What is the Fitstop franchisee's responsibility regarding PCI compliance?
Fitstop Franchise · 2024 FDDAnswer from 2024 FDD Document
If not part of the POS system, at your cost and expense, you must investigate and ensure that you comply with all payment card industry ("PCI") and data security standard ("DSS") standards, regulations, and requirements. You must meet the requirements of, and comply with enhancements and changes to, the PCI and DSS and maintain PCI compliance with the current version of the PCI and DSS. You are responsible for using all required tools, systems, and vendors to complete ongoing PCI requirements including quarterly external security scans and annual self-assessment questionnaires. You are solely responsible for all costs relating to PCI compliance and data security issues, such as security threats, breaches, and malware. It is your responsibility to alert us, not later than 24 hours following a suspected or confirmed data security breach, so that appropriate action can be taken to protect customer data and notify relevant parties. You are not permitted to collect, store, transfer, etc. any unnecessary customer information.
We reserve the right to require that you purchase a security system to protect your Franchised Business and provide us with notice once it has been installed. We may require you to install a compliance monitoring system in your location at reference points designated by us. We may also require you to install a compliance monitoring system, which is not a security system but is a management and quality assurance tool. Both you and we will have the right to online access to the compliance monitoring system. By installing the compliance monitoring system, you and your employees are waiving any rights to privacy. You agree to require all your employees to sign a waiver of their right to privacy with respect to the use of any such compliance monitoring system. Please note that while we reserve the right to require this system to be implemented at your Franchised Business in the future, we do not typically require this kind of system as part of our Required Items as of the Issue Date.
Source: Item 11 — FRANCHISOR'S ASSISTANCE, ADVERTISING, COMPUTER SYSTEMS, AND TRAINING (FDD pages 24–35)
What This Means (2024 FDD)
According to Fitstop's 2024 Franchise Disclosure Document, franchisees are responsible for ensuring they comply with all payment card industry (PCI) and data security standard (DSS) regulations if these are not part of the POS system. This includes meeting the requirements of and complying with any changes to PCI and DSS standards, as well as maintaining PCI compliance with the current version of these standards.
Fitstop franchisees must use all required tools, systems, and vendors to fulfill ongoing PCI requirements, such as quarterly external security scans and annual self-assessment questionnaires. They are also solely responsible for all costs related to PCI compliance and data security issues, including security threats, breaches, and malware.
Furthermore, franchisees must alert Fitstop within 24 hours of any suspected or confirmed data security breach. Franchisees are not allowed to collect, store, or transfer any unnecessary customer information. Fitstop also reserves the right to require franchisees to purchase a security system and install a compliance monitoring system at designated reference points, with both the franchisee and Fitstop having online access to this system. Employees may also be required to sign a waiver of their right to privacy with respect to the use of any such compliance monitoring system.