Last week Tim Hughes from “The BOOT” (a blog about the business of online travel) highlighted, in this post, that two well-known hotel online travel agents (OTAs) allegedly maintain lax security on their customers’ credit card data.
In particular, Tim mentions:
- Booking.com (part of Priceline - Nasdaq:PCLN) - Europe’s leading online hotel reservations agency by room nights sold (Based in Holland)
- CentralR.com - An online hotel reservation company based in Ireland
The problem that Tim outlines is a process problem, and it is not unique to how the two named agents operate. In essence the business process is as follows:
- Customer makes online booking on an online hotel reservation website (or partner site)
- The end customer gives their credit card information to the central website
- The credit card details are transmitted (sometimes by fax) to the end hotel. The hotel can then use these credit card details to charge the customer in the event that they cancel or “no show” their reservation. The details transmitted to the hotel contain all the information required to charge a card, including the security ID number found on the back of the card.
So what is wrong with this?
All companies that handle credit card information have to comply with the PCI (Payment Card Industry) credit card standards.
- These can be found on this website
- Download the standard (PDF) (base of this page)
Adherence to these standards isn’t voluntary; it is mandatory. They are agreed by both Visa and Mastercard and are the industry standard.
Some sample requirements that can be found in the document:
- The CVC2/CVV2/CID numbers are not permitted to be stored
- Sensitive information must be encrypted during transmission over networks where it is easy and common for a hacker to intercept, modify, and divert data while in transit (Alex’s note - I assume this includes fax machines)
- Identify all users with a unique user name before allowing them to access system components or cardholder data (Alex’s note - NOT generic usernames or one username per hotel)
- Change passwords at least every 90 days
- Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data
- Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data, including the following:
  - Classify the media so it can be identified as confidential
  - Send the media by secured courier or other delivery method that can be accurately tracked (Alex’s note - this onus is on the sender, not the recipient, so the hotel booking agency can’t say that it is down to the hotel how they secure their incoming faxes)
- Screen potential employees to minimize the risk of attacks from internal sources (Alex’s note - unless the employee is a store cashier who only has access to one card number at a time)
- If cardholder data is shared with service providers, then contractually the following is required:
  - Service providers must adhere to the PCI requirements (Alex’s note - i.e. hotels must adhere)
  - An agreement that includes an acknowledgement that the service provider is responsible for the security of the cardholder data the provider processes
And I could go on.
The last requirement is an interesting one: it seems to put the onus on the hotelier to adhere to PCI standards, so perhaps this is what the hotel OTAs are relying on.
Conclusion
It seems that, because they work with many small and independent hotels, letting the hotel receive the card details is the only way these large OTA hotel booking agencies are able to operate their business.
Is their whole business model at risk?
After all, hotels are known for employing temporary staff, and as comments in Tim’s original post point out, many hotels store credit card numbers in Excel files on desktop computers. The credit card providers are becoming tougher and tougher about ensuring PCI compliance, so watch out, hotels.
Orbiscom Ltd, a Dublin, Ireland-based company, originated a product in 1999 that can handle this issue…and the product is offered for free on credit and debit cards by many of the world’s leading credit and debit card issuers in the US and Europe (Citibank, Bank of America, PayPal, etc). A disposable card number, linked to a consumer’s real card number, is generated along with a one-time-use CVV and expiration date. These details can be given to the hotel when making a reservation and if the data is compromised there is no risk to the consumer since the disposable numbers were generated with specific controls set for the hotel, an amount, and an expiration date. The disposable numbers can then be used to settle the bill when the consumer checks out, or the consumer can put the bill on the “real” card account. The card companies have not done a lot of marketing for these products so many consumers do not even know they have access to them. I suggest people call their card company and ask how to sign up (it’s free) or ask why their company does not offer them if they don’t. Millions of cardholders have used them so far…on billions of dollars of e-commerce.
Diane,
Thank you for your feedback.
The PCI standards don’t distinguish between storage of “throwaway” credit card numbers vs “real” numbers. (Probably because they can’t be distinguished without specific knowledge?).
So I can see how your system could help consumers - but not help the hotels - or am I missing something?