What responsibilities does an Even Hotels client have regarding cardholder data security and storage?

Even_Hotels Franchise · 2025 FDD

Answer from 2025 FDD Document

, applicable to the Card types you accept. You are responsible for staying up to date with all changes to Card Organization Rules and maintaining compliance with Card Organization Rules. Card Organization Rules may be available on websites such as https://usa.visa.com, http://www.mastercard.com/us/merchant/support/rules.html, www.discovernetwork.com/en-us, and www.americanexpress.com/merchantopguide, as links and their content may change from time to time.

  • 3.2 Applicable Law. Each party is responsible for determining all Applicable Law that is applicable to it and for complying with all such Applicable Law in connection with the Agreement.
  • 3.3 Your Payments Acceptance Guide. You agree to comply with the Your Payments Acceptance Guide, as it may change over time ("Your Payments Acceptance Guide"). The current Your Payments Acceptance Guide is available at www.businesstrack.com. To the extent of any inconsistencies between these Terms and Conditions and the Your Payments Acceptance Guide, these Terms and Conditions will govern.
  • 3.4 Conflicts. For the avoidance of doubt, your use of the Services, the transactions you process, and all of your acts and omissions must comply with the Agreement, Applicable Law, and Card Organization Rules (including PCI DSS). If there is a conflict between Applicable Law, Card Organization Rules, and the Agreement, the conflict shall be governed in the following order of precedence: (1) Applicable Law; (2) Card Organization Rules; and (3) the Agreement.

4 Data Security and Third Parties Used by Client

The following is important information regarding the protection of Cardholder data. Please review carefully as failure to comply can result in substantial liabilities and termination of the Agreement.

  • 4.1 Payment Card Industry Data Security Standard.
    • (a) You Must Comply with PCI DSS. As part of your obligation to comply with Card Organization Rules, you are required to comply with PCI DSS. PCI DSS compliance is focused on Merchant Systems where Cardholder data can be accessed, processed, stored, or transmitted, including external connections into your network, connections to and from the authorization and settlement environment (e.g., connections for employee access or for devices such as firewalls and routers), and data repositories outside of the authorization and settlement environment. Information about PCI DSS can be found at www.pcisecuritystandards.org. You also are solely responsible for ensuring that all Merchant Providers, Merchant Systems, Third Parties, Third Party Services, equipment, and software that you use in connection with Card transactions comply with Card Organization Rules, including PCI DSS.
  • (b) Non-Compliance. The Card Organizations or we may impose fines or penalties, or restrict you from accepting Cards, if it is determined that you are not compliant with the applicable data security requirements. Subject to Section 4.3, we may in our sole reasonable discretion suspend certain or all Services under the Agreement if we reasonably believe in good faith and based on evidence that an actual or suspected data security compromise has occurred, provided that we will use reasonable efforts to provide you advance written notice of such suspension, unless such notice is prohibited by Applicable Law or Card Organization Rules. We will use commercially reasonable efforts to implement a workaround that allows you to continue receiving Card processing services from us during the suspension and we will remove the suspension and restore Services promptly after the threat has been resolved. If we reasonably believe in good faith and based on evidence that actual data security compromise has occurred which creates liability exposure for us, we may terminate the Agreement upon written notice to you.
    • (c) We Must Comply with PCI DSS. We, and the systems and service providers we use, also must comply with PCI DSS and any additional Card Organization Rules applicable to our Services.
  • 4.2 Compliance Audits. Each party may be subject to ongoing validation of its compliance with PCI DSS standards. Furthermore, if we suspect a breach of your compliance obligations under the Agreement, we retain the right to conduct an audit at your expense, performed by us or a Third Party designated by us to verify your compliance, or that of your agents or Merchant Providers.

Source: Item 23 — RECEIPTS (FDD pages 99–438)

What This Means (2025 FDD)

According to Even Hotels' 2025 Franchise Disclosure Document, franchisees have extensive responsibilities regarding cardholder data security. Even Hotels requires franchisees to comply with the Payment Card Industry Data Security Standard (PCI DSS) and all Card Organization Rules, ensuring that all systems, providers, and services involved in card transactions meet these security standards. This includes securing Merchant Systems where cardholder data is accessed, processed, stored, or transmitted, and ensuring compliance from any Merchant Providers used.

Even Hotels franchisees must immediately notify the franchisor, no more than 24 hours after discovery, if Transaction Data is suspected of unauthorized access. If a data breach occurs, the franchisee is responsible for conducting an independent investigation, including a forensic analysis by a certified vendor, providing a copy of the vendor's report, and performing any recommended remedial actions. Franchisees must also cooperate with Even Hotels in the investigation and resolution of any security breach, potentially bearing the expense of a forensic vendor engaged by the franchisor if required by a Card Organization.

Non-compliance with data security requirements can result in fines, penalties, or restrictions on accepting cards. Even Hotels may suspend services if a data security compromise is suspected, and may terminate the agreement if an actual data security compromise creates liability exposure for the franchisor. Furthermore, Even Hotels retains the right to audit the franchisee's compliance, or that of their agents or Merchant Providers, at the franchisee's expense if a breach of compliance obligations is suspected. These measures are in place to protect cardholder data and maintain the integrity of the payment processing system, but place a significant burden and potential financial risk on the franchisee.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.