What are the Payment Card Industry Data Security Standards, or PCI-DSS, that Carvel franchisees must comply with?
Carvel Franchise · 2025 FDD
Answer from 2025 FDD Document
You must abide by: (a) the Payment Card Industry Data Security Standards ("PCI-DSS") enacted by the applicable Card Associations (as they may be modified from time to time or as successor standards are adopted) and all Laws, standards, or any equivalent thereof relating to the collection, use, and security of personal information; (b) the FACTA; (c) all other Laws, standards, or any equivalent thereof applicable to electronic payments that may be published from time to time by payment card companies and applicable to electronic payments; and (d) any privacy policies or data protection and breach response policies we periodically may establish, including those set forth in Section 12.3 (Data Breach Notification) (collectively, "Privacy Requirements").
Source: Item 23 — Receipts (FDD pages 100–353)
What This Means (2025 FDD)
According to Carvel's 2025 Franchise Disclosure Document, franchisees must adhere to the Payment Card Industry Data Security Standards (PCI-DSS) enacted by the applicable Card Associations. These standards may be modified over time or replaced by successor standards. In addition to PCI-DSS, franchisees must comply with all laws, standards, or their equivalents relating to the collection, use, and security of personal information, including the Fair and Accurate Credit Transactions Act (FACTA). They must also follow any other laws or standards applicable to electronic payments that payment card companies publish from time to time. Carvel may also establish privacy policies or data protection and breach response policies that franchisees must follow.
Carvel requires franchisees to use specific vendors or approved suppliers to provide security services consistent with the Privacy Requirements. Currently, franchisees must use a managed firewall, conduct quarterly network scans, maintain anti-virus/anti-malware software, and use managed Wi-Fi; Carvel may modify these specific security measures. Franchisees must submit annual proof of PCI-DSS compliance and provide evidence of compliance with the Privacy Requirements upon request. Carvel may also require periodic security audits to ensure adequate protection of personal data.
Carvel retains the right to review a franchisee's systems and verify compliance with these requirements, charging a fee not exceeding 110% of its actual costs and expenses. Franchisees are responsible for promptly notifying Carvel of any suspected or known security breach and for identifying and remediating the source of the breach at their own expense. They also assume full responsibility for providing breach notifications to affected parties and for monitoring the credit histories and transactions of affected customers.
In the event of a data breach, Carvel and its agents have the right to investigate the incident and install necessary hardware, software, or code on the franchisee's computer system to facilitate the investigation and contain the incident. Franchisees must cooperate with Carvel and provide any requested access and information. However, this does not relieve the franchisee of their obligation to comply with applicable laws and regulations concerning data breaches. Franchisees are responsible for any costs or financial losses incurred as a result of a data breach.