We regularly hear from consumers who are concerned about the manner in which hotels are collecting credit card information from them, much of which is on paper via Credit Card Authorization forms and front-and-back card copies.
Here are some examples:
Question: I deal a lot with hotels and credit card authorization forms. Most of the hotels require a copy of the credit card in order to process the prepayment form. Usually they want it via fax. Under PCI Compliance standards, is this allowed? I’d prefer not to send this information to them, as the credit card number is already written on the form. Is there something I can say to them, that would prevent them from asking for a copy of the actual credit card?
Question: Do I have to supply copies of my credit card front and back and a copy of my drivers license to a hotel on a credit card authorization form if I am paying for a room.
Answer: Unfortunately, this is pretty common practice and there may be no way for you to get away with not sending the complete card for authorization purposes. Technically it falls on the hotel to secure this information once it’s in their possession. According to the PCI DSS, the hotel is not permitted to store your sensitive authentication data (including the CVV2 code on the back of your card) after authorization has taken place.
You are right to feel nervous about this, but for now I doubt there’s much that can be done aside from requesting that the hotel destroy any copies of your physical card once it has completed the authorization process.
Looking for information on payment security trends?
Check out ControlScan’s blog post, “Payment Security Trends to Watch in 2016.”