Hotel requesting credit card via email

leex

I called a hotel (in Ireland) yesterday to pre-pay an upcoming stay with credit card (booking was a gift for relative). They informed me that they had a new policy of not taking cards over the phone and would send me a form via email to add the booking details to.

I refused on the basis of this being a totally insecure method of sending that information. There are so many issues here including Data protection on the hotel side relating to the storage of the received card details.

I emailed them later to outline my concerns. They were totally in denial and ignorant to all of the risks. This will be the last business I will be doing with them, or any other hotel that handles my card details in such a careless fashion.

Is this becoming a common occurrence in other hotels?

SteM

But you're happy to give your card details to someone over the phone? What do you think they'll do with those details after you hang up the phone to them?

Tom Mann Centuria

All advice I've ever read is never send credit card/financial information via email.

leex

SteM wrote: »

But you're happy to give your card details to someone over the phone? What do you think they'll do with those details after you hang up the phone to them?

Totally different scenario.

Technically, in layman's terms, an email can be intercepted by anybody on the internet in between a person sending it and somebody receiving it. It would be even worse than sending a letter in the post to <insert country name> with your cc details printed on the outside of the envelope. Credit card numbers are 16 digits and easily recognizable through automatic scanning of the document.

The odds of issue are reduced significantly (but not totally) when you're dealing with a hotel employee on a 1 to 1 basis.

I would be interested in a bank's reply to a customer when investigating a fraudulent transaction if they were aware their customer sent credit card over email.

Meeeee79

Password protect the document with your chosen password, email to the hotel and then phone the hotel to tell them the password to open the document.

emeldc

Meeeee79 wrote: »

Password protect the document with your chosen password, email to the hotel and then phone the hotel to tell them the password to open the document.

Jeez, us old folk really need to get with the program here, I didn't know you could do that

davyboy1975

leex wrote: »

Totally different scenario.

Technically, in layman's terms, an email can be intercepted by anybody on the internet in between a person sending it and somebody receiving it. It would be even worse than sending a letter in the post to <insert country name> with your cc details printed on the outside of the envelope. Credit card numbers are 16 digits and easily recognizable through automatic scanning of the document.

The odds of issue are reduced significantly (but not totally) when you're dealing with a hotel employee on a 1 to 1 basis.

I would be interested in a bank's reply to a customer when investigating a fraudulent transaction if they were aware their customer sent credit card over email.

It would be no different to entering details on a website with regards to the bank.
In fact the bank would be less likely to give it back if you gave it over the phone as there is no security or proof of who you are giving it to.
If you are concerned about stuff like this then I wouldnt use a card to do anything tbh as info can be gotten anyway no matter where you use it

my3cents

davyboy1975 wrote: »

It would be no different to entering details on a website with regards to the bank.
In fact the bank would be less likely to give it back if you gave it over the phone as there is no security or proof of who you are giving it to.
If you are concerned about stuff like this then I wouldnt use a card to do anything tbh as info can be gotten anyway no matter where you use it

No it wouldn't. The website would be using a secure connection that is encrypted so only the website receiving it can read it. Email has no such security.

.......

This post has been deleted.

leex

davyboy1975 wrote: »

It would be no different to entering details on a website with regards to the bank.
In fact the bank would be less likely to give it back if you gave it over the phone as there is no security or proof of who you are giving it to.

Transactions over hotel booking websites are encrypted and the hotel or booking agent should never see the card details - it goes through a 3rd party payment company/bank.

davyboy1975 wrote: »

If you are concerned about stuff like this then I wouldnt use a card to do anything tbh as info can be gotten anyway no matter where you use it

I am not at all concerned at using my credit card over encrypted systems that have a much higher rate of security and regularly do so for world-wide travel and purchases on reputable merchant sites and have had no issues.

No system is 100% safe but the suggestion by a Hotel of using insecure email is amusing in 2017. I wouldn't have sent my CC details on email 10 years ago.

Neon_Lights

If I were you I'd tell them you'll pay them cash on arrival, you don't know if your booking info is protected. I'd also book through an aggregator like booking.com who would generally have more reputable security standards than a local hotel.

If you "need" to prepay, get a paysafe card or similar. Always look out for the PCI DSS symbol when entering your card details online.

davyboy1975

my3cents wrote: »

No it wouldn't. The website would be using a secure connection that is encrypted so only the website receiving it can read it. Email has no such security.

Info can be gotten still. My point is if the OP is bothered by stuff like that then dont use a card online as if you want to get the card details you will get them.
Andeven at that it is a million times more secure then giving it over the phone to some random guy which he was prepared to do

davyboy1975

....... wrote: »

This is totally untrue.

If you phone a hotel with on their listed number and speak with a staff member who gives you their name - then you know who you are speaking to.

Yes but do you know he will destroy your details after getting them? No you dont he couldeave them lying around so some one else could see them or he could use them himself. It is undoubtedly less secure then using email

Neon_Lights

I get similar qualms when you call a pizza place and they ask you for your card details. It gets my goat

jimmycrackcorm

emeldc wrote:

Jeez, us old folk really need to get with the program here, I didn't know you could do that

But at least your Nokia 3310 battery still lasts a week between charges

dil999

davyboy1975 wrote: »

Yes but do you know he will destroy your details after getting them? No you dont he couldeave them lying around so some one else could see them or he could use them himself. It is undoubtedly less secure then using email

The OP is quiet right. I would never send my card details via email. That email will sit in a folder on a common email and probably never be deleted. Numerous people will have access to it. It is very negligent of the Hotel to treat your credit card details like this. In most cases, when the details are taken over the phone, They are entered, there and then, into a third party payment system, and the hotel will have no further access to the details.

I would contact your card provider and inform them of this. I would also contact data protection, as the hotel is obviously storing unencrypted credit card details on their email system. That is a big no no.

leex

davyboy1975 wrote: »

Yes but do you know he will destroy your details after getting them? No you dont he couldeave them lying around so some one else could see them or he could use them himself. It is undoubtedly less secure then using email

Point taken and it is definitely true. One would hope that the identified hotel in question would employee honest staff and have a clear/secure process in place for cc transactions.

We're talking about varying levels of risk for the various payment options. A secure/encrypted website to take credit card information would be a lot safer than what was suggested.

.......

This post has been deleted.

leex

dil999 wrote: »

The OP is quiet right. I would never send my card details via email. That email will sit in a folder on a common email and probably never be deleted. Numerous people will have access to it. It is very negligent of the Hotel to treat your credit card details like this. In most cases, when the details are taken over the phone, They are entered, there and then, into a third party payment system, and the hotel will have no further access to the details.

I would contact your card provider and inform them of this. I would also contact data protection, as the hotel is obviously storing unencrypted credit card details on their email system. That is a big no no.

I had this discussion with them on email. Having over 20+ years professional experience in this area including PCI I knew what I was talking about. The reply I received proved they did not.

dil999

leex wrote: »

I had this discussion with them on email. Having over 20+ years professional experience in this area including PCI I knew what I was talking about. The reply I received proved they did not.

Tell them you are emailing the data protection commission office. and you will copy them on the email. Then do it. If they don't change their tune, they will after Data Protection contacts them.

Had an issue a few years ago with our mobile numbers being used for marketing purposes by a large retailer. Contacted data protection offices. Turns out we were not the only ones affected. The retailer got fined €50K, and we got all our data removed and an apology.

beechwood55

I have a Revolut card. Use that for all online transactions now. Just transfer the money to it before I make the purchase/booking etc.

Charles Babbage

dil999 wrote: »

Tell them you are emailing the data protection commission office. and you will copy them on the email. Then do it. If they don't change their tune, they will after Data Protection contacts them.

This.

Someone has to do it, as even this thread shows not everyone sees the difference here.

leex

beechwood55 wrote: »

I have a Revolut card. Use that for all online transactions now. Just transfer the money to it before I make the purchase/booking etc.

I have one also. There is the same risk here for your loaded funds. It is too bad that I'd have to repeatedly change the card number due to the negligence of a hotel or other vendor.

-=al=-

beechwood55 wrote: »

I have a Revolut card. Use that for all online transactions now. Just transfer the money to it before I make the purchase/booking etc.

I usually use this now since it only ever has whatever funds I need on it for purchases.

I'd never ever give card details in an email. That's a no brainier. I'd give them over the phone but wouldn't be too mad about it either but once again, if I'm slightly unsure about it I would use Revolut. I've no problems with online transactions if it's an encrypted secure server

beechwood55

leex wrote: »

I have one also. There is the same risk here for your loaded funds. It is too bad that I'd have to repeatedly change the card number due to the negligence of a hotel or other vendor.

No. I just transfer the amount needed just prior to doing the transaction. So no front loading of any money surplus to what is needed.

oliver29

leex wrote: »

I have one also. There is the same risk here for your loaded funds. It is too bad that I'd have to repeatedly change the card number due to the negligence of a hotel or other vendor.

In Revolut you can create a new virtual card and load only what you need ... can even switch if off until they're ready to use it.

Frequently hotels just want the CC to secure the booking, they don't even try using it until you get there.

The original point is valid, email isn't secure enough for this type of transaction.