Is a Fitstop franchisee required to comply with PCI and DSS standards?
Fitstop Franchise · 2024 FDDAnswer from 2024 FDD Document
If not part of the POS system, at your cost and expense, you must investigate and ensure that you comply with all payment card industry ("PCI") and data security standard ("DSS") standards, regulations, and requirements. You must meet the requirements of, and comply with enhancements and changes to, the PCI and DSS and maintain PCI compliance with the current version of the PCI and DSS. You are responsible for using all required tools, systems, and vendors to complete ongoing PCI requirements including quarterly external security scans and annual self-assessment questionnaires. You are solely responsible for all costs relating to PCI compliance and data security issues, such as security threats, breaches, and malware. It is your responsibility to alert us, not later than 24 hours following a suspected or confirmed data security breach, so that appropriate action can be taken to protect customer data and notify relevant parties. You are not permitted to collect, store, transfer, etc. any unnecessary customer information.
We reserve the right to require that you purchase a security system to protect your Franchised Business and provide us with notice once it has been installed. We may require you to install a compliance monitoring system in your location at reference points designated by us. We may also require you to install a compliance monitoring system, which is not a security system but is a management and quality assurance tool. Both you and we will have the right to online access to the compliance monitoring system. By installing the compliance monitoring system, you and your employees are waiving any rights to privacy. You agree to require all your employees to sign a waiver of their right to privacy with respect to the use of any such compliance monitoring system. Please note that while we reserve the right to require this system to be implemented at your Franchised Business in the future, we do not typically require this kind of system as part of our Required Items as of the Issue Date.
Source: Item 11 — FRANCHISOR'S ASSISTANCE, ADVERTISING, COMPUTER SYSTEMS, AND TRAINING (FDD pages 24–35)
What This Means (2024 FDD)
According to Fitstop's 2024 Franchise Disclosure Document, if the POS system does not handle PCI and DSS standards, the franchisee is responsible for ensuring compliance with all payment card industry (PCI) and data security standard (DSS) regulations. This includes meeting all requirements and changes to PCI and DSS standards and maintaining PCI compliance with the current version.
To maintain compliance, Fitstop franchisees must use all required tools, systems, and vendors, which includes completing quarterly external security scans and annual self-assessment questionnaires. The franchisee is solely responsible for all costs related to PCI compliance and data security issues, such as security threats, breaches, and malware.
Furthermore, Fitstop requires franchisees to alert them no later than 24 hours following any suspected or confirmed data security breach. This allows Fitstop to take appropriate action to protect customer data and notify relevant parties. Franchisees are not allowed to collect, store, or transfer any unnecessary customer information.
Fitstop also retains the right to require franchisees to purchase a security system to protect their Franchised Business and to install a compliance monitoring system at designated reference points. Both the franchisee and Fitstop will have online access to this monitoring system, and employees will be required to sign a waiver of their right to privacy with respect to its use.