchisors to navigate who are looking to establish cooperation across their franchise system.
In the webinar, "How much is your brand reputation worth? The cost of PCI compliance," presented by FastCasual.com and VendorSafe, Brad Cyprus discusses the various alternatives franchisors have for ensuring PCI compliance across their chain.
Cyprus is joined by Vincent Burchianti, chief financial officer for Firehouse Subs. During his presentation, Burchianti provided details into the method implemented by Firehouse Subs, its adoption rate among franchisees and its impact on the system.
Cyprus first highlighted three methods operators have used to enforce compliance: the hands off approach, solution recommendation approach and the solution-provider approach.
The first approach is "the hands off approach" in which no guidance is provided to franchisees within the system. While franchisors may provide a date in which franchisees need to be compliant, little else is offered and often, franchisees don't know what's required from them.
Cyprus said there are several pros and cons in reference to the hands off approach.
Pros include the approach means the least amount of effort for franchisors, a limited direct liability to franchisors since no direct solution is suggested and a mandated compliance that will work within almost any operating agreement.
On the negative, the hands off approach puts a large burden on franchisees, any franchisor civil liabilities will only be mitigated rather than eliminated and it has the lowest adoption rate among franchisees when compared to other methods.
Cyprus said less than 10 percent of franchisees in systems that adopt this method implement PCI-compliant solutions.
"Franchisees basically won't know what to do, so they're not going to do anything," he said.
While the adoption rate of PCI-compliant solutions is higher in franchise systems that recommend a solution, franchisees and their parent company must both put in increased effort. It requires a time and marketing commitment from the franchisor and franchisees have to be willing to do the work necessary for the program.
This approach still allows for franchisees to implement their own solution, yet franchisors can mandate a PCI-compliance date and, when practical, they can include a specific threat if compliance is not met within the given timeframe.
Cyprus said this approach has a 25 percent to 50 percent adoption rate among franchisees.
"Because the security of locations is better, the chance of a breach goes down and that's really what you're trying to avoid. You want to avoid the public embarrassment of credit cards being stolen at a location for the simple fact that that has the greatest ramification," Cyprus said. "Whether or not they're able to be completely compliant, or whether or not they're able to mitigate all of the risk, well that's arguable. But it is much better to be mostly compliant, or it is much better to have good security in place than to do nothing and hold your hands up in the air and hope that nothing happens."
Provide a solution
The highest adoption rate among franchise systems is the method in which franchisors actually provide a solution to their franchise partners.
While the cost to do so is high, Cyprus said this method is the best chance operators have to reduce their risk of a data breach. It also has the highest level of increased security across the franchise base and an 85 percent to 100 percent adoption rate.
However, franchisors have direct responsibility if a data breach occurs and they also must have the ability to mandate compliance in their operations agreement.
"Quite honestly, you might upset franchisees. Nobody likes to be forced to do anything. Nobody likes to be told what they must do; however, you have to weigh that against protecting the brand," Cyprus said.
Click here to download the presentation and to hear which method was successfully adopted by Firehouse Subs.
Read more about operations management.