It’s no secret that data breaches are on the rise. 2016 was a record year, with the Identity Theft Resource Center (ITRC) recording 1,093 breaches that involved more than 36 million consumer records.

Franchises are one of the most lucrative hacking targets. Dairy Queen, UPS, Goodwill, Wendy’s and Supervalu all have one thing in common – they are franchised companies that have been breached. The pattern in all of these cases was similar – hackers infiltrated the franchisee’s point of sale (POS) system via malicious software (malware) and found clear-text credit card data, which they then resold on the black market.

In 2016, Bluefin Payment Systems and Two Men and a Truck (TMT) partnered to provide TMT franchises mobile and office payment processing with Bluefin’s PCI-validated Point-to-Point Encryption (P2PE) solution, which is designed to secure credit card data through encryption in a PCI-approved P2PE payment terminal. Encrypting data within the device prevents clear-text cardholder data from reaching the franchise’s system or network where it could be exposed in the event of a data breach.

TMT – Payment Security Advocates from the Top Down

TMT was seeking a solution that would protect their customers’ credit card information. “We wanted to implement effective measures that were easy for the franchise to use but also easy for us to deploy – and that had high benefits for our customers,” said Jake Gaitan, Director of Information Technology for TMT.

TMT needed a payment security solution, but they also wanted the flexibility of mobile processing. Drivers would call in credit card transactions to the main office, where a member of the staff would manually enter the information to run the transaction. Because the card was not present, the locations were being charged higher transaction fees. TMT estimates that reduced fees have already saved corporate $18,000 – $20,000.

With a background in financial institution security, Jake understood the value of a PCI-validated P2PE solution. While TMT considered several P2PE providers, what sold them on Bluefin was the solution’s flexibility, simple deployment and customer support for their franchises.

Bluefin enabled TMT to deploy the PCI-validated P2PE and EMV-certified Nomad 2.0 Bluetooth mobile device with an Android or iOS tablet, which allowed their drivers to securely and conveniently collect payment at the time of service. TMT also deployed the ID Tech SREDKey keypad and swipe terminal to accept secure payments over the phone or in the office.

The solution was introduced in fall 2016 and the company already has 45 franchises signed with over 300 mobile devices deployed.

The Franchise Point of View

Among the first TMT franchises to adopt the Bluefin P2PE solution were the Grand Rapids, Evansville and Bloomington locations, run by Rob Felcher, President of TMT Evansville, and Dan Pettit, Franchisee. Rob and Dan’s drivers would call in credit card information during business hours to process over the phone, or jot down the credit card number on the sales order and then input the information once they got into the office – which required them to shred each sales order and the sensitive card information.

“We realized that how we were taking cards could be opening us up to all the risks of having a breach, even internally,” said Rob.

In addition to a simple setup, the Grand Rapids and Evansville TMT locations have already completed the SAQ P2PE-HW questionnaire, which took “15 minutes total,” said Rob Felcher, President. Franchises that implement Bluefin’s PCI-validated P2PE solution throughout their POS environment are eligible for the 33-question SAQ P2PE-HW – a significant reduction from the 329-question SAQ D.

The franchisees learned of the Bluefin P2PE solution at TMT’s fall annual meeting.

“What attracted us to the solution was not only the flexibility of deploying a secure mobile device with our drivers but also the significant reduction in PCI scope that our locations would see,” said Rob.

The solution was implemented approximately 5 months ago across Rob and Dan’s three franchises, with 26 Nomads and 7 SREDKeys. Like the TMT corporate location, the franchises have already saved a significant amount in processing fees and expect to save further from the decreased PCI requirements.

“One of the exciting things about TMT is the support from the family and the C level on technology initiatives,” said Jake. “We were pretty much able to do what we needed to do to get a PCI-validated P2PE solution in the hands of our franchisees that would not only provide greater security but bring a tremendous cost benefit to our locations.”