Who is responsible for the costs related to PCI compliance and data security issues for a Fitstop franchise?
Fitstop Franchise · 2024 FDD
Answer from 2024 FDD Document
If not part of the POS system, at your cost and expense, you must investigate and ensure that you comply with all payment card industry ("PCI") and data security standard ("DSS") standards, regulations, and requirements. You must meet the requirements of, and comply with enhancements and changes to, the PCI and DSS and maintain PCI compliance with the current version of the PCI and DSS. You are responsible for using all required tools, systems, and vendors to complete ongoing PCI requirements including quarterly external security scans and annual self-assessment questionnaires. You are solely responsible for all costs relating to PCI compliance and data security issues, such as security threats, breaches, and malware. It is your responsibility to alert us, not later than 24 hours following a suspected or confirmed data security breach, so that appropriate action can be taken to protect customer data and notify relevant parties. You are not permitted to collect, store, transfer, etc. any unnecessary customer information.
Source: Item 11 — FRANCHISOR'S ASSISTANCE, ADVERTISING, COMPUTER SYSTEMS, AND TRAINING (FDD pages 24–35)
What This Means (2024 FDD)
According to Fitstop's 2024 Franchise Disclosure Document, the franchisee is responsible for all costs relating to PCI (Payment Card Industry) compliance and data security issues. This includes costs associated with security threats, data breaches, and malware.
Where PCI compliance is not provided as part of the POS system, Fitstop franchisees must, at their own cost and expense, investigate and ensure they comply with all PCI and DSS (Data Security Standard) standards, regulations, and requirements. Franchisees must also meet the requirements of, and comply with enhancements and changes to, the PCI and DSS, and maintain PCI compliance with the current version of the PCI and DSS.
To maintain PCI compliance, Fitstop franchisees are responsible for using all required tools, systems, and vendors to complete ongoing PCI requirements. These include quarterly external security scans and annual self-assessment questionnaires. Franchisees are also obligated to alert Fitstop no later than 24 hours following a suspected or confirmed data security breach.
Furthermore, Fitstop franchisees are not permitted to collect, store, transfer, or handle any unnecessary customer information, highlighting the importance of data minimization to reduce potential security risks and compliance burdens.