Ask HN: Booking.com sends raw CC data to Hotels. Is it legal?

33 points_hv998y ago19 comments

A friend of mine has a hotel and hostel and is partner with booking.com. He received 100s of CC raw data each day.

There is no protection whatsoever. Booking doesn't manage payments on their own, they send the data clean-text directly to the hotel owner to process them using their own POS.

Is it legal? this is Masive.

19 comments

its_trivial8y ago

they send raw credit card numbers, they dont send YOUR credit card number. They create a disposable credit card number, which they send down to the hotel, linked to your credit card. Its like a token in the form of a different credit card number. The hotel doesnt know the difference and the disposable credit card number has a fixed limit which is what you paid for your room. After that it is discarded, I dont know what happens to it afterwards. Edit: I work for a large hospitality software company, those numbers go thru us before they get to the hotel.

GFischer8y ago

Very interesting:

https://partnerhelp.booking.com/hc/en-us/articles/213317965-...

When a guest makes a booking and is being charged on your behalf, you'll receive a virtual credit card from an external payment provider along with the booking details. This card gives you access to the exact amount, and you can charge it according to the charge date. Paid online will show in the Status column on the Extranet’s Reservations page, showing that the guest has been charged on your behalf.

sova8y ago

PayPal used to offer one-time use disposable CC numbers. The limit fixed at the right price is a good innovation. Thanks for sharing!

cjmoran8y ago

My bank (Bank of America) offers this feature, but it's a bit buried in the menus. Custom limits and everything, it's pretty useful.

But there are plenty of reasons not to do business with Bank of America. I'm no shill for them.

2 more replies

ezekg8y ago

For the curious, there's an API for that: https://www.marqeta.com/

kstenson8y ago

Does anyone know if there is a uk company that offers this service?

2 more replies

chatmasta8y ago

That’s actually very interesting. Thanks.

Do they do this via a partnership with MasterCard or something? Basically similar to prepaid cards?

boysabr38y ago

They should be using an issuing processor (a financial institution that works with Visa or MasterCard) to issue card numbers. Issuing processors can easily generate card numbers programmatically + on the fly.

1 more reply

hairyjewbear8y ago

I have picture proof this is false

elyrly8y ago

thanks for the insight

siquick8y ago

You should edit the context of this question based upon the answer from its_trivial : https://news.ycombinator.com/item?id=16103175

boysabr38y ago

I think you have the answer already and IANAL but just to add on, in most countries this a matter of PCI compliance that is enforced by the card networks. In most countries it's not a criminal offence to be PCI non-compliant (but you could be liable for civil suits and fines by the card schemes).

I imagine there's a clause in the PCI compliance rules that allows raw card numbers to be sent less securely if they are virtual + single use card numbers or maybe if the liability of fraud on those card numbers doesn't fall on the "original" card holders.

damm8y ago

If you want to know it's legal ask a lawyer.

Am I shocked? no... reminds me of ACH and the file format they use.

j / k navigate · click thread line to collapse