Franchise News

How franchises can ensure data safety

By MARK BRANDAU
SPONSORED 3:15PM 09/15/14
Staying ahead of data security threats is hard enough, as seen in high-profile hacks of credit card numbers from Target and Home Depot in the past few months, but it is a different challenge altogether in franchising, when parent companies and their franchisees share responsibility for ensuring safe transactions across all of a brand’s locations.

“It’s one thing to enforce compliance and security on the enterprise level for the corporate system, but unless the franchisor has complete control of the infrastructure, the franchisee is responsible for compliance, which is incredibly hard to manage,” said Matt Dwyer, vice president of products and strategic client relations for FranConnect. “We want the business owner to be a business owner, not also a tech expert on top of that.”

Consumers want all their data accessible at any time, anywhere and on any device, but that also creates more points where brands have to limit bad actors’ access to that same data, he said. Fortunately, current and forthcoming technologies are helping retailers handle new threats, he added.

Dwyer gave 1851 Magazine the following tips for franchise brands to keep in mind when addressing their data security:

Look to the cloud

Dwyer noted that the hacking of non-franchised brands like Target and Home Depot shows that all brands must focus on data security, even if they operate all company-owned stores. The key is to make sure payment info and credit card numbers do not get stored at the unit level, he said.

“Brands need to get away from the business of having to store and manage credit card data and put it into the hands of experts,” he said, noting that FranConnect has a cloud-based system that manages a franchise brand’s data on off-site servers.

“Some of our senior-care provider clients can oversee all their client information, including Social Security numbers or HIPAA information, and they can track and restrict who accesses it.”

Train and staff up appropriately

The training of a brand’s people is crucial to data security, Dwyer added, noting that HIPAA information a senior-care franchise would need to manage could be particularly sensitive and reverberate across all business decisions.

“You need to educate every member of your organization about the significance of data like that, and you have to have a compliance officer involved in business decisions,” he said. “When we work with very IT-savvy organizations, every decision they make, they ask, ‘How does this affect PCI compliance or HIPAA?’ Having somebody assigned to that compliance helps.”

Embrace new NFC methods

More retail brands have developed their own smartphone apps with features like mobile pay and mobile loyalty, and they have taken major steps to make those apps more secure. Brands like Your Pie, Starbucks Coffee and Protein Bar, for instance, use branded apps that let smartphones communicate with special near-field communication readers attached to the cash register. When users enter their payment information into the app one time, it produces a special QR code the user can use to pay by holding it to the NFC reader rather than using a credit card.

Dwyer said Apple’s announcement of Apple Pay, an NFC system on the iPhone 6 that lets consumers pay with the wave of a smartphone, is most beneficial for retailers from the standpoint of its data security.

Like other apps, Apple Pay lets consumers link their bank accounts to their phones by entering or scanning a credit or debit card. Importantly, however, the app does not save that account or card number and instead produces a unique code that a user may give to a merchant to draw money from the account.

Transactions remain secure if the person using the account-linked phone is the rightful owner of the smartphone. Apple’s security would go further by requiring the user to activate TouchID, which verifies rightful ownership of the phone by scanning a person’s fingerprint.

“Apple is trying to remove personal info and get more to person-based authentication, which is the right way to be going,” Dwyer said. “For franchise retail brands, it’s something they should look at supporting as soon as possible, so that they don’t have sensitive numbers stored in their infrastructure.”

Work with payment processors

Though they do not have the same flash and cool factor as NFC from Apple Pay or QR codes, a major innovation coming soon to safeguard payment data is debit and credit cards with embedded “EMV” chips that authenticate users’ identities and prevent fraud.

Major payment processors like American Express have begun to roll out these “smart cards,” but “there’s been some foot-dragging on the retailer side” in investing in the technology needed to support them, Dwyer said.

“It’s not quite cool enough a tech leap to be on board with EMV chips right now,” Dwyer said. “But if processors are asking you to do additional things, like require ZIP codes for purchases or support EMV, they often offer better terms on their transaction fees, so there are incentives to move that way.”
