If not part of the POS system, what must a Fitstop franchisee investigate and ensure?

Fitstop Franchise · 2024 FDD

Answer from 2024 FDD Document

If not part of the POS system, at your cost and expense, you must investigate and ensure that you comply with all payment card industry ("PCI") and data security standard ("DSS") standards, regulations, and requirements. You must meet the requirements of, and comply with enhancements and changes to, the PCI and DSS and maintain PCI compliance with the current version of the PCI and DSS. You are responsible for using all required tools, systems, and vendors to complete ongoing PCI requirements including quarterly external security scans and annual self-assessment questionnaires. You are solely responsible for all costs relating to PCI compliance and data security issues, such as security threats, breaches, and malware. It is your responsibility to alert us, not later than 24 hours following a suspected or confirmed data security breach, so that appropriate action can be taken to protect customer data and notify relevant parties. You are not permitted to collect, store, transfer, etc. any unnecessary customer information.

We reserve the right to require that you purchase a security system to protect your Franchised Business and provide us with notice once it has been installed. We may require you to install a compliance monitoring system in your location at reference points designated by us. We may also require you to install a compliance monitoring system, which is not a security system but is a management and quality assurance tool. Both you and we will have the right to online access to the compliance monitoring system. By installing the compliance monitoring system, you and your employees are waiving any rights to privacy. You agree to require all your employees to sign a waiver of their right to privacy with respect to the use of any such compliance monitoring system. Please note that while we reserve the right to require this system to be implemented at your Franchised Business in the future, we do not typically require this kind of system as part of our Required Items as of the Issue Date.

Source: Item 11 — FRANCHISOR'S ASSISTANCE, ADVERTISING, COMPUTER SYSTEMS, AND TRAINING (FDD pages 24–35)

What This Means (2024 FDD)

According to Fitstop's 2024 Franchise Disclosure Document, if payment card industry (PCI) and data security standard (DSS) compliance is not handled as part of the POS system, the franchisee must investigate and ensure compliance with all PCI and DSS standards, regulations, and requirements at their own cost. This includes meeting the requirements of, and complying with enhancements and changes to, the PCI and DSS, as well as maintaining PCI compliance with the current version of the PCI and DSS.

To maintain compliance, the franchisee is responsible for using all required tools, systems, and vendors to complete ongoing PCI requirements, including quarterly external security scans and annual self-assessment questionnaires. The franchisee is solely responsible for all costs relating to PCI compliance and data security issues, such as security threats, breaches, and malware.

Furthermore, the franchisee must alert Fitstop no later than 24 hours following a suspected or confirmed data security breach, so that appropriate action can be taken to protect customer data and notify relevant parties. The franchisee is not permitted to collect, store, transfer, or otherwise handle any unnecessary customer information. Fitstop also reserves the right to require the franchisee to purchase a security system and to install a compliance monitoring system at designated reference points.

Disclaimer: This information is extracted from the 2024 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.