What cardholder data security and storage requirements must an Even Hotels franchisee comply with?
Even Hotels Franchise · 2025 FDD
Answer from 2025 FDD Document
, applicable to the Card types you accept. You are responsible for staying up to date with all changes to Card Organization Rules and maintaining compliance with Card Organization Rules. Card Organization Rules may be available on websites such as https://usa.visa.com, http://www.mastercard.com/us/merchant/support/rules.html, www.discovernetwork.com/en-us, and www.americanexpress.com/merchantopguide, as links and their content may change from time to time.
- 3.2 Applicable Law. Each party is responsible for determining all Applicable Law that is applicable to it and for complying with all such Applicable Law in connection with the Agreement.
- 3.3 Your Payments Acceptance Guide. You agree to comply with the Your Payments Acceptance Guide, as it may change over time ("Your Payments Acceptance Guide"). The current Your Payments Acceptance Guide is available at www.businesstrack.com. To the extent of any inconsistencies between these Terms and Conditions and the Your Payments Acceptance Guide, these Terms and Conditions will govern.
- 3.4 Conflicts. For the avoidance of doubt, your use of the Services, the transactions you process, and all of your acts and omissions must comply with the Agreement, Applicable Law, and Card Organization Rules (including PCI DSS). If there is a conflict between Applicable Law, Card Organization Rules, and the Agreement, the conflict shall be governed in the following order of precedence: (1) Applicable Law; (2) Card Organization Rules; and (3) the Agreement.
4 Data Security and Third Parties Used by Client
The following is important information regarding the protection of Cardholder data. Please review carefully as failure to comply can result in substantial liabilities and termination of the Agreement.
- 4.1 Payment Card Industry Data Security Standard.
- (a) You Must Comply with PCI DSS. As part of your obligation to comply with Card Organization Rules, you are required to comply with PCI DSS. PCI DSS compliance is focused on Merchant Systems where Cardholder data can be accessed, processed, stored, or transmitted, including external connections into your network, connections to and from the authorization and settlement environment (e.g., connections for employee access or for devices such as firewalls and routers), and data repositories outside of the authorization and settlement environment. Information about PCI DSS can be found at www.pcisecuritystandards.org. You also are solely responsible for ensuring that all Merchant Providers, Merchant Systems, Third Parties, Third Party Services, equipment, and software that you use in connection with Card transactions comply with Card Organization Rules, including PCI DSS.
- (b) Non-Compliance. The Card Organizations or we may impose fines or penalties, or restrict you from accepting Cards, if it is determined that you are not compliant with the applicable data security requirements. Subject to Section 4.3, we may in our sole reasonable discretion suspend certain or all Services under the Agreement if we reasonably believe in good faith and based on evidence that an actual or suspected data security compromise has occurred, provided that we will use reasonable efforts to provide you advance written notice of such suspension, unless such notice is prohibited by Applicable Law or Card Organization Rules. We will use commercially reasonable efforts to implement a workaround that allows you to continue receiving Card processing services from us during the suspension and we will remove the suspension and restore Services promptly after the threat has been resolved.
Source: Item 23 — RECEIPTS (FDD pages 99–438)
What This Means (2025 FDD)
According to Even Hotels' 2025 Franchise Disclosure Document, franchisees must adhere to stringent data security and storage requirements to protect cardholder information. A key requirement is compliance with the Payment Card Industry Data Security Standard (PCI DSS), which focuses on securing Merchant Systems where cardholder data is accessed, processed, stored, or transmitted. This includes securing external network connections, connections to authorization and settlement environments, and data repositories. Franchisees are also responsible for ensuring that all Merchant Providers, Third Parties, equipment, and software used for card transactions comply with Card Organization Rules, including PCI DSS.
Even Hotels franchisees must ensure adequate security and backup procedures are in place to prevent unauthorized access, use, or loss of data, meeting at least the standard of care in the industry. Franchisees must also comply with all applicable laws, including Data Privacy Laws, contractual obligations, and credit card processing industry requirements, such as PCI DSS and any successor standards. IHG may provide additional security and data protection practice requirements in writing, which franchisees must comply with within thirty days of the update. Failure to comply with these data security requirements can result in fines, penalties, or restrictions on accepting cards, potentially impacting the franchisee's revenue and operations.
If a data security breach occurs or is suspected, Even Hotels franchisees must notify Even Hotels immediately, and in any event no more than 24 hours after becoming aware of the activity. Franchisees are responsible for conducting an independent investigation, including a forensic analysis by a certified vendor, and for providing a copy of the vendor's report to Even Hotels and the Card Organizations. They must also implement any recommended remedial actions and cooperate with Even Hotels in the investigation and resolution of the breach. Even Hotels retains the right to conduct audits at the franchisee's expense to verify compliance with these obligations, and may suspend services or terminate the agreement if a significant data security compromise occurs, which underscores the importance of maintaining robust data protection measures.