Whipping out that credit or debit card at your local fast-food restaurant may be convenient, but it has also put the so-called quick-service restaurant (QSR) sector under the Payment Card Industry (PCI) standard microscope.

Just ask Wendy's franchisee Paul Haire, who co-owns seven Wendy's restaurants in the Monroe, La., area. Haire's restaurants were some of the first to accept credit cards. The Wendy's stores had also been rife with email-borne malware that spread from the manager's XP-based workstation in the back office to the XP-based electronic point-of-sale (POS) systems in the front of the stores.

"That would bring the whole system down and step these restaurants back into the 60s, with hand-written orders and checks," he says. "We had a huge issue with viruses."

So Haire outsourced his franchises' Internet and security services to BHI . The Eden Prairie, Minn.-based Internet hosting and managed services security provider for SMBs provides a turnkey service for QSRs like Wendy's. He's been using the MSSP for nearly two years now.

Even as security issues increase for fast-food outlets, small-business franchise owners like Haire are still basically on their own when it comes to IT and security. Like other franchised chains, Wendy's corporate IT department serves more in an advisory role to its restaurant owners, providing recommendations and resources for securing their transaction and financial data.

Haire says he's ultimately responsible for securing his business. "At risk is my cash," he says.

Haire learned of BHI through Wendy's corporate IT, which researches and recommends products and providers to its franchisees. BHI set up an IPSec-based VPN for Haire's seven stores, and provides security monitoring, anti-spam, anti-malware, anti-spyware, content filtering, IDS, firewalling, and reporting services for the stores.

Each store has its own Fortinet Inc. FortiGate-60M box, a VPN gateway that acts as an all-in-one security device, with a firewall, antivirus, anti-spyware, content control, VPN connectivity to Haire's central office, and a dialup modem in case the store's broadband DSL connection is down.

"It's an all-in-one approach. We are taking care of the whole gamut" of security, says Dave Perrill, president of BHI. "In our solution, we lock down the Web traffic to food-ordering and a few back-office things."

But Perrill admits this poses the risk of a single point of failure, especially in the harsh conditions of a QSR, where fires, grease, food, and even theft can damage equipment and compromise security. "[Single point of failure] is a very real risk," he says. "But we obviously have a number of devices on standby, and we can get one shipped out next-day air" if one fails.

Another security challenge is that Haire's Wendy's outlets offer free WiFi to their customers. "When it comes to their customer side, there's little we can do" security-wise, Perrill says. "But we are ensuring their networks aren't exposed as the result of a hotspot."

Wendy's Haire says he doesn't worry about the WiFi service hurting the VPN, since it's separate and secured, he says. He notes that the restaurants do a batch upload of their Wand POS systems in the middle of the night, which eliminates having sensitive data sitting around locally. "And at no time in our organization does anyone have access to a whole credit-card number. What resides here is not even a last name, just the last four digits."

Haire says his biggest vulnerability is an internal one. "Our next step is to routinely have a way for passwords to be randomly generated and updated," he says. His stores already use secure token cards on the POS systems.

And the Fortinet VPN gateways are installed in the back office, where only the manager and assistant managers have access. The stores are also monitored by a digital camera system over the VPN, so Haire can keep an eye on any potential problems remotely, although he visits the stores in person regularly.

SMBs like Wendy's franchise owners are increasingly looking for help in securing their Internet exposure. BHI's Perrill, whose company does business with Wendy's, Boston Market, Skipper's, and other QSRs, says his company generates about 65 percent of its over $3 million in revenue from security services, which also run Fortinet's FortiGate-50, FortiWifi-60AM, and FortiGate-800 series security appliances.

"They are looking for a partner who will implement it for them and give them a piece of mind," he says. "Wendy's is one of the more proactive and progressive organizations."

— Kelly Jackson Higgins, Senior Editor, Dark Reading