Franchisees blamed in $3 million breach

Bruce Schneier’s blog tipped me off to this article on how hackers used point-of-sale software to collect card numbers at Subway franchises and ring up over $3 million in fraudulent charges. The franchisees were blamed for ignoring Subway’s security policy, but I’m not sure that’s right.

The breach essentially came down to franchisees using remote desktop access software to reach their POS systems. In doing so, they violated Subway's security and POS configuration policy, which mandates point-to-point encryption (P2PE). They were also out of compliance with the PCI Data Security Standard (PCI DSS), which requires two-factor authentication for remote access to systems handling card data. Subway's stance is, we have a policy to prevent this kind of thing, you didn't follow the policy, and look what happened.
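The exposure described above, a remote-access service listening on a POS host where anyone on the network (or the Internet) can reach it, is something a POS vendor or franchisor could check for on the franchisee's behalf. The following is an added example, not code from the original post, Subway, or any POS vendor: it parses listening-socket output in the format of `ss -ltnp` and flags remote-access services bound to anything other than a loopback address. The sample output, the process names, and the port-to-service table are constructed assumptions for illustration; the table is a starting point, not an inventory of every remote-access product.

```python
"""Flag remote-access services on a host that are reachable from off-host.

Added example (not the original post's code). Input is text in the shape of
`ss -ltnp` output; the sample below is constructed, not captured from a real host.
"""
import ipaddress
import re

# Assumed, illustrative mapping of well-known remote-access ports to product names.
REMOTE_ACCESS_PORTS = {
    3389: "RDP",
    5900: "VNC",
    5800: "VNC (HTTP)",
    5631: "pcAnywhere",
    5632: "pcAnywhere (status)",
    22: "SSH",
    23: "Telnet",
}

# Constructed sample in the format of `ss -ltnp`; process names are made up.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    0.0.0.0:3389         0.0.0.0:*         users:(("xrdp",pid=412,fd=11))
LISTEN 0      128    127.0.0.1:5900       0.0.0.0:*         users:(("Xvnc",pid=500,fd=5))
LISTEN 0      128    [::]:22              [::]:*            users:(("sshd",pid=300,fd=3))
LISTEN 0      5      *:5631               *:*               users:(("awhost32",pid=777,fd=4))
LISTEN 0      128    192.168.1.20:8443    0.0.0.0:*         users:(("pos-backend",pid=901,fd=9))
"""

# Extracts the first process name from the `users:(("name",pid=...))` column.
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port), handling '[::]:22' and '*:5631'."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def reachable_off_host(addr):
    """True if a socket bound to this address accepts connections from other hosts."""
    if addr in ("*", "0.0.0.0", "::"):
        return True  # wildcard bind: every interface
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unrecognised form: fail closed and report it


def parse_listeners(text):
    """Return (addr, port, process) for every LISTEN line in ss-style output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, port = split_endpoint(fields[3])
        if not port.isdigit():
            continue
        match = _PROC_RE.search(line)
        listeners.append((addr, int(port), match.group(1) if match else "?"))
    return listeners


def audit_remote_access(text):
    """Return (service, addr, port, process) for remote-access listeners reachable off-host."""
    findings = []
    for addr, port, proc in parse_listeners(text):
        if port in REMOTE_ACCESS_PORTS and reachable_off_host(addr):
            findings.append((REMOTE_ACCESS_PORTS[port], addr, port, proc))
    return findings


if __name__ == "__main__":
    for service, addr, port, proc in audit_remote_access(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {service:<12} {addr}:{port} ({proc})")
```

On the constructed sample the VNC server bound to 127.0.0.1 is not reported (only reachable through a local tunnel), while RDP on 0.0.0.0, SSH on [::] and pcAnywhere on * are. The check says nothing about whether those services enforce two-factor authentication, which is the PCI DSS requirement; it only tells the person running it that a remote-access path exists and needs attention, which is the kind of plain answer a franchisee can act on.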

But let me present a different perspective. At one of my former employers, we worked with hundreds of small business owners, some of whom were Subway franchisees. They are concerned about supplies and inventory, pricing and advertising, margins and labor, finding new customers and more. Is payment card processing one of those concerns? Sure, but only in the sense that they want it up and running as quickly as possible, for as small a transaction fee as possible. I'd be willing to bet that few if any have even a basic understanding of point-to-point encryption or two-factor authentication.

[Graphic: Franchisees must use point-to-point encryption]

My point is, they shouldn’t have to. Even in the simplified graphic above, it’s not clear how data is encrypted, only that it should be. I’ve heard the franchisee’s lament dozens of times. “I don’t care what [insert security term here] is, just tell me what to do so I don’t get into trouble.”

Yes, they should follow the guidelines put out by Subway. The same is true for those put out by the POS vendor. But what if those guidelines require an understanding of security technology that goes well beyond the average small business owner? It’s unreasonable to expect franchisees to know about point-to-point encryption or two-factor authentication.

We need to find some middle ground. Perhaps franchisors and POS vendors could share in the responsibility by providing better training on how to meet security policies, both during setup and on an ongoing basis. That protects the profitability of the franchisees, which benefits everyone in the long run.
