What is a Circle K purchaser's responsibility regarding cardholder data in their possession?
Circle K Franchise · 2025 FDD
Answer from 2025 FDD Document
Purchaser is solely responsible and liable for cardholder data in Purchaser's possession and/or control, whether in paper or electronic form. Purchaser must notify TMC immediately of any known or suspected information security compromise, specifically, but not limited to, one that may impact cardholder data. Purchaser shall fully cooperate with and provide access to a PCI representative, or PCI-approved third party, for purposes of conducting a security review after a data security intrusion or breach has been detected. Purchaser will pay, and will indemnify, defend and hold harmless TMC and its affiliates from and against any and all fines, penalties, expenses, liabilities, losses, claims, damages and costs (including costs of data breach notification) associated with any data security breach caused by or arising out of Purchaser's failure to secure cardholder data or to maintain full compliance with PCI standards and the terms of this Agreement.
Source: Item 22 — CONTRACTS (FDD page 100)
What This Means (2025 FDD)
According to Circle K's 2025 Franchise Disclosure Document, the purchaser, or franchisee, is solely responsible and liable for cardholder data in their possession or control, whether in paper or electronic form. This means that Circle K franchisees must take appropriate measures to protect customer data from unauthorized access, use, or disclosure.
The franchisee must immediately notify TMC, the franchisor, of any known or suspected information security compromise that may impact cardholder data. Furthermore, the franchisee is required to fully cooperate with and provide access to a PCI representative or PCI-approved third party for security reviews after a data security intrusion or breach has been detected. This cooperation is essential for assessing the extent of the breach and implementing corrective actions.
The Circle K franchisee is responsible for covering all costs associated with any data security breach caused by their failure to secure cardholder data or maintain compliance with PCI standards and the terms of the Credit Network Agreement. These costs include fines, penalties, expenses, liabilities, losses, claims, damages, and the costs of data breach notification. The franchisee must also indemnify, defend, and hold harmless TMC and its affiliates from any claims arising from such breaches. This highlights the critical importance of adhering to data security protocols and maintaining vigilance in protecting sensitive customer information.