Ask HN: Booking.com sends raw CC data to Hotels. Is it legal?
A friend of mine has a hotel and hostel and is a partner with booking.com. He receives hundreds of raw CC data records each day.
There is no protection whatsoever. Booking doesn't manage payments on their own; they send the data in clear text directly to the hotel owner to process using their own POS.
Is it legal? This is massive.

They send raw credit card numbers, but they don't send YOUR credit card number. They create a disposable credit card number, which they send down to the hotel, linked to your credit card. It's like a token in the form of a different credit card number. The hotel doesn't know the difference, and the disposable credit card number has a fixed limit, which is what you paid for your room. After that it is discarded; I don't know what happens to it afterwards.

Edit: I work for a large hospitality software company; those numbers go through us before they get to the hotel. Very interesting: https://partnerhelp.booking.com/hc/en-us/articles/213317965-...

"When a guest makes a booking and is being charged on your behalf, you'll receive a virtual credit card from an external payment provider along with the booking details. This card gives you access to the exact amount, and you can charge it according to the charge date. Paid online will show in the Status column on the Extranet's Reservations page, showing that the guest has been charged on your behalf."

PayPal used to offer one-time-use disposable CC numbers. The limit fixed at the right price is a good innovation. Thanks for sharing!

My bank (Bank of America) offers this feature, but it's a bit buried in the menus. Custom limits and everything; it's pretty useful. But there are plenty of reasons not to do business with Bank of America. I'm no shill for them.

Thanks, I'm with BoA and didn't know about the feature (it's called ShopSafe, for others).

I like privacy.com for this purpose - works well, plus it can anonymize transactions to make them opaque to the bank.

I love privacy.com - I can kill the debit cards I generate and use with specific merchants when they have been exploited.

Cool to know the feature exists somewhere. With the tidal wave of cryptocurrencies I'm optimistic that traditional banks will be forced to improve their customer relations, access, and transparency.

For the curious, there's an API for that: https://www.marqeta.com/

Does anyone know if there is a UK company that offers this service?

I think this is what https://www.wavecrest.gi/ does. But I haven't heard great things about them.

Shift Payments is another option in the US - don't think they're in the UK either.

IIRC, check out eNett.

That's actually very interesting. Thanks. Do they do this via a partnership with MasterCard or something? Basically similar to prepaid cards?

They should be using an issuing processor (a financial institution that works with Visa or MasterCard) to issue card numbers. Issuing processors can easily generate card numbers programmatically and on the fly.

Thanks for the info. I hadn't heard the term "issuing processor" before.

I have picture proof this is false.

Thanks for the insight.

You should edit the context of this question based upon the answer from its_trivial: https://news.ycombinator.com/item?id=16103175

I think you have the answer already, and IANAL, but just to add on: in most countries this is a matter of PCI compliance that is enforced by the card networks. In most countries it's not a criminal offence to be PCI non-compliant (but you could be liable for civil suits and fines by the card schemes). I imagine there's a clause in the PCI compliance rules that allows raw card numbers to be sent less securely if they are virtual, single-use card numbers, or maybe if the liability for fraud on those card numbers doesn't fall on the "original" card holders. If you want to know whether it's legal, ask a lawyer.

Am I shocked? No... reminds me of ACH and the file format they use.
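The virtual-card mechanism the thread describes (a disposable number linked to the guest's real card, capped at exactly the booking amount, chargeable from the charge date, then discarded) as an added Python model; this is illustrative code, not code from the thread, from Booking.com or from any issuing processor. The placeholder BIN, the sequence-based numbers and the decline reasons are constructed for the example.

```python
from dataclasses import dataclass
from itertools import count

def luhn_check_digit(partial: str) -> str:
    """Luhn check digit that makes partial + digit a well-formed PAN."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def mask_pan(pan: str) -> str:
    """PCI-style masking for logs and receipts: only the last four digits stay visible."""
    return "*" * (len(pan) - 4) + pan[-4:]

@dataclass
class VirtualCard:
    pan: str              # disposable number handed to the hotel
    real_card_ref: str    # opaque reference to the guest's card, never its PAN
    limit_cents: int      # fixed limit: exactly what the guest paid
    charge_from: str      # ISO date from which the hotel may charge it
    used: bool = False    # single use: discarded after one capture

class VirtualCardIssuer:
    BIN = "999999"        # constructed placeholder, not a real issuer range

    def __init__(self) -> None:
        self._cards: dict[str, VirtualCard] = {}
        self._seq = count(1)

    def issue(self, real_card_ref: str, amount_cents: int, charge_from: str) -> VirtualCard:
        partial = self.BIN + f"{next(self._seq):09d}"       # 15 digits, then the check digit
        pan = partial + luhn_check_digit(partial)
        card = VirtualCard(pan, real_card_ref, amount_cents, charge_from)
        self._cards[pan] = card
        return card

    def authorize(self, pan: str, amount_cents: int, today: str) -> tuple[bool, str]:
        """Issuer-side decision for a charge the hotel submits against the virtual PAN."""
        card = self._cards.get(pan)
        if card is None:
            return False, "unknown card"
        if card.used:
            return False, "already used"
        if today < card.charge_from:          # ISO dates compare correctly as strings
            return False, "before charge date"
        if amount_cents > card.limit_cents:
            return False, "exceeds fixed limit"
        card.used = True                      # a leaked number is worthless after this
        return True, "approved"
```

The point for the hotel side is that a virtual PAN exposed in transit is bounded by the limit and the single use, unlike the guest's real card.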