Who does a Carls franchisee engage to ensure data security and compliance with P2PE and PCI DSS?

Carls Franchise · 2024 FDD

Answer from 2024 FDD Document

Franchisee shall: (1) use the proprietary software program, system documentation manuals and other proprietary materials now and hereafter required by CJR in connection with the operation of the Franchised Restaurant; (2) if requested by CJR, execute CJR's standard software license or similar agreement; (3) input and maintain in Franchisee's computer such data and information as CJR prescribes in the OPM, software programs, documentation or otherwise; (4) purchase new or upgraded software programs, system documentation manuals and other proprietary materials at then-current prices whenever adopted system-wide by CJR; (5) comply with Point to Point Credit Encryption Standards ("P2PE") and Payment Card Industry Data Security Standard ("PCI DSS") at all times, and if necessary to maintain such compliance, upgrade its technology, at Franchisee's expense; and (6) engage any vendor that CJR designates to ensure the security of Franchisee's data and compliance with P2PE and PCI DSS. Franchisee must maintain continuous PCI compliance and attest annually by providing a completed and signed PCI Attestation of Compliance (AOC) to CJR.

Source: Item 22 — CONTRACTS (FDD page 80)

What This Means (2024 FDD)

According to the 2024 Carls FDD, a franchisee must engage any vendor that Carls designates to ensure the security of the franchisee's data and compliance with Point to Point Credit Encryption Standards (P2PE) and Payment Card Industry Data Security Standard (PCI DSS). The franchisee bears the expense of upgrading technology to maintain this compliance.

Carls requires franchisees to maintain continuous PCI compliance and to attest to this annually by providing a completed and signed PCI Attestation of Compliance (AOC) to Carls. This requirement ensures that all franchise locations adhere to the necessary data security protocols to protect consumer information.

This stipulation matters to prospective franchisees because it makes the use of vendors that Carls designates for data security mandatory. Using designated vendors ensures uniformity across locations and potentially leverages the franchisor's negotiated rates or expertise. However, it also means franchisees have limited choice in selecting their own vendors and must budget for these ongoing technology upgrades and compliance attestations.

Disclaimer: This information is extracted from the 2024 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.