The PCI DSS, Chaining and the Franchise Relationship

My colleagues and I are often asked, “Where does the responsibility for compliance fall when a compliant service provider shares consumer data with a non-compliant third party?

This is an interesting question and one that could change how hotels and franchisors in particular achieve and maintain Payment Card Industry Compliance in the future.

The transfer of card data from the consumer to multiple parties is called “Chaining” and will no doubt be the subject of great debate in the coming year. The risks chaining presents to consumers and the implications to franchisors and franchised entities will make it a hot bed topic.

Let’s start the discussion using the hospitality industry as a case study, focusing on how cardholder data moves between entities that maintain varying levels of compliance.

The hotel industry has taken the position that they are not involved with and bear no responsibility for the compliance of independent hotels. The party line is that, “franchised hotels are independently owned and operated and as such are responsible for attaining and maintaining their own compliance.”

As a compliance professional, I disagree with this position and will explain why the stance is weak at best.

The PCI Security Standards Council recently released its “THIRD-PARTY SECURITY ASSURANCE GUIDANCE.” The purpose of the document is to help organizations and their business partners reduce risk by better understanding their respective roles in the securing of card data. While the wording in the document is specific to Service Providers, the risks and responsibilities are no different in the franchisee/franchisor arena.

I submit that brands must acknowledge joint responsibility for the protection of consumer data from the point of data collection, be it via the brand website or call centers to the completion of the stay and the transmission of data back to the central reservation systems. If systems located at the hotel are connected to the brand’s central reservations system, then the argument is made that they are in scope. Connected systems that process, store or transmit cardholder data are always in scope.

No one disputes that a service provider is obligated to secure systems that process, store or transmit cardholder data. Material systems are routinely “audited” by third party assessors and a successful assessment culminates in the filing of the Report on Compliance.

The breakdown in “chaining” is the point where the brand transmits reservation information, including personally identifiable information and cardholder data to non-compliant franchised hotels. Research conducted by PrivacyAtlas reveals 92% of independently owned and operated hotels are not compliant with the PCI DSS and lack any meaningful Data Security and Data Privacy programs. Therefore, the brand knowingly transmits cardholder data to non-compliant partners without the consent of the consumer.

Doesn’t the brand have an obligation to ensure data they accept on behalf of the consumer remains secure? When a brand advertises their PCI Compliance isn’t the consumer led to believe the transaction stream is secure from end to end?

I interpret the relationship between the franchisee and franchisor to be a third-party relationship and therefore one that must be protected in accordance with the THIRD-PARTY SECURITY ASSURANCE GUIDANCE.

Based on the Council document and the above interpretation of the Franchise/Franchisor relationship, I believe that the brand and property share culpability and therefore must take the following measures to ensure cardholder data is protected.

We can easily substitute Franchise for Third Party in each of the recommendations below.

• Conduct due diligence and risk assessment when engaging third party service providers to help organizations understand the services provided and how PCI DSS requirements will be met for those services.
• Implement a consistent process for engaging third-parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.
• Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship.
• Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program

The guidance includes high-level suggestions and discussion points for clarifying how responsibilities for PCI DSS requirements may be shared between an entity and its third-party service provider (in this case, franchisor and franchisee), as well as a sample PCI DSS responsibility matrix that can assist in determining who will be responsible for each specific control area.

The official announcement of the guidance document quotes Bob Russo, a ranking official within the PCI Council, urging shared responsibility: “One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility,” said Bob Russo, PCI SSC General Manager. “This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.”

Nowhere does the document suggest that service providers distance themselves from the non-compliant merchant. How can hotel franchises, when these entities share connected systems for bookings and support? Franchisors cannot in good conscience ignore the property knowing full well that the merchant doesn’t have a meaningful data security or data privacy programs in place. The merchant hasn’t a clue how to maintain their systems in a compliant manner, conduct vulnerability scans as indicated in the standards, or even report data leakage appropriately.

I would like to see the hotel brands step up and take accountability starting today. With the cooperation of the Council, Card Brands and Acquirers, we can make clear the lines of responsibility that improve consumer protection.