09-12-12 | Blog Post
Visa.com has provided a Payment System Security Best Practices for Franchises document, a security overview with many valuable tips for franchise businesses looking to minimize data breach risks. Visa’s strategy aligns PCI DSS compliance standards with five major areas of risk found in franchises:
One way to stay within PCI DSS boundaries is to understand what kind of data is off-limits for storage. Magnetic stripe, CVV2 and PIN data are all prohibited. Visa recommends franchisors and franchisees do their homework and choose a payment application that won’t store additional data without their knowledge.
Visa developed a document, Payment Application Best Practices (PABP), as a guideline for franchise businesses to follow. One recommendation is to use payment apps that have been validated against the PABP. Visa also recommends asking your vendors what type of information they store, and checking with a merchant acquiring bank (the bank that processes credit statements directly; also known as an acquirer or merchant bank) for a list of apps that may have vulnerabilities. These apps could be fixed with updates or patches, but when updating, the historical, prohibited stored data has to be wiped immediately.
With an insecure network, many franchises may be at risk of being targeted by hackers because of their brand recognition and the knowledge that they handle a large amount of online transactions, according to Visa. PCI compliant hosting may help franchises outsource their network security to ensure a highly available and reliable system, provided their hosting provider is able to attest that it meets all of the PCI compliance standards. Seeking a quality hosting provider? Read 8 Questions to Ask Your PCI Hosting Provider and Transparency with PCI Hosting Providers: Not Always Included for tips on what to look for and questions to ask.
Visa recommends mandating IP-based POS (Point of Sale) systems for all franchisees, hardware firewalls, logging/audit trails and strong access controls. Online Tech recommends high availability (HA), redundant firewalls, routers, Internet Service Providers (ISPs), two-factor authentication for remote access, web application firewall (WAF) and SSL certificates. For more details and diagrams, as well as a list of secure server and data center requirements, sign up to read our PCI Compliant Hosting white paper (it’s free!).
Remote management applications (RMAs) are used by corporate franchise businesses to distribute materials and communicate with their franchise community. Some franchisees may establish their own RMAs, and even grant vendors access to service their POS systems, according to Visa. While convenient, RMAs can open up another point of entry for hackers if not secured and configured properly.
Visa recommends changing all default settings set by vendors and creating unique user IDs and complex passwords, a requirement of PCI. Configuring the system to allow connections only from known IPs, or to require a VPN (Virtual Private Network) connection before remote access is granted, can also help secure an RMA.
Two-factor authentication can provide an additional layer of security when users connect via VPN remotely. Online Tech’s method includes 1) Username/password; 2) Verification via text, passcode, one-button push or voice authentication using a mobile device.
Visa acknowledges that while franchises and franchisees are bound by three- or five-year contract agreements, they should also reevaluate at the time of renewal to judge whether or not they have achieved adequate data security with their vendors.
Franchises and franchisees should also amend their contracts to include updated data security policies that align with the PCI DSS standards. As your PCI hosting provider, Online Tech has documented security policies and audited staff, PCI compliant data centers and solutions.
Visa also recommends that franchisors expand their training programs to include cardholder data security awareness and an incident response plan. PCI DSS mandates that merchants establish, document and distribute procedures for an incident response plan (12.9). An incident response plan includes disaster recovery, offsite backup and more. Find out more by reading Disaster Recovery and Backup with PCI Hosting Providers.