
What responsibilities does a Crowne Plaza client have regarding cardholder data security and storage?

Crowne Plaza Franchise · 2025 FDD

Answer from 2025 FDD Document

uding the Payment Card Industry Data Security Standard ("PCI DSS"), applicable to the Card types you accept. You are responsible for staying up to date with all changes to Card Organization Rules and maintaining compliance with Card Organization Rules. Card Organization Rules may be available on websites such as https://usa.visa.com, http://www.mastercard.com/us/merchant/support/rules.html, www.discovernetwork.com/en-us, and www.americanexpress.com/merchantopguide, as links and their content may change from time to time.

  • 3.2 Applicable Law. Each party is responsible for determining all Applicable Law that is applicable to it and for complying with all such Applicable Law in connection with the Agreement.
  • 3.3 Your Payments Acceptance Guide. You agree to comply with the Your Payments Acceptance Guide, as it may change over time ("Your Payments Acceptance Guide"). The current Your Payments Acceptance Guide is available at www.businesstrack.com. To the extent of any inconsistencies between these Terms and Conditions and the Your Payments Acceptance Guide, these Terms and Conditions will govern.
  • 3.4 Conflicts. For the avoidance of doubt, your use of the Services, the transactions you process, and all of your acts and omissions must comply with the Agreement, Applicable Law, and Card Organization Rules (including PCI DSS). If there is a conflict between Applicable Law, Card Organization Rules, and the Agreement, the conflict shall be governed in the following order of precedence: (1) Applicable Law; (2) Card Organization Rules; and (3) the Agreement.
  • 4 Data Security and Third Parties Used by Client

The following is important information regarding the protection of Cardholder data. Please review carefully as failure to comply can result in substantial liabilities and termination of the Agreement.

  • 4.1 Payment Card Industry Data Security Standard.
    • (a) You Must Comply with PCI DSS. As part of your obligation to comply with Card Organization Rules, you are required to comply with PCI DSS. PCI DSS compliance is focused on Merchant Systems where Cardholder data can be accessed, processed, stored, or transmitted, including external connections into your network, connections to and from the authorization and settlement environment (e.g., connections for employee access or for devices such as firewalls and routers), and data repositories outside of the authorization and settlement environment. Information about PCI DSS can be found at www.pcisecuritystandards.org. You also are solely responsible for ensuring that all Merchant Providers, Merchant Systems, Third Parties, Third Party Services, equipment, and software that you use in connection with Card transactions comply with Card Organization Rules, including PCI DSS.
    • (b) Non-Compliance. The Card Organizations or we may impose fines or penalties, or restrict you from accepting Cards, if it is determined that you are not compliant with the applicable data security requirements. Subject to Section 4.3, we may in our sole reasonable discretion suspend certain or all Services under the Agreement if we reasonably believe in good faith and based on evidence that an actual or suspected data security compromise has occurred, provided that we will use reasonable efforts to provide you advance written notice of such suspension, unless such notice is prohibited by Applicable Law or Card Organization Rules. We will use commercially reasonable efforts to implement a workaround that allows you to continue receiving Card processing services from us during the suspension and we will remove the suspension and restore Services promptly after the threat has been resolved. If we reasonably believe in good faith and based on evidence that actual data security compromise has occurred which creates liability exposure for us, we may terminate the Agreement upon written notice to you.
    • (c) We Must Comply with PCI DSS. We, and the systems and service providers we use, also must comply with PCI DSS and any additional Card Organization Rules applicable to our Services.
  • 4.2 Compliance Audits. Each party may be subject to ongoing validation of its compliance with PCI DSS standards. Furthermore, if we suspect a breach of your compliance obligations under the Agreement, we retain the right to conduct an audit at your expense, performed by us or a Third Party designated by us to verify your compliance, or that of your agents or Merchant Providers.

Source: Item 23 — Receipts (FDD pages 100–424)

What This Means (2025 FDD)

According to the 2025 FDD, Crowne Plaza franchisees must adhere to strict data security protocols to protect cardholder information. A critical aspect of this is compliance with the Payment Card Industry Data Security Standard (PCI DSS), which focuses on securing Merchant Systems where cardholder data is accessed, processed, stored, or transmitted. This includes securing external network connections, connections to authorization and settlement environments, and data repositories. Franchisees are also responsible for ensuring that all Merchant Providers, Merchant Systems, Third Parties, equipment, and software used for card transactions comply with PCI DSS.

Crowne Plaza franchisees must ensure that any Merchant Providers they use also adhere to these data security standards. Before engaging a Merchant Provider, the franchisee must provide the franchisor with the provider's legal name, contact information, and intended function in writing and receive approval. Franchisees must also ensure that they and their Merchant Providers comply with registration processes, periodic reporting, and all applicable Card Organization Rules related to cardholder data security. Access to cardholder data by Merchant Providers should only be allowed for authorized purposes that conform to Card Organization Rules.

If a data breach occurs or is suspected, Crowne Plaza franchisees are required to notify the franchisor immediately, no more than 24 hours after becoming aware of the activity. They are also responsible for conducting an independent investigation, including a forensic analysis by a certified vendor, providing a copy of the vendor's report to the franchisor and Card Organizations, performing any recommended remedial actions, and cooperating with the franchisor in resolving the breach. Failure to comply with these data security requirements can result in fines, penalties, or restrictions on accepting cards. The franchisor retains the right to audit the franchisee's compliance, or that of their agents or Merchant Providers, at the franchisee's expense if a breach is suspected.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.