By Darren Cronian on Monday, March 30th, 2009

There are consumers who do not feel comfortable entering their credit card details online when making a hotel reservation, and I can understand that. I am not one of those consumers though; I trust that when I enter my credit card details they will be sent to the hotel securely.

Lack of credit and debit card security when booking hotels online


Well, that was until I received an email from a consumer who had checked in at a small independent hotel in London that he had booked through a third-party hotel booking website. While he was filling in the usual form with his address and passport number, he noticed that the staff had handwritten on the reservation printout his credit card number, expiry date and, more worryingly, his CVC code.

To have these details written down in such an insecure manner is frightening.

Concerns over card safety

I had never thought about this until now, but when I enter my debit or credit card details to reserve a hotel room, does the third-party booking site store those details, and how secure are they? How long are the details kept for? Does the booking site have to adhere to any security standards?

As a consumer, I enter my credit or debit card details at booking time thinking that the electronic transaction is safe and that my card will not be billed anyway: I pay the hotel directly with my card on an electronic terminal, entering my PIN securely.

Open gateway to fraud

What concerns me more is that I always check that I am entering my details on a secure server (the address begins with https://) and that there is a padlock at the bottom of my browser, but that means nothing if the hotel search website then sends the details on insecurely.

If the hotel booking website transfers all the credit and debit card data to the hotel, any member of staff at the hotel can write down the details and then go shopping online. It would be interesting to hear from hotels and hotel booking sites, because as a consumer I find this worrying.

I am interested to hear of any similar stories about hotel security and credit and debit cards.
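To make the contrast concrete, here is an added example (written for this page, not code from the original post or from any booking site) of what a booking site could forward to a hotel instead of the full card details: the CVC is never included, the card number is masked to the first six and last four digits, and numbers that fail the Luhn check are rejected at booking time. The Booking record and its field names are assumptions for the example.

```python
# Added example, not code from the original post or any real booking site.
# It shows a booking site keeping full card details to itself and forwarding
# the hotel only a minimised record: masked card number, no CVC.
import re
from dataclasses import dataclass, replace
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check, which catches mistyped numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS allows on a display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Booking:              # assumed record layout for this example
    guest: str
    pan: str
    expiry: str             # MM/YY
    cvc: Optional[str]      # only present until the card has been authorised


def accept_booking(guest: str, pan: str, expiry: str, cvc: str) -> Booking:
    """Validate card input at booking time; obviously false numbers never reach the hotel."""
    pan = re.sub(r"\D", "", pan)
    if not luhn_valid(pan):
        raise ValueError("card number fails the Luhn check")
    if not re.fullmatch(r"\d{3,4}", cvc):
        raise ValueError("CVC must be 3 or 4 digits")
    return Booking(guest, pan, expiry, cvc)


def after_authorisation(b: Booking) -> Booking:
    """Once the gateway has authorised the card, the CVC is dropped rather than stored."""
    return replace(b, cvc=None)


def hotel_record(b: Booking) -> dict:
    """What the hotel receives: enough to identify guest and card, nothing to charge it with."""
    return {"guest": b.guest, "card": mask_pan(b.pan), "expiry": b.expiry}
```

The constructed test number 4111 1111 1111 1111 is the well-known Visa test value and is used only to exercise the Luhn check.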



22 responses to “Lack of credit card security when booking hotels online”

Claude | 31 March, 2009 at 6:43 am

Darren,

Seems you are opening doors that have already been open for years ;-)
“If the hotel booking website transfers all the credit and debit card data to any hotel and any human staff at the hotel can write down the details and then go shopping online”

In the end, it’s the reception desk that has all your data.

Some keep it safe, some have an Excel sheet or a book with credit card numbers, or some other process.

The Boot talked about it in an old post.

Best regards

Claude

Report comment

Kevin May | 31 March, 2009 at 6:44 am

The first thing to ask about this anecdote is what your emailer said to the hotel when he saw his details displayed in such a way.

Did they have an excuse? Is it a process they use for all their 3rd party registrations? Did they promise to destroy the CC numbers immediately?

Report comment

Simon | 31 March, 2009 at 8:18 am

Most good businesses (if following good practice) should comply with at least some of the PCI (Payment Card Industry) Compliance Guidelines (http://www.pcicomplianceguide.org/). They cover a wide variety of card security aspects, ranging from whether card details are stored, and if they are, whether they are encrypted, to SSL certificates, to reviewing the physical network where servers sit and who has access to them.

Don’t forget, the same could apply if you telephone a call centre – they could be writing your details down on a piece of paper instead of inputting them straight into their system (which might not be PCI Compliant anyway!).

Report comment

idaho | 31 March, 2009 at 8:25 am

Well, this problem occurs when booking systems are used that do not store credit card details (e.g. booking.com); they only send these details in text format. There are other booking systems which handle the transaction themselves using a third-party e-payment system; in that case all the details are kept by the e-payment system.
Yes, we cannot talk about security when all your CC details are being handwritten on a sheet of paper. But on the other hand we have to think about the hotels; many of them receive false details and cannot charge no-shows.

Report comment

Sam | 31 March, 2009 at 11:12 am

It’s a great question. No matter how reliable the system is you book with, the details are nearly always going to be passed on to the property in some way/shape/form at some stage. Typically this would again be in some secure fashion, but from there on out, it’s the property that is in charge. Chances are they just copy it directly off their screen on to some system of their own that isn’t secured, or like this guest noticed, directly on to a piece of paper…

Report comment

james Dunford Wood | 31 March, 2009 at 6:21 pm

I agree with Karl – use a credit card that has payment protection. I have worked in various online hotel booking businesses, and while security was taken seriously in the office, transmission was often by fax and sometimes email. Clients who did not want to book online because they were worried about security emailed us their CC details, and some hotels could only accept emailed or faxed CC details. Moreover, hotels often need to verify card details when guests arrive (not trusting online systems to do it for them, or wanting to chase us for cancellation fees if the client did not show up), and so needed to get their own copies of the card numbers, which they would most likely scribble on scraps of paper. Try forcing CC security on owners of small Moroccan riads!

Report comment

Darren Cronian | 31 March, 2009 at 6:31 pm

I’m sorry, but you are all giving me the impression that “it’s always been like this, therefore it’ll continue to happen”. How many consumers would book online if they knew that their personal data was being handled in this way? Isn’t it illegal to store or hold the CSV number on a system, never mind write it on a piece of paper? Should the booking websites not be keeping hold of this data securely and only giving it to the hotel IF the customer does not turn up?

Report comment

Simon | 1 April, 2009 at 8:04 am

It’s not illegal to store the CSV, but under the PCI Compliance Guidelines you are meant to encrypt it to a certain level to ensure that if that database is compromised there is less chance of someone being able to decipher it. A lot of payment processors still don’t actually use the CSV number – they ask you to input it, but it’s not actually used.

Report comment

Murray Harrold | 1 April, 2009 at 10:45 am

When I book hotels, I use the GDS (Amadeus, at present, worse luck). With agency bookings, we do have to use a credit card as a guarantee only and use the long number and the expiry date, not the CSV number. Even with pre-paid deposit type bookings. That said, I do not like the pre-paid bookings as it does rather rely on a harassed receptionist with a queue of 4 people in a hurry at 06 cor blimey o’clock managing to find the pre-payment. Normal “cancel by 1600 day of arrival” type rooms can be worth paying the extra few pounds for (especially in business travel where plans change). I am also rather keen on the good old fashioned “pay your bill when you leave” type hotel booking; then no-one needs to write down anything.

Report comment

Nick | 1 April, 2009 at 12:42 pm

Darren,

This is not just a travel problem; it is a wider problem and applies whenever you use the card online or over the phone.

Report comment

Daniele Beccari | 2 April, 2009 at 11:59 am

I strongly agree with Darren that this is a problem and I will add more details later on, but I do not agree at all that because there is lack of security in other markets, or because “it’s always been like that”, online travel sites should not do anything about it!

On the contrary, online sites have the chance to do it right.

I am very comfortable with paying with a credit card if I know the site is secured via SSL + the payment is processed through a secure payment gateway + the card number is then deleted or encrypted without ANY human being seeing it at all. If some human has to access my credit card details, I want to decide who to trust. (Note: I am not speaking about situations of serious attacks here; I am concerned about the standard process.)

If, currently, through online retail hotel sites millions of full credit card details are being transferred in the clear to thousands of hotels every month, and made available to tens of thousands of receptionists, I think there is a problem.

Report comment

Clive | 5 April, 2009 at 3:48 pm

Generally it appears common that the credit card details are passed to the hotel receptionists. They should not need the CSV code though. In the end most security systems fail at the human factor.

Report comment

Guillaume | 6 April, 2009 at 12:54 pm

This topic keeps coming back every year, but nobody seems to tackle this problem from the Visa/Amex and other credit card companies’ point of view.

There was a day when hotels could simply debit a VISA credit card for one night if the customer failed to check in or forgot to cancel his hotel booking in line with the canx policy. The hotel front desk only needed the CC number + the expiry date.

But now it looks like the VISA machine also asks for the CVC number to debit this first night.

Now take a step back: do you really see hotels calling back the customer (if they have his details; not all OTAs ask for a phone number) and asking them for the CVC number to debit a room they never stayed in? Could you imagine the argument/negotiation over the phone?

To avoid all these payment issues, the solution would be for the customer to always prepay the 1st night at the time of booking. But who will take this payment? I don’t think Booking.com will do this as they are not considered a merchant. So it would still be the responsibility of the hotel to call back the customer and ask for this number…

Report comment

Darren Cronian | 8 April, 2009 at 3:33 am

@ Guillaume

I agree that no one seems to tackle the problem, and I do know it’s an issue that a number of people have written about in recent years, and for me, inputting my credit card details (including the CVC number) and then this being put into the hands of staff in hotels is only asking for trouble in my opinion.

Report comment

Alex Bainbridge | 10 April, 2009 at 5:36 pm

I think I have a solution to how OTAs can work with consumers and hotels in a PCI compliant way while permitting hotels to charge consumer cards without the details flying around the place.

Let me spend some time documenting it and I will write it up as a blog post.

It is a solution we just put into our own reservation system and I *think* I can see how it could be used in a multi legal entity way (i.e. OTA, hotel, consumer).

I do agree the current state of affairs is pretty scandalous from a consumer’s perspective.

Report comment

Pingback - Musings on Travel E-commerce | 15 April, 2009 at 12:16 pm

[...] cards are currently insecurely transmitted between online travel websites and individual hotels. [See blog post]. This is a classic problem that needs an entrepreneur to come along and address. In two years, [...]

Report comment

jct | 15 May, 2009 at 2:10 pm

While there is currently no good solution to this problem (short of RFID tags, which would probably end up being subject to the same problems anyhow), booking a prepaid room at least limits the number of humans that will be in contact with your credit card number. When you book a prepaid room through a third party website, no one at the hotel is ever in contact with your credit card information; the booking agency provides the hotel with a company credit card number to charge. There are definite headaches involved with prepaying (often higher rates to compensate for commission, stricter cancellation policies, call-center customer service), but you can be a complete jerk to the front desk clerk without worrying about her/him stealing your information for retribution.

Report comment

Lina Zaproudi | 17 May, 2009 at 4:49 pm

Hi Darren,
I found your post mentioned on Alex Bainbridge’s blog and it is shocking to “read all about it”. I had no idea things could be like this.
It seems our travel company is the “securest of them all”!

Let me explain:
When we book a hotel for a customer, we take their credit card details via a secure page (on our website). The details get encrypted (so browser to server = secure) and we receive them (individually) encrypted (server to email = secure). We have special software on our receiving computer and with the use of a password we decrypt the details (momentarily). We charge the card on our bank’s secure gateway.
The email with the details remains encrypted, secure. We do not store these details in our customer database.

We charge our customers a refundable deposit (about 20%) and they pay the balance directly to the hotel, when they check out.
KEY: We DO NOT GIVE THEIR CREDIT CARD DETAILS TO THE HOTEL – EVER!
We have built relationships of trust with our hotels, so we have arranged that they do not receive the customer’s credit card details at all. The guest pays with their card when they leave. The hotel trusts us to charge a cancellation fee if the situation occurs.
In that way, we totally circumvent the problem of insecure transmittal of credit cards to the hotels.

I know some people may prefer to not pay a deposit, but with us refunds are easy & quick, the card details are secure, so I think it’s a better way.

By the way, we have researched and implemented the encryption/decryption setup ourselves, so if any small travel agent reading this is interested, we can help them set it up.

Report comment

Alex Bainbridge | 23 May, 2009 at 10:22 am

Hi Lina

That solution sounds, from your description, not to be PCI compliant.

For example, while the transmission to your server may be secured (via SSL), the details are momentarily unencrypted on your server before being encrypted in the email.

Happy to be corrected if I have misunderstood how you have made your system PCI compliant.

Who does your PCI auditing incidentally? I don’t see a logo such as from McAfee Secure on your site – http://www.mcafeesecure.com

Report comment

Lina Zaproudi | 27 May, 2009 at 4:40 pm

Hi Alex.
As discussed in more detail by email between us, we are PCI compliant.

The “solution” is merely a way to add a security layer on top of SSL, by using an encryption script & public key on the web server and a decryption program and private password on a company PC. So the sensitive emails remain always encrypted (AES128 encryption).

For full PCI compliance, agents should consult the requirements described in the documents found here: https://www.pcisecuritystandards.org/

Report comment

Alex Bainbridge | 27 May, 2009 at 5:16 pm

Hi Lina

Quoting from the standards:

“11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company’s internal staff.”

As you say you are PCI compliant, I assume you do have the scans in place (required even if self auditing), which is good news for your customers. It would have been easier if you had just said that, as I asked this question in the comment above!

Report comment

Andy | 31 May, 2009 at 8:22 pm

This is an interesting thread and one which I am pleased to say we manage effectively. At no stage, either through personal contact over the telephone or via an online booking, does any hotel or private villa owner get supplied with customers’ credit card details when booking through us. We don’t even retain the CVC number at all. If we need to carry out a further transaction with our customers we contact them again for their number. Our gateway provider doesn’t supply the CVC number to us, so if the booking is made live online even we do not have access to this number. I am happy with our security levels and know that this is crucial to us flourishing online. If we have a single slip-up it could ruin our entire business and wreck hard-won credibility. All our transactions are secure over the net with 128 bit SSL encrypted transactions. We provide booking solutions to private villa owners and small luxury boutique hotels and our guests know we take care of their security above all else. I would not do business with anyone that doesn’t ensure customer confidence, privacy and reliability.

Report comment
