Bill wrote in and asked the PCI DSS Guru this question:

We are a franchiser. The typical franchisee is a small store with 2 registers and a back office computer. They are having a difficult time with PCI compliance, mostly due to the store owner’s lack of knowledge of PCI, an unwillingness to budget sufficient funds to attain and maintain PCI compliance, and a lackadaisical attitude. 

Since these stores will never be PCI compliant, we have suggested that they take an approach that will protect themselves as much as possible. Our advice is to stop using the POS software to process credit cards, and switch to the terminals supplied by their processors. This would take their POS system out of scope entirely, and severely reduce the possibility of a keylogger type of attack. At that point, we believe their only PCI compliance issues would be protecting the terminals and how they handle credit cards that are phoned in and written down. We are getting a lot of push back from the stores that this would be a step backwards. 

Are we on the right track? Is there a better approach to handling people who simply can’t or won’t do what’s necessary to attain and maintain compliance?

Bill, I think that you’re definitely on the right track here.  I have a few specific pieces of advice that may help guide your PCI compliance efforts.

First, I would carefully consider how you have your merchant accounts structured.  Does each franchisee have a direct relationship with the bank?  This would be ideal, as the liability then rests with the franchisee to be PCI compliant.  If the franchisees are reluctant to comply and you don’t have the authority to make them comply, then you certainly don’t want to accept responsibility for their compliance!

Second, have you considered a validated point-to-point encryption (P2PE) solution? If the credit card numbers are encrypted at the time of swipe and the merchant never has electronic access to them, the franchisees may be eligible to complete the abbreviated P2PE SAQ.  Quoting from that document:

“SAQ P2PE-HW merchants may be either brick-and-mortar (card present) or mail/telephone-order (card not present) merchants.  For example, a mail/telephone-order merchant could be eligible for SAQ P2PE if they receive cardholder data on paper or over a telephone, and key it directly and only into a validated P2PE hardware device.”

Whatever approach you take, you should work to provide merchants with a solid path toward compliance.  In my mind, you’re responsible for guiding them to water, but you can’t make them drink.  Once you’ve outlined the path to compliance, it’s on them to step up and meet their contractual obligation.