Franchising in the Electronic Age:
The Legal and Business Impact of Emerging Technologies
Ontario Region Legal Day, Canadian Franchise Association | March 2, 2011
Darrell Jarvis
Counsel
416 868 3530
Arun S. Krishnamurti
Articling Student
416 865 4353
Introduction
This month, a Canadian franchisor, Swiss Chalet, launched its own television station, “the Rotisserie Channel”.
Rather than issuing a traditional press release, Swiss Chalet appears to have relied largely on social media to
disseminate information about the launch. Interestingly, the promotion then drew considerable attention from
mainstream media, including the Globe and Mail and CNN. Viewers of the Rotisserie Channel are encouraged to visit
Facebook and, armed with a code obtained from the television channel, download a customized coupon. There is no
question that franchise systems are operating in an electronic age that is constantly changing, with opportunities for
tremendous creativity and innovation. This also creates corresponding challenges for franchisors.
Social Media and Franchising
There is no denying that “social media” has been one of the biggest topics in business over the past few years. The
power of social media has been analyzed with regard to everything from its impact on online privacy to its power over
politics. A recent presentation to the American Bar Association notes that although the benefit of social media is
growing, the “potential challenges are also clear: Because the companies are not the only ones doing the talking,
they have less control over what is said about their products and services, increasing both the business risks and the
legal risks.”1
Liability for Claims
As noted above, although the business itself is not “doing the talking”, there is concern over the liability of the
business with regard to claims made on its behalf. For example, just as a company is liable for claims made
by traditional spokespeople, if a business solicits a celebrity to advertise for it via a non-traditional medium such as
Twitter or Facebook, the business must be careful to ensure that no misrepresentation occurs. Additionally, if a
company solicits a blogger to write a post about a product, the company must be extremely careful to ensure that the
blogger does not convey false or misleading statements or misrepresentations of a product’s qualities.2 In the United
States, the Federal Trade Commission (“FTC”) regulates these forms of advertising and states that both the blogger
and spokesperson must clearly and conspicuously disclose their affiliation with the business, including whether or not
they have received any remuneration or a free sample.3
There is an increasing number of social media websites that are designed to be a platform for user-generated ratings.
These sites allow users to rate businesses or other products, provide customer reviews and other content. Such
sites can have a substantial impact on the business outcome for franchisees and franchisors alike. One such
example is BedBugRegistry.com.4 This website is a platform that allows users to post sightings of bedbugs at
apartments and hotels. A negative rating on this site can correspondingly negatively impact a hotel franchise owner.
Further, a bedbug sighting report for one hotel may result in negative brand echoes across the franchise brand’s
chain. As sites such as these proliferate, some businesses that have been negatively rated have attempted to take
legal action against ratings sites in an attempt to shut them down.5 Other businesses have, in the past, attempted to
manipulate user reviews of products or businesses by engaging in a process known as “astroturfing”. Astroturfing is a
process wherein a company will encourage its employees or outside contractors to post positive comments and
reviews online to promote a business.6 This has resulted in at least one lawsuit filed in the United States (by the New
York State Attorney General’s office).7
Thus, a business that ventures into social media may expose itself to liability if it does not clearly communicate any
ties between the communicator and the business, if the information being disseminated is false or misleading, or if
the company attempts to manipulate user reviews by falsely posting positive messages about itself. A franchisor
must be cognizant of these issues before deciding whether or not to engage with its customer base through social
media.
1 Anderson, Corby and Carol Anne Been, “Protecting the Franchise Brand in the Age of Social Media”, p.3 American Bar
Association 33rd Annual Forum on Franchising. October 13 - 15, 2010
2 Ibid at 6.
3 Ibid.
4 Bed Bug Registry - Check Apartments and Hotels Across North America. Web. 16 Feb. 2011. <http://bedbugregistry.com/>.
5 Metz, Rachel. "Businesses Sue Yelp over Manipulated Reviews." MSNBC.com. 19 Mar. 2010. Web. 16 Feb. 2011.
<http://www.msnbc.msn.com/id/35950761/ns/technology_and_science-wireless/>.
6 Sherman, Michelle. "'Astroturfing' With Fake Reviews Exposes A Company to Legal Risk : Social Media Law Update." Social
Media Law Update : Intellectual Property, Advertising and Video Game Law: Sheppard Mullin Lawyers & Attorneys. 10 Sept. 2010.
Web. 16 Feb. 2011. <http://www.socialmedialawupdate.com/2010/09/articles/advertising/astroturfing-with-fake-reviews-exposes-acompany-to-legal-risk/>.
Controlling Your Brand Identity
In consideration of the foregoing, it is imperative that a business protect its online brand identity. Even with restrictions
on the methods of online advertising, the internet and social media have proven to be a valuable resource in the
modern business environment. There are numerous stories of brands and franchises successfully promoting their
business via online marketing and social media. In most cases, any large promotional campaigns designed to
harness social media must be launched at the corporate level and not on an individual franchisee basis. Franchisors
ought to be careful not to allow individual franchisees to launch such campaigns without prior approval or the
company may run the risk of diluting brand identity or even attracting liability. The campaign itself may attract liability,
if the campaign encourages users to submit content that makes false or defamatory statements against a competitor.
If a company solicits content from users, it must be careful to screen the contents to ensure that such submissions
comply with other applicable laws and do not include prohibited content including violence, pornography, or hate
speech.
On social media sites, companies must also be aware of the need to secure their brand identity. “Cybersquatting”
has often been an issue for companies as a rival or other individual registers domain names that may prove to be
confusing to consumers. In some cases a squatter may register a brand name on another top-level domain. For
example, while the business operates at “businessname.com”, a squatter may have previously registered
“businessname.ca” or “businessname.org”, which may confuse customers and lure them to an unaffiliated site. In
British Columbia, case law has developed that indicates that this type of squatting may be challenged under the tort
of “passing off”. In the Law Society of British Columbia v. Canada Domain Name Exchange Corp., the BC Law
Society succeeded in an action brought against a company that had registered domain names extremely similar to
those registered by the Law Society. These squatted domain names redirected visitors to sites containing materials
such as pornography, which the court found would trade on the Law Society’s goodwill and would likely generate
confusion amongst visitors.8
Another common practice is for a squatter to register a domain name that is a common typo of a brand. This
practice, known as “typosquatting”, is an attempt to use a brand identity to lure customers away to another site.
While in some cases the unaffiliated site may be harmless, in others the site attempts to infect the user’s
computer system or to phish for information from a prospective customer. Businesses must be careful to
monitor for such attempts, as this could have a negative impact on the brand identity of the company. While there is
no direct legal obligation on a company to police for squatted domains, it is a wise business decision because of the
impact it is likely to have on the brand itself. Fortunately for businesses, there is an established process in place in
order to contest a squatted domain. A company should register its complaint with the Internet Corporation For
Assigned Names and Numbers (“ICANN”), and pursue a complaint through the Uniform Domain-Name Dispute-Resolution Policy (often referred to as the "UDRP"), which has the power to reassign control of domain names.
Franchisors and franchisees alike should note that, according to Anderson and Been, these dispute procedures are
not applicable to name-squatting in social media. If, for example, a rival company or an individual user has registered
your brand name on a social media site, the business is forced to rely on the site’s terms of service and any dispute
resolution mechanism in place.9 While some social media sites, such as Twitter and Facebook, have established
procedures, other sites may not. It is necessary for a business to be aware of the terms and conditions of individual
social media sites before contesting a social media squatting situation. The alternative is for the business to initiate
trademark infringement litigation against the registrant. Defending trademarks is a necessary part of business, but the
costs of such litigation are high. Businesses should be aware of the financial impact such litigation may have before
proceeding.
7 Supra note 1 at 8.
8 Law Society of British Columbia v. Canada Domain Name Exchange Corp., (2002), 22 C.P.R. (4th) 88 (B.C.S.C.)
9 Supra note 1 at 42.
A less common but still growing method of indirect brand hijacking is through the use of sponsored search results
such as Google Adwords. In these cases, when a user searches for a brand or specific term (e.g. if a user searches
for McDonalds) then the sponsored ad on the side of the search results is for a rival or unaffiliated company. At the
time of writing, a Google search for the term “McDonalds” returns the following ad:
Figure 1
This third-party job site has purchased an ad-space on a major search engine, so that customers will see the ad
when searching for an established consumer brand. In essence, this company is trading on McDonald’s brand
identity. This example may seem harmless, but this type of indirect brand hijacking is commonplace on the web.
Users who end up clicking on a sponsored link such as this could be redirected to a site that may present unflattering
information about a brand or may be taken to an unrelated site altogether. It should be noted that there is case law in
the United States which found that purchasing keywords relating to other brands may not be infringement if the
purchase accurately describes the product. In the case of Tiffany, the Tiffany jewellery company sued eBay for
purchasing search terms that returned an ad for eBay each time a user searched for Tiffany. The court found that
eBay had not infringed on the Tiffany trademark because the advertisement accurately described that Tiffany
products were available for sale on eBay.10 While this is not likely a concern for most franchise systems, one must be
cognizant of the fact that some indirect brand hijacking may be permissible and therefore even trademark litigation
may not succeed at preventing the practice.
Virtual Worlds
Use of a franchisor’s trademarks in a virtual environment is also an established problem for businesses. While not as
prevalent as once predicted, virtual worlds such as Second Life still maintain an established online presence. In this
virtual world, users are able to create digital characters that are able to interact with other users in a digital space.
Within this environment, users are able to access digital creations or recreations of physical and geographical
locations and buildings. To capitalize on this, some major brands have established a legitimate online presence in
Second Life,11 but as of the time of writing many others had not. In a 2007 article, the Reuters dedicated Second Life
Bureau (as it then was) noted that:
Benjamin Duranske, founder of the Second Life Bar Association and a real life lawyer, estimated
there was trademark infringement in at least 1 percent of Second Life transactions — about 1.4
million per year. He noted on his blog, Virtually Blind, that a classifieds search for “Gucci” generates
106 hits, while “Vuitton” gets 39 and “Nike” gets the most at 186 hits. None of these companies have
endorsed the virtual products.12
As it stands currently, there is no guaranteed method to prevent individuals from infringing on trademarks in this
virtual environment. Beyond counterfeit consumer products, there may be more extensive and elaborate virtual brand
infringement that occurs. A brand-squatter may purchase a plot of land in the virtual world in order to erect a building.
That building could be in the décor and style of a known franchise system. It may even display the logo or other
trademarks. However, the purchaser may not have a license to use those trademarks and may in fact intend that the
online franchise deliver a less than satisfactory user experience. To combat this threat the trademark owner may file
a complaint with the site owner and rely on the terms of service or attempt to resort to litigation.
10 The case law in question is Tiffany (NJ), Inc. v. eBay, Inc., 600 F.3d 93, 102 (2nd Cir. 2010).
11 Supra note 1 at 40.
12 Reuters, Rubina. "Protecting Real Brand Names in a Virtual World." Reuters/Second Life. 29 May 2007. Web. 16 Feb. 2011.
<http://secondlife.reuters.com/stories/2007/05/29/protecting-real-brand-names-in-a-virtual-world/>.
Group Buying Sites and Online Coupons
The days of the printed coupon are numbered. While many remember an age where people would physically clip
coupons to save money on purchases, or where customers would wait for a particular franchise chain to run a
promotion, these processes are becoming antiquated. A number of online-coupon sites or deal-based sites have
prospered over the last few years13 and although the business impact is still being measured it is clear that consumer
attitude has already shifted.
The largest and most successful of these group buying sites is Groupon.com. This site, which has a presence across
North America, permits retailers to apply to participate in their program. A business applies to participate and, if
selected, agrees to a set of terms with Groupon. The vendor or business agrees to offer a particular product or
service at a large discount (typically between 50-90% off regular price), and sets a minimum number of purchases
that must occur before the deal becomes “active”. What this means is that a set number of users must visit the
Groupon website and purchase vouchers to redeem the offer. If not enough purchases occur, the deal is not active
and money is refunded to the purchasers. If the number of purchases exceeds the minimum, then the deal becomes
active for all of the purchasers who have opted to purchase. According to Groupon, “Unlike most other promotional
vehicles, you pay nothing up front to appear on Groupon. We are only successful if you are successful. Groupon
collects all the money from participants up-front and within a few days we’ll send you a check based on campaign
participation. And the sale only happens if enough people join to make it worthwhile.”14
This is very attractive to business owners as a method of reaching a broad customer base. Groupon itself provides an
analysis of their customer demographic. According to Groupon, users tend to be young, educated, female, and
single.15 This permits a franchise to target a specific demographic with relative ease, though it is not without other risks.
On a business level, the deal can prove risky to small businesses and individual franchisees. Rice University in the
United States recently conducted a study of businesses that have participated in Groupon promotions in an attempt
to gauge the effectiveness and profitability of such an endeavour.16 According to this study, “Restaurants appear
particularly susceptible to these negative outcomes: 42% of the restaurants in our study (20 of 48) reported
unprofitable Groupon promotions. One restaurant owner observed that “Most of the Grouponers were what we call
‘deal-seekers’; they felt entitled to special treatment, didn’t spend more than what the Groupon itself cost, they didn’t
tip, and most won’t be repeat customers.”17 Thus, as a franchisor in the restaurant business, it is particularly
concerning to participate in promotions of this sort. Despite their growing popularity, group-buying coupon sites are
relatively young. Most have only been open for less than three years, and as such the long-term impact of this as a
marketing initiative is unclear.
An additional concern is the level of compensation that Groupon will take as payment for participating in the offer.
While Groupon does not accept money up-front for a listing, a portion of the sales conducted through its website
is received as payment for providing the service to the business. While the specific terms are unclear, a small
business that had recently participated in a Groupon offer has claimed that “when the consumer pays less than $10,
Groupon usually takes 100% of the money.”18 While no opinion is given as to the accuracy of the statement, we
understand that businesses who offer coupons through location-based social networking will have to provide financial
remuneration to the social network in order to participate. This appears to represent a particularly expensive form of
advertising which might be more attractive to smaller franchise systems that don’t already advertise in other forms of
media.
13 E.g. Redflagdeals.com and Slickdeals.net. These sites focus on aggregating user-submitted content regarding deals and
promotional offers from various retailers.
14 "Groupon Works." Groupon.com. Web. 16 Feb. 2011. <http://www.groupon.com/groupon-works>.
15 "Have You Met Our Subscribers Yet?" GrouponWorks. Web. 16 Feb. 2011. <http://www.grouponworks.com/whygroupon/demographics>.
16 Dholakia, Utpal M., How Effective are Groupon Promotions for Businesses? (September 28, 2010). Available at SSRN:
http://ssrn.com/abstract=1696327
17 Ibid. at 5.
Furthermore, the primary legal concerns over participating in such a transaction are the binding terms of service
between Groupon and the merchant, as well as applicable local legislation. The terms of the Groupon voucher ensure
that the customer has a long period of time in which to redeem the purchased voucher, which makes forward-looking
business planning difficult. In some cases, this redeeming period may be up to a year. Intellectual property issues
could arise with regard to Groupon using company trademarks in promoting the offer. To ameliorate this concern the
terms of service between Groupon and the end customer make special note that “Everything located on or in this
Site, including the Microsites, is the exclusive property of Groupon, Inc. or used with express permission of the
copyright and/or trademark owner.”19 Thus, a business owner must be careful to ensure that the proper license
agreement is arranged with Groupon, or that an appropriate level of editorial control is exercised over the use of the
trademarks.
Location-Based Rewards
Location-based social networking is one of the largest up-and-coming technological trends and one that has already
had an immediate effect on franchise business transactions. The largest and most successful location-based social
network is Foursquare, a cross-platform application that works on most smartphone operating systems.
Foursquare allows a user to “check-in” at various establishments and locations and share this information with their
network. While at first this was considered a novelty, Starbucks proved to be an early adopter of this technology for
use in promoting its business. In 2010, Starbucks teamed up with Foursquare to provide coupons to those individuals
who check-in the most times at a particular store. In Foursquare nomenclature, this is known as becoming the
“mayor” of a location.20 Becoming the mayor of a Starbucks store unlocks a $1 discount on a coffee drink at that
location, redeemable by presenting your smartphone to your server with the mayor “badge” displayed onscreen.
Facebook has recently adopted this same approach by launching its Facebook Deals platform.21 Facebook had
previously launched Facebook Places, a location-based application to share your geographic location with your
friends on the Facebook website. Facebook Deals uses this same technology to offer location-based coupons to its
users. Users access the Facebook mobile site on their smartphone and check-in to register their location. Upon doing
so, they are presented with a list of nearby retailers and the coupons or offers they are currently running. The
Facebook Blog describes the offers by stating the “deals come from merchants, not Facebook, so check with your
local stores for additional details, such as when they're running, how many of the offers are available, and whether a
deal is just for you or also for your friends. You'll see a few different types of Deals: individual deals for a discount,
free merchandise or other reward; friend deals where you and your friends claim an offer together; loyalty deals for
being a frequent visitor to a place; and charity deals where businesses pledge to donate to a cause when you check
in.”22
The recent introduction of this Facebook platform means that its market penetration is unproven. It should merely
serve as evidence that location-based rewards appear to be a growing segment of the coupon-market and one that is
likely to have some effect on the business of a franchise system.
18 "Groupon in Retrospect." Posie's Cafe. 11 Sept. 2010. Web. 16 Feb. 2011. <http://posiescafe.com/wp/?p=316>.
19 "Terms." Groupon.com. Web. 16 Feb. 2011. <http://www.groupon.com/terms#tos>.
20 Van Grove, Jennifer. "Mayors of Starbucks Now Get Discounts Nationwide with Foursquare." Mashable. 17 May 2010. Web. 16
Feb. 2011. <http://mashable.com/2010/05/17/starbucks-foursquare-mayor-specials/#>.
21 Fougner, Jon. "Introducing Deals." Facebook. 31 Jan. 2011. Web. 16 Feb. 2011.
<http://www.facebook.com/blog.php?post=446183422130>.
22 Ibid.
Concerns for the Franchisor
Of particular concern to the franchisor is controlling the use of the brand name in the market place. While most
franchise agreements provide that the franchisor will not prevent the franchisee from selling products at prices that
are lower than the suggested price, most franchise agreements will provide that the franchisee cannot engage in any
advertising or promotion without the prior review and consent of the franchisor. Interestingly, there are recent
examples of quick service franchisees of a major Canadian brand offering heavily discounted deals through Groupon
in January, 2011.23 The offer is only available at these two set locations.
On the other hand, in some instances the promotions may be generated by franchisors wishing to take advantage of
these developing social media trends. Most franchise agreements require franchisees to participate in all promotions
adopted by the franchisor for the franchise system; however, franchisees frequently have different levels of
acceptance of new technology and therefore system-wide franchisee buy-in may be difficult to achieve.
Offering coupons or deals through any of the aforementioned services does not exempt a business from complying
with applicable local legislation. For example, the Groupon terms of service state that “While the expiration date on
the Voucher dictates the last date that you can use your Voucher at Merchant for the promotional offer stated on the
Groupon, applicable law may provide that the Merchant is responsible for honoring the cash value that you paid for
your Voucher for a period of time beyond the expiration date stated on the Voucher.”24 It is important that a
prospective participant consult the applicable local legislation in order to determine any ongoing obligations that may
result from said offers.
Mobile E-commerce
While many franchisors are well-versed in the concept of e-commerce and related legal considerations, there is now
a push to develop mobile retail technology solutions. This corresponds with the increased penetration of smartphones
into the North American market. Whether or not this mobile retail technology takes the form of on-phone browsing, or
occurs through the use of an application (dedicated or third-party), this presents a new and growing channel on which
to focus. As evidence of this trend, a survey conducted by the Aberdeen Group found that 30% of respondents are
planning on adopting a mobile initiative this year.25
If a franchisor is interested in online ordering or other online offerings (such as franchise locator functions) they must
determine whether to offer this service via their own website or through an application. By ensuring their online
ordering system is compatible with the mobile browsers of major smartphone operating systems, a franchisor is able
to take advantage of a small but growing segment of the market. With this approach, the franchisor
need only ensure that whatever service is offered complies with its own internal terms of service and use.
However, if a franchisor (or a franchisee, if permitted) chooses to offer an application or permit the use of their service
via a third party application, the franchisor/franchisee must then ensure that the application complies with the terms of
service and/or use of the applicable application store. For example, if a business offers an application through the
iTunes App Store, then the application must comply with all the terms and conditions set between iTunes and the
developer.
Stand-alone applications for use on smartphones or other mobile technology can either be dedicated applications
released by the business itself (either developed internally or via contract) or may be a third-party application. For
example, a search on the iTunes App Store for “Pizza Hut” returns the results in Figure 2.
23 "Harvey's Deal of the Day | Groupon St Catharines-Niagara." The Daily Groupon. Web. 16 Feb. 2011.
<http://www.groupon.com/stcatharines-niagara/deals/harvey-s-niagara-falls>.
24 Supra note 19.
25 Anand, Sahir. "Mobile-Social, Integrated Retail and More: The Top Ten Technologies at NRF 2011." Aberdeen Group. 24 Jan.
2010. Web. 16 Feb. 2011. <http://www.aberdeen.com/Aberdeen-Library/7037/AI-mobile-social-retail.aspx>.
Figure 2
The results returned by this search are mostly third-party applications that purport to either help a customer locate a
nearby location, or to help the customer actually order the product. This is a clear example of a need to protect the
franchise system’s intellectual property in order to maintain and protect the brand experience. It is unclear if the brand
owner in question has signed full and complete license agreements with each of the application developers above to
permit the use of trademarks such as the name “Pizza Hut”, but such license is unlikely given the breadth of
applications.
From a business perspective, if a third-party app openly uses the name of the franchise system but does not function
properly or delivers a poor customer experience, it could lead to negative brand association. Therefore, a brand
owner should be careful to ensure that none of the applications above mislead the customer in any manner, even
something as simple as inaccurately guiding the customer to a business location. While this is not the fault of the franchisor in
particular, it is a situation where the end result matters more than who exactly was at fault.
Websites and Intellectual Property
Internet Sites
In an age where websites are ubiquitous, one of the biggest considerations a franchisor has to make is whether or
not to permit a franchise to operate its own website or to rely on the main corporate page. This decision has
tremendous implications in terms of maintaining the desired brand image, potential customer confusion (caused by
multiple sites under the same banner) and trade mark usage. In terms of the franchisor’s ability to prevent
franchisees from establishing their own sites, many (older) franchise agreements will not deal with the issue
specifically; however, the franchisor may rely on the limited scope of the trade mark license granted under the
franchise agreement to prevent the use of the company’s trade marks on a franchisee’s site.
Franchisors should establish a coordinated strategy for the brand’s internet presence and provide for franchisor
control in the franchise agreement. Permitting an uncontrolled web presence by local franchisees is inadvisable and
may have a negative impact on a brand identity.
Intranet Sites
Large franchisors are increasingly utilizing intranet sites to network all of their existing corporate and franchised
locations and permit franchisee dialogue. While physical conferences are still an important part of franchise initiatives,
much of the day-to-day information is easily disseminated via technology. Document sharing services permit online hosting of documentation, including manuals, handbooks and forms. This ensures that each franchisee is up-to-date
with regards to franchisor initiatives and mandates, and permits a franchisor to more efficiently maintain a level of
compliance with updated policies. Intranets also permit a franchisor to offer training courses via video or other
methods, which is particularly useful in reaching franchisees in more remote locations and encouraging more efficient
training. They can also serve as a reservoir of up-to-date local advertising content and materials for franchisees. A
franchisor should note that there are concerns over the security of such online data stores and must take care to
prevent unauthorized access that may compromise confidential information or trade secrets.
Data Security
Data security is a growing concern for all businesses, as technology continues to develop around processing
transactions. Securing the franchise system’s data is a major concern both in terms of protecting the brand’s
reputation as well as from a direct liability perspective. If data is compromised, not only is there a risk of exposing the
franchise system’s customer base to fraudulent transactions, but there is likely to be a significant impact on the
system’s ability to promote e-commerce transactions in the future. While this may appear to be a particular concern
to franchise systems with an emphasis on online transactions, merely exposing personal information of customers or
employees may be enough to make a business liable under applicable privacy legislation. Under the Personal
Information Protection and Electronic Documents Act,26 personal information must be protected by security
safeguards that are appropriate to the sensitivity of the information collected. Further, most corporate websites
include a privacy policy specifying what customer information will be retained and for what purpose. A failure to
protect the privacy information in accordance with the terms of the privacy policy may have additional legal
implications if considered to be a breach of obligations based on applicable legislation.
PCI Security Standards Council
The PCI Security Standards Council (the “Council”) was founded by five of the major global payment brands,
including MasterCard, American Express, and Visa, as a method of setting standard technical requirements for all
merchants that use their services.27 The Council sets data security standards (“DSS”) that are then imposed on all
merchants who wish to use these payment services. Merchants have a specified length of time in which to initially
become compliant with the protocols. Currently, DSS has migrated to version 2 and merchants are in the process of
verifying compliance. Each iteration of the DSS protocols typically proceeds on a three-year cycle. This gives the
participating merchants one year to implement the new standards, one year of compliance, and an additional year to
transition.28
PCI compliance
There are a number of requirements that a company must meet in order to be considered compliant with PCI DSS
protocols. The requirements can be broadly broken down into several categories: securing the network, protecting
cardholder data, maintaining a vulnerability management program, implementing access control measures, regular
testing, and maintaining an information security policy.
26 S.C. 2000, c. 5.
27 "About Us." Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards. Web. 16 Feb. 2011. <https://www.pcisecuritystandards.org/organization_info/index.php>.
28 PCI Security Standards Council. PCI Security Standards Council Releases Version 2.0 of the PCI Data Security Standard and Payment Application Data Security Standard. PCI Security Standards Council. 28 Oct. 2010. Web. 16 Feb. 2011. <https://www.pcisecuritystandards.org/pdfs/pr_101028_standards_2.0.pdf>.
The number of requirements that a participating merchant must comply with increases with the
complexity of the merchant and the number of payments the merchant processes. There are clear cost implications to
compliance with the increased levels of requirements. At the most basic level, a class “B” merchant has no electronic
payment processing. An example of this would be merchants who take credit card imprints in order to manually
process payments at a later date. These merchants need only comply with 13 requirements. However, a class “D”
merchant that has multiple computers networked to aggregate credit card processing must comply with 226
requirements.29
The level of a merchant also has an impact on the deadlines in which it must become compliant with the PCI
standards. Level 1 merchants, merchants that process more than 6,000,000 transactions a year, must comply very
quickly. Merchants that process a small number of transactions face a less stringent timeline. Of particular concern to
franchisees is that where the franchise system utilizes a networked approach to payment processing, such as a
situation where the franchisees individually send the data to a central data centre and from there the data centre
processes the transaction with the bank, the entire franchise system together may be considered as “the merchant”.
Therefore, while each individual franchise may process only a small number of transactions (and would individually
be subject to a lower set of compliance requirements), the number of aggregate transactions may place them at a
higher merchant level and thus necessitate compliance with a more stringent PCI standard. The cost of compliance
for franchise systems can be significant, which leads to the further issue of how those costs are shared among the
franchisor and franchisees (if not absorbed entirely by the franchisor).
The PCI Security Standards website also includes a list of “approved companies and providers”. While not required,
purchasing processing technology from one of these approved providers is one method to use in ensuring that the
franchise system is in step with the current DSS protocols. Failure to comply with PCI standards can result in a fine
levied by the individual payment processors or other operational consequences (including increased monitoring and
reporting obligations).
Compliance requires that a merchant reduce the amount of confidential information that it stores at any given time.
In addition, information such as credit card numbers must be safely stored in an encrypted format, and data must be
destroyed when feasible. Proper access controls must be administered and secure passwords must be chosen in
order to help secure the digital environment.
Electronic Security and Card Theft
Credit card security is a well-known issue for businesses, particularly those with online presences. There are
numerous stories of merchants with online stores having the information they store from transactions compromised
and stolen. With each episode of such data theft, significant liability is attracted to the business. Beyond brute-force
hacking, there are numerous other threats of which a business owner must be aware.
A common and growing problem is compromised PIN pads. In retail outlets and franchise locations, thieves steal the
PIN pad directly from the merchant, modify it, and then return it. Any transactions processed through that pad are
then compromised. More sophisticated PIN pads may prevent liability. Such PIN pads are designed to become
inoperable if opened, preventing the use of compromised technology as the pad will no longer be able to connect to
the POS system. Further, the new chip-and-PIN technology that is being incorporated into debit cards is another
way to foil this process, as the card itself is as yet uncompromised. This chip-and-PIN technology is rolling out across
Canada.
For franchise systems that utilize wireless technology, there is also a risk of “data sniffing”. In these circumstances, a
thief uses sophisticated software to “sniff” wireless signals and attempt to record data transmitted through them. This can
be a risk for businesses that utilize “at table” payment options, wherein the PIN pad and/or credit card reader is
brought to the table and the customer is able to pay there. This payment option communicates with the main POS
system via wireless signals, and without proper security these signals may be intercepted and thus confidential
information may be stolen.
29 "Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire - Instructions and Guide." PCI Security Standards Council. Oct. 2010. Web. 16 Feb. 2011. <https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf>.
A well-known case study of data sniffing is the TJX Case (TJX is the parent company of Winners), an incident that
was investigated by the Privacy Commissioner of Canada in 2007. The report of the Privacy Commissioner states
that:
It’s believed that thieves armed with an antenna and a laptop computer and some specialized
software settled in outside a Marshall’s in Miami and broke into the store’s poorly protected wireless
local area networks.
Once inside, they tapped their way into computer servers that process and store customer
information from transactions for hundreds of stores owned by discount retail giant TJX, including
Winners and HomeSense stores in Canada.
For the next year and a half, the thieves plundered the TJX computer system.
They ultimately gained access to at least 94 million credit and debit cards as well as the names,
addresses and driver’s licence numbers of people who had returned merchandise at TJX stores.30
In this particular case, the Privacy Commissioner found that “TJX was aware of the concerns about its encryption
protocol and was in the process of converting to a stronger technology at the time of the breach. In our view, the
conversion was not done within a reasonable period of time.”31 Thus, even though the business was in the process
of securing its networks, this was not sufficient to prevent fault from being found.
Wireless networks have become commonplace in many franchise systems. As franchisees become increasingly
coordinated via network connections, a breach at one location could have an impact on other locations where data
security did meet minimum standards and, without adequate security, individual franchisees may expose the
franchisor’s internal network to breach. This places an obligation on the franchisor to ensure that all franchisees
meet minimum data security standards. It is recommended that all franchisors develop proper data security policies to
roll out across the franchise system. Particularly as franchise systems become increasingly networked and move
towards a “cloud computing” technology, one weak link within the system may be enough to compromise several
others.
Sale of a Franchise
Technology appears to be increasingly impacting the sale of franchises themselves. Although technology enabling
the use of online portals to connect prospective franchisees with franchisors is not particularly new, there appears to
be an increasing acceptance of the use of this technology by prospective franchisees. For franchisors, portals can
raise a concern over trademark rights. A portal may use the brand’s logo or other trademarks to list franchise
opportunities under the brand name. To a prospective franchise owner, the use of the franchisor’s trademark
may imply a tacit endorsement of the portal by the franchisor. Franchisors must be particularly cognizant of the risks
involved in allowing third parties to display their trademarks. They must ensure that a proper license agreement has
been signed and monitor and maintain necessary levels of control over the use of their intellectual property.
Conclusion
The speed at which novel, creative applications for electronic media are being introduced is staggering. New issues
will undoubtedly emerge as applications evolve. On the other hand, some of the issues raised by the current use of
technology, including intellectual property rights, brand image and security issues, are likely to endure even as
technology changes. Technology is often a double-edged sword and the unique nature of franchise systems will
continue to add a further layer of complexity in exploiting new technology and handling the corresponding issues.
Used effectively, technology can efficiently promote a business and increase the value of any marketing budget. But
without careful preparation and monitoring, it may just as easily damage a brand or create conflict within the franchise
system.
30 Commissioner of Canada, Privacy. Annual Report to Parliament 2007. Rep. 2007. Web. 16 Feb. 2011. <http://www.priv.gc.ca/information/ar/200708/2007_pipeda_e.pdf>. p. 21.
31 Ibid.