What must a Fitstop franchisee do regarding enhancements and changes to the PCI and DSS?

Fitstop Franchise · 2024 FDD

Answer from 2024 FDD Document

If not part of the POS system, at your cost and expense, you must investigate and ensure that you comply with all payment card industry ("PCI") and data security standard ("DSS") standards, regulations, and requirements. You must meet the requirements of, and comply with enhancements and changes to, the PCI and DSS and maintain PCI compliance with the current version of the PCI and DSS. You are responsible for using all required tools, systems, and vendors to complete ongoing PCI requirements including quarterly external security scans and annual self-assessment questionnaires. You are solely responsible for all costs relating to PCI compliance and data security issues, such as security threats, breaches, and malware. It is your responsibility to alert us, not later than 24 hours following a suspected or confirmed data security breach, so that appropriate action can be taken to protect customer data and notify relevant parties. You are not permitted to collect, store, transfer, etc. any unnecessary customer information.

Source: Item 11 — FRANCHISOR'S ASSISTANCE, ADVERTISING, COMPUTER SYSTEMS, AND TRAINING (FDD pages 24–35)

What This Means (2024 FDD)

According to Fitstop's 2024 Franchise Disclosure Document, franchisees are responsible for complying with all payment card industry (PCI) and data security standard (DSS) regulations and requirements. This includes investigating and ensuring compliance at their own cost and expense if it is not part of the POS system.

Fitstop franchisees must meet the requirements of, and comply with any enhancements and changes to, the PCI and DSS, while also maintaining PCI compliance with the current version of these standards. Franchisees are responsible for using all required tools, systems, and vendors to fulfill ongoing PCI requirements, such as quarterly external security scans and annual self-assessment questionnaires.

Furthermore, the franchisee is solely responsible for all costs related to PCI compliance and data security issues, including security threats, breaches, and malware. The franchisee must alert Fitstop no later than 24 hours after a data security breach is suspected or confirmed, so that customer data can be protected and the relevant parties notified. Franchisees are not allowed to collect, store, or transfer any unnecessary customer information.

Disclaimer: This information is extracted from the 2024 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.