What data security standards must a Circle K purchaser comply with throughout the term of the agreement?

Circle K Franchise · 2025 FDD

Answer from 2025 FDD Document

Data Security and Privacy Requirements.

Throughout the term of this Agreement, Purchaser shall comply with the payment card industry ("PCI") data security standards, as established from time to time by the Payment Card Industry Security Standards Council or another industry-recognized regulatory agency or organization, all legal requirements regarding data security and privacy and any data security and privacy requirements imposed from time to time by TMC or its affiliates. Without limiting the foregoing, Purchaser agrees to meet PCI requirements for storing, accessing and transmitting cardholder data, and agrees to fully participate at TMC's request in any PCI data security standard compliance audits conducted by or on behalf of TMC or its affiliate. Additionally, Purchaser agrees to not install or connect any non-TMC approved computer systems or services, including but not limited to wireless systems and internet access, onto TMC Network, without the prior written approval of TMC.

Purchaser is solely responsible and liable for cardholder data in Purchaser's possession and/or control, whether in paper or electronic form. Purchaser must notify TMC immediately of any known or suspected information security compromise, specifically, but not limited to, one that may impact cardholder data. Purchaser shall fully cooperate with and provide access to a PCI representative, or PCI-approved third party, for purposes of conducting a security review after a data security intrusion or breach has been detected. Purchaser will pay, and will indemnify, defend and hold harmless TMC and its affiliates from and against any and all fines, penalties, expenses, liabilities, losses, claims, damages and costs (including costs of data breach notification) associated with any data security breach caused by or arising out of Purchaser's failure to secure cardholder data or to maintain full compliance with PCI standards and the terms of this Agreement.

  1. Records. Purchaser will maintain, and TMC or its designee will have the right to examine, all records, reports and other forms that TMC may request relating to Purchaser's participation in any Credit Card Program. Without limiting the foregoing, Purchaser shall maintain a record of each sales transaction (including the actual draft generated by the sale) for a period of no less than six (6) months from the date of the transaction.

Source: Item 22 — CONTRACTS (FDD page 100)

What This Means (2025 FDD)

According to Circle K's 2025 Franchise Disclosure Document, as a purchaser, you must adhere to specific data security and privacy requirements throughout the agreement's term. This includes compliance with the payment card industry (PCI) data security standards, which are periodically updated by the Payment Card Industry Security Standards Council or another recognized regulatory body.

In addition to PCI standards, you must also follow all legal requirements related to data security and privacy, as well as any data security and privacy requirements that Circle K or its affiliates may impose. This encompasses meeting PCI standards for storing, accessing, and transmitting cardholder data. Furthermore, you are required to participate fully in any PCI data security standard compliance audits conducted by or on behalf of Circle K or its affiliates. You are prohibited from installing or connecting any non-TMC approved computer systems or services, including wireless systems and internet access, onto the TMC Network without prior written approval from TMC.

You are solely responsible and liable for cardholder data in your possession or control, whether in paper or electronic form, and must immediately notify Circle K of any known or suspected information security compromise that may impact cardholder data. You must also cooperate with and provide access to a PCI representative or PCI-approved third party for security reviews after a data security intrusion or breach.

Ultimately, you are responsible for covering all fines, penalties, expenses, liabilities, losses, claims, damages, and costs, including data breach notification costs, associated with any data security breach caused by your failure to secure cardholder data or maintain compliance with PCI standards and the terms of the agreement. You must also maintain records of all sales transactions for at least six months, and these records are subject to examination by Circle K or its designee.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.