Thursday, April 25, 2024

Rash of Chain Breaches Casts Spotlight on Unique Vulnerabilities of Franchised Businesses

News of a possible card-data breach at chicken-sandwich chain Chick-fil-A caps a year that saw a number of franchised businesses compromised and throws into relief what some experts say is the unique security vulnerability of the franchise business model.

Franchised chains, in which so-called owner-operators run stores under a license from the franchisor, often rely on the parent organization to provide point-of-sale payment systems, these experts say. That means that once criminals crack the code at one location, they can replicate their attack across multiple stores. This vulnerability is particularly dangerous in cases where systems are misconfigured to begin with.

In some cases, franchisees turn to independent vendors to supply point-of-sale services, but this can place the stores at a disadvantage if the provider’s system relies on simple passwords or otherwise fails to comply with industry standards such as the Payment Card Industry data-security standard (PCI).

As a result, franchised stores “are definitely on the radar from a hacker’s perspective,” Kristyan Mjolsnes, a director at Chicago-based security-solutions vendor Trustwave Holdings Inc., tells Digital Transactions News. By comparison with other small businesses, franchised locations, indeed, appear to be especially appealing to criminals. “Franchises in particular have unique characteristics that put them at a greater risk for breach,” says Steve Robb, a senior vice president at ControlScan Inc., an Alpharetta, Ga.-based security firm, in an email message.

That vulnerability became particularly apparent in a rash of compromises last year. Though data on what proportion of all breaches franchised businesses account for is hard to come by, 2014 saw a string of such organizations fall victim to hackers. Some of the better-known names included Dairy Queen, Jimmy John’s, Goodwill, and UPS Store.

As of Tuesday, Chick-fil-A had not confirmed a breach. But a statement it posted on its Web site Jan. 2 says the company is investigating reports of “potentially unusual activity involving payment cards” at what it calls “a few” of its 1,850 stores. The first such report came to the company’s attention Dec. 19, the post says.

The KrebsOnSecurity blog, which often breaks news about data breaches, says several financial institutions have reported suspicious activity on cards used at Chick-fil-A restaurants in various parts of the country. Most of the fraud has apparently been related to stores in Georgia, Maryland, Pennsylvania, Texas, and Virginia, the news service says.

What puts franchised chains most at risk is their high reliance on credit and debit cards for payment, coupled with their use of common payments systems mandated by the franchisor. “We’re finding it’s more common that organizations are trying to have standardized systems,” notes Mjolsnes. “It’s easier and more efficient.”

But once hackers have figured out how to invade the point of sale at one location, this very standardization can give them entrée to other stores in the system. Nor is it easy to figure out which link in the chain was targeted first. In a report issued in 2013, Trustwave says it found in 2012 that in only one-third of cases was the location initially investigated the place where the cascade of breaches started, a finding unique to franchise-breach investigations. The company investigated breaches involving hundreds of franchised locations that year, the report says.

Further complicating franchise security is that while franchisors can specify policies and procedures, they can’t ensure that local owner-operators follow them consistently, says ControlScan’s Robb. Moreover, chains become more vulnerable as they grow and add both stores and technologies. “More people and locations mean more points of potential failure from the human element, volume of transactions, and the various components (security cameras, energy-management systems, digital menu boards, etc.) attached to the network,” says Robb.

In the end, the greatest cost of a breach to franchised systems may not even lie in any liability to make good for actual theft from customers’ accounts. Franchisors can spend millions on building a national or regional brand, making a breach especially damaging not only for them but for local operators, as well. “What puts these franchises at greater risk is the brand equity that they share,” points out Mjolsnes. “The average consumer doesn’t distinguish between one location being breached and the brand as a whole.”
