
Ask HN: Booking.com sends raw CC data to Hotels. Is it legal? - imd23
A friend of mine has a hotel and hostel and is a partner with booking.com. He receives 100s of raw CC data records each day.

There is no protection whatsoever. Booking doesn't manage payments on their own; they send the data in clear text directly to the hotel owner to process using their own POS.

Is it legal? This is massive.
======
its_trivial
They send raw credit card numbers, but they don't send YOUR credit card number.
They create a disposable credit card number, which they send down to the
hotel, linked to your credit card. It's like a token in the form of a different
credit card number. The hotel doesn't know the difference, and the disposable
credit card number has a fixed limit, which is what you paid for your room.
After that it is discarded; I don't know what happens to it afterwards. Edit: I
work for a large hospitality software company; those numbers go through us before
they get to the hotel.
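
The mechanism described in this comment (a single-use card number that is really a token linked to the cardholder's account, capped at the booking amount, and discarded after one authorization) can be modelled in a few dozen lines. The following is an added illustration written for this thread, not code from Booking.com, the commenter's employer, or any card network. The BIN prefix, account ids and amounts are constructed test values, and the Luhn routine is the standard check-digit algorithm used on real card numbers. The point it makes is the security property the comment relies on: the merchant side (the hotel) only ever holds the virtual PAN, never the mapping back to the real account, and even a leaked virtual PAN is worthless once consumed or over its limit.

```python
import secrets
from dataclasses import dataclass


def luhn_check_digit(partial: str) -> str:
    """Compute the Luhn check digit for a digit string that lacks one."""
    total = 0
    # Counting from the right of the partial number, the first digit is the one
    # that sits second from the right once the check digit is appended, so it
    # (and every other digit from there) is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the full card number passes the Luhn check."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def mask_pan(pan: str) -> str:
    """What a merchant may keep or display: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class VirtualCard:
    pan: str                 # the disposable number the hotel sees
    limit_cents: int         # fixed at the booking amount
    real_account_id: str     # known only to the issuer, never sent to the merchant
    active: bool = True      # single use: cleared on first approval


class VirtualCardIssuer:
    """Toy issuer holding the token -> real account mapping (constructed example)."""

    def __init__(self, bin_prefix: str = "999999"):  # constructed, not a real BIN
        self._prefix = bin_prefix
        self._cards: dict[str, VirtualCard] = {}

    def issue(self, real_account_id: str, limit_cents: int) -> str:
        """Mint a 16-digit, Luhn-valid virtual PAN capped at limit_cents."""
        body = "".join(secrets.choice("0123456789")
                       for _ in range(15 - len(self._prefix)))
        pan = self._prefix + body
        pan += luhn_check_digit(pan)
        self._cards[pan] = VirtualCard(pan, limit_cents, real_account_id)
        return pan

    def authorize(self, pan: str, amount_cents: int) -> str:
        """Merchant-side authorization request against a virtual PAN."""
        card = self._cards.get(pan)
        if card is None:
            return "DECLINED_UNKNOWN"
        if not card.active:
            return "DECLINED_ALREADY_USED"   # a leaked, spent number buys nothing
        if amount_cents > card.limit_cents:
            return "DECLINED_OVER_LIMIT"     # cannot exceed the booking amount
        card.active = False                  # discard after the single use
        card.limit_cents -= amount_cents
        return "APPROVED"


if __name__ == "__main__":
    issuer = VirtualCardIssuer()
    vpan = issuer.issue("real-acct-0001", 15000)   # 150.00 booking, constructed
    print("hotel receives:", mask_pan(vpan), "luhn ok:", luhn_valid(vpan))
    print(issuer.authorize(vpan, 20000))  # over limit
    print(issuer.authorize(vpan, 15000))  # approved
    print(issuer.authorize(vpan, 100))    # already used
```

Note that `authorize` returns the decline reason without touching the card, so an over-limit attempt does not consume the single use; only an approval discards the number. The hotel's own systems in this model would store at most `mask_pan(vpan)` rather than the full number.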

~~~
sova
PayPal used to offer one-time use disposable CC numbers. The limit fixed at
the right price is a good innovation. Thanks for sharing!

~~~
cjmoran
My bank (Bank of America) offers this feature, but it's a bit buried in the
menus. Custom limits and everything, it's pretty useful.

But there are plenty of reasons not to do business with Bank of America. I'm
no shill for them.

~~~
e1g
Thanks, I'm with BoA and didn't know about the feature (it's called ShopSafe,
for others).

I like privacy.com for this purpose - works well plus it can anonymize
transactions to make them opaque to the bank.

~~~
pmulv
I love privacy.com - I can kill the debit cards I generate and use with
specific merchants when they have been exploited.

------
boysabr3
I think you have the answer already and IANAL, but just to add on, in most
countries this is a matter of PCI compliance that is enforced by the card
networks. In most countries it's not a criminal offence to be PCI
non-compliant (but you could be liable for civil suits and fines by the card
schemes).

I imagine there's a clause in the PCI compliance rules that allows raw card
numbers to be sent less securely if they are virtual + single use card numbers
or maybe if the liability of fraud on those card numbers doesn't fall on the
"original" card holders.

------
siquick
You should edit the context of this question based upon the answer from
its_trivial :
[https://news.ycombinator.com/item?id=16103175](https://news.ycombinator.com/item?id=16103175)

------
damm
If you want to know if it's legal, ask a lawyer.

Am I shocked? No... reminds me of ACH and the file format they use.

