Insecure networks accessible via the Internet are prime candidates for Internet attacks. Factors such as likelihood of sensitive data retention, transaction volume and brand recognition also make franchise networks attractive targets for compromise. To help mitigate the risk of network intrusions originating from the internet franchisors should implement appropriate POS perimeter controls and network security guidelines as prescribed by the PCI DSS. Franchisors should consider the following security practices:

• Mandate franchisees with IP based POS systems and / or broadband connection to install and maintain a stateful hardware firewall at all times. Underscore the consequence of disabling a firewall such as increased likelihood of internet attacks and potential system compromise as well as possible system failure.
• Require franchisees to enable firewall logging and maintain firewall logs for 60 days. These audit trails assist with reconstructing system events, help identify suspicious network activity and are instrumental in facilitating forensic investigations.
• Implement strong access controls. Access controls will help restrict inbound and outbound traffic on known ports to only traffic necessary for the cardholder data environment.

Remote Management Applications ("RMAs") are popular distribution channels amongst many franchise businesses. The ease of use and management across the franchisee platform can serve as an integral part of a franchise business. Many franchisors utilize corporate RMAs throughout their franchise community to disseminate business downloads, conduct sales polls or survey inventory. In addition, select franchisees may establish their own remote management accounts and through these accounts grant vendors remote access to facilitate servicing of the POS system. Consequently, if improperly configured the RMA creates a potential attack vector for hackers to exploit, leaving franchisees vulnerable to data compromise. To secure remote access consider implementing the following:

• Change vendor supplied default settings. Off the shelf RMAs are often packaged from vendors with default or blank passwords. The first step in securing the RMA should be to change the vendor-supplied default settings. By creating unique user IDs and complex passwords (preferably unique to each franchise location) franchisors that use corporate RMA accounts can reduce the risk of data compromise and help facilitate franchisee compliance with the PCI DSS. Franchisees that own and manage a separate account can also benefit from this practice.
• Configure the RMA to allow connections only from specific (known) IP / MAC addresses or configure the system so remote users must establish a Virtual Private Network ("VPN") connection via a firewall before access is granted.
• Turn on the franchisee’s modem only when needed for downloads from the franchisor or payment application vendor and turn off the modem immediately after downloads are complete. If the franchise business requires the modem configuration in the "always-on" mode, the franchisee and franchisor should consult with the RMA vendor on secure configuration setting for "always-on" mode connections.

Franchisors and franchisees are bound by the terms and conditions of their franchise agreements. As agreements are often renewed between three and five years and are subject to change, during the renewal period franchisors have an opportunity to amend franchisee contracts to include data security policies. By incorporating data security into the agreements, franchisors can incent franchisees to comply with the PCI DSS which reduces risk of data compromise and helps preserve the integrity of the franchise brand. Franchisors should consider reviewing and amending franchise contracts to include the PCI DSS fundamental security practices, which can be found at www.visa.com/cisp.

• Create or refine Standing Operating Procedures ("SOP"s). Many franchise businesses maintain operational policy through SOPs to provide operational directives to franchise businesses. Franchisors should amend these procedures to include cardholder data security practices as well as an incident response plan. These response plans should instruct franchisees on the steps required to report and contain a security breach or data compromise. To ensure the plan addresses specific industry mandates such as, immediately notifying merchant acquiring banks and Visa of the event, please visit www.visa.com/cisp and review Visa’s "What to do if Compromised" document.
• Direct franchisees to references that will provide practical security guidance. The Visa Cardholder Information Security Program (CISP) web site (www.visa.com/cisp) contains an array of security and compliance information, including security alerts and bulletins highlighting compromise trends.
• Use a secure automated communication channel, such as a corporate intranet, to distribute timely information such as announcements regarding payment applications used by franchises, data security alerts and training opportunities.
• Direct franchisees to attend data security training and education. Visa conducts Webinars to cover key security topics in addition to more detailed security training seminars. Franchisees should partner with their merchant acquirering banks to identify upcoming training events and registration requirements.