Today's news for the franchise & small biz owner

May 18, 2013

Let Franchisee Groups Decide IT Solutions

Todd Michaud, a 16-year IT expert who has worked with franchisors Dunkin’ and Focus Brands, writes about the conundrum that franchisors are in when it comes to implementing PCI (payment card industry) data security solutions. Think of what happens when customer financial information is lost or hacked.

Every franchisor organization I know is struggling with PCI compliance. There seems to be a universal debate over how involved a franchisor should be, and what legal liability an organization assumes as a result of that involvement. If the franchisor pushes off PCI responsibility (“Hey Mrs. Franchisee, PCI is your problem, not ours.”), then it runs the risk of brand reputation/image issues as the result of a breach at a franchised location due to little or no information security. On the other hand, while getting more involved with PCI compliance may reduce the brand reputation/image risk, it increases the legal liability (“I implemented the system that you told me to. If I’m in trouble, then you are too.”).  - from Evan Schuman’s StorefrontBacktalk

I think a little change would do a world of good.

Structural Mismatch: The problem is that the system's governance doesn't quite fit the situation: there is a mismatch of liability for the franchisor, and anarchy if PCI is left to individual franchisees. Franchisors tend to use traditional corporate top-down structures to manage a pool of independent business entrepreneurs, so this can be a tough impasse.

Independent Franchisee Associations Can Help: Franchisors should give PCI decisions to an elected franchisee collective, an independent franchisee council. The franchisor's IT experts would report, advise and serve the group.

Having a franchisee-led IT council is good for both franchisor and franchise owner-operators. Here are a few reasons why.

  1. It roots PCI solutions in real front-line operational needs. (Some franchisors, particularly those without company-owned stores, can get walled into an ivory tower, implementing bad PCI solutions for store franchises.)
  2. It minimizes the franchisor's liabilities.
  3. It ensures the brand has a consistent standard.
  4. It provides better buy-in from the franchisee community.
  5. It can reduce a franchisor's overhead.
  6. It challenges franchisee representatives to think system-wide like a franchisor does. That translates to better satisfaction for franchisees. That raises the business skill level of the talent pool of franchisees, and the brand.

Win-Win: PCI decisions are an opportunity for independent franchisee associations to take the bull by the horns and engage the franchisor. After all, franchise systems have a history of parceling out responsibility to independent franchisee organizations, where the council's orders are binding for both franchisor and franchisees. For example, Dunkin’ Donuts franchisees cooperatively control the system’s distribution and supply chain, not the franchisor. An independent council of KFC franchisees creates, manages and decides on national advertising, not the franchisor.

Visa, American Express and others can work directly with the franchisee board. The franchisor would have a minority voice at the decision table, but would be able to help establish guidelines for what the network needs.

A word of caution: If board members are chosen by the franchisor, then these are essentially agents for the franchisor. That increases the franchisor’s liability. Even more so if the council is set up to just advise the franchisor.
