The report on reducing the costs of PCI compliance can be downloaded after providing some information about your company argues:
The major problem for a franchise system is who is responsible for PCI compliance? The franchisor doesn't want to get into the business of monitoring data breaches for fear of incurring unnecessary vicarious liability, but individual franchisees may pick solutions that undermine the network's security."It's a fact of life that the retailer's environment is just too complex to completely and constantly lockdown against all intruders. An organization may have hundreds or thousands of distributed store and distribution center locations, tens of thousands of employees, and multiple connected devices, systems and networks.Maintaining constant vigilance over every access point and every place where data is stored or transported is a challenge that will likely never be fully met. Many retail organizations are understandably frustrated that the millions of dollars invested in becoming PCI compliant does not protect them from the threat and the liability of a data breach."
It will difficult for the franchisor to demand PCI compliance when their franchise contract is somewhat vague on the what the franchisee has to do to maintain the required POS system.
Ideally, PCI vendors should be contacting the franchise system's franchise trade association to discuss how compliance might benefit most of the franchisees some of the time.
