Who is responsible for the security of cardholder data related to a Southern Steer franchise?
Southern Steer Franchise · 2025 FDD
Answer from 2025 FDD Document
- 9.6. Enforcement.
Franchisor may require Franchisee compliance with the provisions of this Section 9 even if it does not require such compliance by all franchisees.
- 9.7. Data Security.
The Franchisee acknowledges it is responsible for the security of cardholder data, financial data, and personally identifiable information (collectively, "Sensitive Information") in its possession or in the possession or control of any service provider or third party-provided payment application provider that the Franchisee engages to perform under this Agreement.
Upon request by the Franchisor, such subcontractors must be identified to the Franchisor in writing prior to sharing Sensitive Information with the subcontractor.
The Franchisee will encrypt all Sensitive Information that will be transmitted over networks or in storage, and all Sensitive Information at rest.
These security measures will be reviewed at least annually.
- (a) Payment Card Industry Data Security Standards.
To the extent the Franchisee stores, processes, transmits or otherwise accesses or possesses Sensitive Information, the Franchisee agrees it will adhere to, and cause any service provider or third party-provided payment applications to adhere to, cardholder data security standards according to the then-current Payment Card Industry Data Security Standards ("PCI DSS") throughout the Initial Term of this Agreement and an Interim Period.
At a minimum, the Franchisee will, at its sole cost and expense, implement and maintain, and hereby represents and warrants that it has implemented and maintained, all appropriate technical, organizational and physical measures, but no less than PCI DSS, to ensure the security, reliability and confidentiality of the Sensitive Information submitted to it or otherwise obtained by the Franchisee, including protecting against any threats or hazards to the security or integrity of the Sensitive Information that the Franchisee should reasonably be able to anticipate, and against unauthorized access to or use of the Sensitive Information.
- (b) Inspection of Security Measures.
Source: Item 22 (Contracts), FDD pages 61–168
What This Means (2025 FDD)
According to Southern Steer's 2025 Franchise Disclosure Document, the franchisee is responsible for the security of cardholder data, financial data, and personally identifiable information, collectively referred to as "Sensitive Information." This responsibility extends to data in the franchisee's possession or under the control of any service provider or third-party payment application provider they engage.
The franchisee must encrypt all Sensitive Information transmitted over networks or stored, including data at rest. These security measures must be reviewed at least annually. Franchisees must adhere to the Payment Card Industry Data Security Standards (PCI DSS) to the extent they store, process, transmit, or access Sensitive Information. They are required to implement and maintain all appropriate technical, organizational, and physical measures, no less than PCI DSS, to ensure the security, reliability, and confidentiality of the Sensitive Information.
This includes protecting against threats and unauthorized access. The franchisee also warrants that they have implemented and maintained these measures. Subcontractors used by the franchisee must be identified to Southern Steer in writing before Sensitive Information is shared with them. Southern Steer may require the franchisee to comply with these data security provisions, even if it does not enforce such compliance across all franchisees.