Ask HN: Booking.com sends raw CC data to Hotels. Is it legal?
A friend of mine has a hotel and hostel and is partner with booking.com. He received 100s of CC raw data each day.
There is no protection whatsoever. Booking doesn't manage payments on their own, they send the data clean-text directly to the hotel owner to process them using their own POS.
Is it legal? this is Masive.
19 comments
[ 3.4 ms ] story [ 31.4 ms ] threadAm I shocked? no... reminds me of ACH and the file format they use.
Do they do this via a partnership with MasterCard or something? Basically similar to prepaid cards?
But there are plenty of reasons not to do business with Bank of America. I'm no shill for them.
I like privacy.com for this purpose - works well plus it can anonymize transactions to make them opaque to the bank.
Shift payments is another option in the US - don't think they're in the UK either.
https://partnerhelp.booking.com/hc/en-us/articles/213317965-...
When a guest makes a booking and is being charged on your behalf, you'll receive a virtual credit card from an external payment provider along with the booking details. This card gives you access to the exact amount, and you can charge it according to the charge date. Paid online will show in the Status column on the Extranet’s Reservations page, showing that the guest has been charged on your behalf.
I imagine there's a clause in the PCI compliance rules that allows raw card numbers to be sent less securely if they are virtual + single use card numbers or maybe if the liability of fraud on those card numbers doesn't fall on the "original" card holders.