Recently, I was working on a project with a similar business model to hotel booking websites such as LateRooms.com and Booking.com:
The customer reserves a “room” from a third party. The customer pays at the hotel. Failure to show, results in customers card being charged.
I was intrigued about how the others got this process to work, and naturally went about finding out, and doing some research.
Despite me thinking there was some kind of repeated pre-auth happening on the customers credit card until day of booking, I was concerned, and almost horrified when I discovered how these sites handle the process.
This is what actually happens on the above mentioned sites (and others not listed)
- Customer makes booking on secure site. Reassured the way through that the site is using SSL encryption etc…
- Customer submits their credit card details, as security for the booking.
- Here’s the scary part:
The booking website then faxes the hotel details of your booking, along with your credit card number, address, CV2, and expiry date (all the details required to complete a card not present transaction)
How did I discover this?
By signing up as a hotel, and reading how their process worked!
Naturally, I was worried, so i emailed one of the sites, asking them to confirm how the process works as a customer.
Here’s part of their response:
When your booking is processed via *********.com, the information you supply is securely sent to your chosen hotel via fax. Several other companies use this same method of transfer however, we are looking at implementing a full digital system to transfer card information.
Not all hotels will receive the CVV/CV2 number from us unless they have confirmed that the property is fully PCI/DSS compliant. Any hotel that is not compliant with this does not receive the full card information. The CVV/CV2 number is sent on the first fax only (to compliant properties) and then is omitted from any further faxes and is not held on our systems.
Naturally, this got me thinking: What if fax machine was accessible by other staff? Nosey customers? Joe public?
I’ve stayed in several hotels (some scarily booked on websites such as this) who’s “back room” office I wouldn’t exactly class as secure.
The advantage of working like this for the booking site however is clear:
They don’t actually handle any money. Therefore, reducing their liability for chargebacks etc… They simply invoice the hotel for their commission.