This month Wendy’s revealed that the security breach it disclosed earlier this year was much larger than it initially reported. As most people know by now, Wendy’s originally announced that customer credit card data was stolen from approximately 300 Wendy’s locations. Wendy’s blamed a third-party point-of-sale (POS) provider used by some of its franchisees for the breach. It reported that hackers stole the credentials of personnel employed by a third-party vendor and used the credentials to gain access to certain franchisees’ POS systems. The hackers then installed malware that read the magnetic strip on credit and debit cards and sold the information to criminals. A class action lawsuit was filed by customers affected by the data breach against Wendy’s in February.
According to reports, hacking third-party providers is a very common way for criminals to gain access to a system. The question for a franchisor then becomes, “what can we do to prevent data breaches at the third-party provider level Unfortunately, when franchisees are left to choose their own POS vendor, they often do not have the resources to properly vet a provider. A franchisee may compare providers based on price and not have security as a top priority.
Many franchise systems are responding to this issue by moving to a single point of sale system. Wendy’s is migrating to a single system and the data breach did not affect locations in that system. Subway does not allow franchisees to shop for POS systems. Popeyes and Pizza Hut are also moving towards a single system. Pizza Hut’s CEO stated in April that they were moving from 9 POS systems down to one. Advocates for a single POS system structure argue that it is actually easier to protect one entry point for a good well-designed POS system vs. using many different POS systems. There are certainly other security improvements that will help in preventing data breaches, such as installing card readers that can handle transactions from more secure chip-based cards, which are far more expensive for thieves to clone. However, this may be the time for franchise systems to start considering the benefits of a single point of sale system if they have not done so already.