
What are the Payment Card Industry Data Security Standards that Auntie Anne's franchisees must abide by?

Auntie_Annes Franchise · 2024 FDD

Answer from 2024 FDD Document

We require that you use vendors (and may require you to use one or more Approved Suppliers that we designate) to provide security services that are consistent with the Privacy Requirements.

We currently require you to use a managed firewall, conduct a quarterly network scan, maintain anti-virus/anti-malware software, and use managed Wi-Fi, but we may modify from time to time the specific security measures that you must maintain.

We require that you submit annually proof of your PCI-DSS compliance status, and we may require you to provide evidence of compliance with applicable Privacy Requirements upon our request.

We may require you to use vendors or Approved Suppliers to conduct periodic security audits to ensure that personal data is adequately protected.

We may require you to provide, or make available, to us copies of any audits, scanning results, or related documentation relating to such compliance or audits.

We may charge a reasonable fee for us to review your systems and verify your compliance with these requirements.

If you suspect or know of a security breach, you must immediately give us notice of such security breach and promptly identify and remediate the source of any compromise or security breach at your expense.

You assume all responsibility for providing all notices of breach or compromise and all duties to monitor credit histories and transactions concerning customers of the Franchised Business.

12.3 Data Breach Notification.

If you learn of an incident that may be a "breach of the security of the system" under Cal. Civ. Code § 1798.82 or any other data breach notification Law, you must immediately notify us of the facts that are known about the incident (a "Data Breach").

Although you are responsible for complying with all data breach notification Laws and standards applicable to your organization, we expect that you will coordinate with us regarding such incidents where notification to individuals is required before individuals are notified so that we can be aware of and be prepared to address issues that may affect the System and be in a position to support you where possible.

In the event of an actual or suspected Data Breach, you grant us and our designees and agents the right, exercisable in our sole and absolute discretion, to conduct an investigation of the incident and to install, run, and maintain any hardware, software, or code on your Computer System or in your computer network necessary or advisable to facilitate the investigation and to contain and remediate the incident, and you agree to cooperate with us and to provide us with any access and information we may reasonably request for those purposes.

Source: Item 22 — CONTRACTS (FDD page 106)

What This Means (2024 FDD)

According to Auntie Anne's 2024 Franchise Disclosure Document, franchisees must adhere to specific Payment Card Industry Data Security Standards (PCI-DSS). Auntie Anne's requires franchisees to use vendors for security services that align with privacy requirements, and may require the use of designated Approved Suppliers.

Currently, Auntie Anne's mandates the use of a managed firewall, quarterly network scans, anti-virus/anti-malware software, and managed Wi-Fi. However, Auntie Anne's retains the right to modify these specific security measures over time. Franchisees must submit annual proof of their PCI-DSS compliance status and provide evidence of compliance with applicable Privacy Requirements upon request. Auntie Anne's may also require franchisees to use vendors or Approved Suppliers to conduct periodic security audits to ensure adequate protection of personal data.

Furthermore, Auntie Anne's reserves the right to review a franchisee's systems and verify compliance with these requirements, potentially charging a reasonable fee for such reviews. Franchisees are obligated to immediately report any suspected or known security breaches and promptly address the source of the breach at their own expense. They also assume full responsibility for providing breach notifications and monitoring credit histories and transactions of customers. In the event of a data breach, franchisees must grant Auntie Anne's the right to investigate the incident and implement necessary measures to contain and remediate it.

Disclaimer: This information is extracted from the 2024 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.