What are the Crowne Plaza franchisee's responsibilities for maintaining application access control to align with Payment Card Industry Data Security Standards (PCI-DSS)?

According to the 2025 Crowne Plaza FDD, franchisees are responsible for establishing and maintaining proper application access control to align with Payment Card Industry Data Security Standards (PCI-DSS). This involves ensuring that the computerized property management system (PMS) operates in conformance with the standards set by SCH (presumably, the franchisor or a related entity). The PMS must have a database schema and shell approved by SCH to ensure proper interface with the Reservation System.

To maintain security and compliance, franchisees must keep operating systems, databases, and other programs updated with current, approved security patches that are fully supported by the software vendors. The PMS must be periodically updated to conform to SCH-approved software versions, technology advancements, and security requirements. This may necessitate replacing or upgrading certain hardware or software components. At a minimum, the PMS hardware and software must be replaced every 48 months. PMS hardware includes servers, workstations, printers, monitors, UPS, back-up devices, and associated network components.

Crowne Plaza requires all hotels to obtain and install NextGen Payments (NGP), a data security process designed to protect credit card information. NGP uses PCI-certified payment terminals to encrypt credit card data and convert it to tokens before the data enters the PMS. Franchisees must ensure that the hardware and software systems required to connect to NGP are fully operational when the hotel opens and that management and staff are trained and competent to operate NGP at all times. Franchisees are also required to enter into agreements with Fiserv (the SCH-approved merchant service provider) and FreedomPay.