Fireworks on the 4th, Grandma’s apple pie, and a soft-serve cone from Dairy Queen – it doesn’t get more American than that. Brian Krebs reported yesterday that we may be facing yet ANOTHER data breach, this time at DQ, and if that’s the case, it goes beyond highlighting the security problems of our payment systems to the way our systems are managed, especially at the franchise/franchisee level. Yes, we need P2PE, EMV and tokenization, but let’s also think hard about leaving security decisions to each individual location across an organization when it comes to something as important – and lately, AS VULNERABLE – as consumer payments.
Brian Krebs posted yesterday on his blog,
- “Sources in the financial industry say they’re seeing signs that Dairy Queen may be the latest retail chain to be victimized by cybercrooks bent on stealing credit and debit card data. Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.”
Julie Conroy, research director at Aite Group, also commented in the article, saying that nationwide companies like Dairy Queen should absolutely have breach notification policies in place for franchisees:
- ‘“Without question this is a brand protection issue,” Conroy said. “This goes back to the eternal challenge with all small merchants. Even with companies like Dairy Queen, where the mother ship is huge, each of the individual establishments are essentially mom-and-pop stores, and a lot of these stores still don’t think they’re a target for this type of fraud. By extension, the mother ship is focused on herding a bunch of cats in the form of thousands of franchisees, and they’re not thinking that all of these stores are targets for cybercriminals and that they should have some sort of company-wide policy about it. In fact, franchised brands that have that sort of policy in place are far more the exception than the rule.”’
We’re starting to wonder if it’s going to come down to consumer action in order to get companies to strengthen their security – whether they boycott the stores or shift over to cash. It’s certainly not out of the realm of possibility as this keeps happening, especially with franchises. Kevin Keane’s blog on the 23rd highlights the reality of how much of our everyday shopping and business is done with a franchise:
“A large part of everyday commerce flows through franchised locations.
- Where did you buy Pizza or Tacos or Sub sandwiches for lunch yesterday?
- What hotel chain did you stay in for the last holiday?
- Where do most guys (and kids) get their haircuts?
- What oil change business do you frequent?
- Where did you buy the balloons for Little Susie’s birthday bash?
- What tax preparation service do you use?
- Where do you work out, or at least go to admire those who do break a sweat?
- What drug store fills your family prescriptions?
- Where do you get your dry-cleaning done?
In each example and in so many more parts of life, it likely happens in a franchised location.”
This possible DQ breach will bring up a whole new debate about national companies operating as collections of individual entities – each making its own decisions about security and payments. Bluefin serves several franchises, so we understand their structure. Our advice is always to mandate payment security technologies like point-to-point encryption (P2PE) throughout the organization, meaning in each franchise location. If payment security is not mandated from the top down in U.S. companies – well, then it’s going to be you and me and every consumer suffering.