
What documentation must a Potbelly Sandwich Works franchisee provide to demonstrate PCI compliance?

Potbelly Sandwich Works Franchise · 2025 FDD

Answer from 2025 FDD Document

Despite the fact that you must buy, use, and maintain the Computer System according to our standards and specifications, you have sole and complete responsibility for: (1) the acquisition, operation, maintenance, and upgrading of the Computer System; (2) the manner in which your Computer System interfaces with our and any third-party's computer system; (3) any and all consequences if the Computer System is not properly operated, maintained, and upgraded; and (4) complying at all times with the most current version of the Payment Card Industry Data Security Standards. You must provide us with, at a minimum, your annual Attestation of Compliance ("AOC") demonstrating that you have completed all of the necessary actions to be PCI compliant. The Computer System must permit twenty-four (24) hours per day, seven (7) days per week electronic communications between you and us, including access to the Internet and our then-current System Website and Intranet (if applicable). We always will have unlimited, independent access to the Computer System, although we will not have any access to employee- or employment-related information for your Shop's employees.

Source: Item 22 — CONTRACTS (FDD page 79)

What This Means (2025 FDD)

According to Potbelly Sandwich Works' 2025 Franchise Disclosure Document, the minimum documentation a franchisee must provide is an annual Attestation of Compliance (AOC) demonstrating that all actions necessary to be PCI compliant have been completed. This requirement is tied to the franchisee's sole responsibility for the Computer System, which they must buy, use, and maintain according to Potbelly Sandwich Works' standards and specifications.

In practice, the franchisee, not the franchisor, owns PCI DSS compliance for the Shop's card-handling environment: the point-of-sale and payment terminals, the network they sit on, and any interface between the Computer System and Potbelly's or a third party's systems. The AOC is the standard PCI DSS form in which the merchant (and a Qualified Security Assessor, where one is required) attests that a Self-Assessment Questionnaire or Report on Compliance has been completed and that the environment meets the standard. Because the AOC only summarizes that work, the franchisee should retain the underlying SAQ or ROC and any required quarterly external vulnerability scan reports in case the franchisor or an acquirer asks for them. The agreement also requires compliance with the most current version of the standard, so the applicable version (PCI DSS v4.x as of a 2025 FDD) changes over time and the franchisee must track it. Failing to maintain PCI compliance could result in fines, penalties, and potential legal liabilities for the franchisee.

Potbelly Sandwich Works also retains unlimited, independent access to the franchisee's Computer System, although this access excludes employee- or employment-related information. From a PCI standpoint, that franchisor access is a remote-access path into the Shop's payment environment and belongs in the franchisee's scoping and access-control documentation even though the franchisor operates it. Additionally, Potbelly Sandwich Works may use and disclose financial or other information from the Computer System to third parties, including prospective franchisees and financial advisors. Franchisees must obtain the necessary consents from third parties, including customers, to allow this information sharing.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.