Hotel keeping debit card details

[Heratnumber7]

We’re just back from a weekend away, and I’d like to gauge opinion on something before I write to the hotel management to complain.

We booked online, via booking.com I think (DH booked it).
When we checked into the hotel we were asked for our debit card so hotel could take a copy to use in the case we caused any damage in our room. We refused, but had to comply in the end because we couldn’t provide £50 cash deposit instead, and it was late so we were unlikely to find somewhere else (and we’d paid anyway).

Hotel assured us that copy of card would be locked in safe, and shredded after we’d left by “housekeeping”.

We said that wasn’t acceptable, and demanded the copy be returned to us when we left.

When we left and got the paper copy back we noticed that the hotel had also taken a note of our 3 digit security number on the same piece of paper AND they’d scanned our signatures from another form we’d signed for them to compare signatures to if we ordered at the bar, and pasted them alongside our card details.

I also now think that the whole piece of paper containing our details which was returned to us was a photocopy, which means hotel may still have a copy.

We’re very uncomfortable about the whole thing - we are vulnerable to fraud, and the two hotel employees who have access to the safe are also in a vulnerable position as customers could easily claim the card has been used to make purchases without their permission.

Has hotel broken the law? And should I complain? And if so, to whom?

Its normal practice but very dodgy and probably against their card processors rules.

You are not allowed to store peoples CVV numbers.

All uk hotels have to be pci compliant to accept cards, if this compliance is not adhered to they will lose the right to accept cards. The cc receipt that is kept by any business has the full card number on and has to be kept safe by law. That’s why the customer copy doesn’t show the entire number as this could easily be lost. So you are very safe

I work in a hotel.

There are data handling guidelines, which change depending on the number of staff at each organisation.

We were advised by booking.com to do exactly what this hotel has done (we don't).

You are not allowed to store peoples CVV numbers.

Exactly. Having the CVV number allows the charge to be processed as "card present", meaning that the physical card has been presented at the time of the transaction. It gets the merchant a small reduction in the processing fee as it's less risky for fraud than a transaction where the card is not present.

It is not standard practice in 2017.

You've done the right thing OP.

I'm not anymore but used to be in hotel management while at uni. Basically, what @Sayyouwill said (same system, too - it's an industry standard, pretty much).

And, yes, it's standard practice and legitimate for hotels to charge you for damages discovered after you've checked out. You wouldn't believe the stunts some guests will pull!

My most memorable incident was caught at check-out: we were fully booked and housekeeping went into the room as soon as they saw the thieves guests leave with their luggage. That's how I endes up with a call about the missing chair while they were still at reception. Security was called. A suitcase was opened, and a disassembled chair was found in said suitcase.

Did we charge them for it? You bet we did, cheeky fuckers!

Hereat the hotel is in the wrong.

They should never store and keep a copy of your 3 digit CCV number.

They could get fined for breaking PCI Standards.

I think you are right to complain/point this out to them. We take card payments where I work and are not allowed to write down card details under pain of death.

That’s what I think boardwalk.

I've had this. I informed my bank and cancelled my card.

Definitely going to complain.
Hotel actually wrote the card number, expiry date, CVV number on a piece of paper and scanned our signatures from another form onto paper with card details.
I’ll come back and let you know how I get on.

Hotel name and room number on key fob used to be normal practice in the 1960s (I remember them). But I would have thought that was a big no-no in today’s security conscious world. What if we’d lost the key!

I used to manage a hotel. This is standard. I’m sure you’re trustworthy but you have no idea how much others abuse their room and “goodwill credit” eg expecting people to pay for room/minibar/ phone etc on departure. We also used to keep records for 2 years post check out

I work in retail IT, dealing with customer data.

We only ever store customer data in an encrypted fashion. This is what the hotel should be doing. Storing it in systems where no staff get to see full card details.

We would never advocate writing down details, especially details that could be used to process a transaction without the customer present, e.g. The CV2 code.

I would feel very uneasy about this and would be complaining to the ICO.

www.gov.uk/data-protection/make-a-complaint

Kitkat keeping handwritten copies of card numbers, cvv numbers, expiry dates and signatures is definitely not standard.* I stay in hotels regularly for work trips, and I’ve never had this before.*
Electronic records, yes.* But handwritten, no. As other posters have said, it’s breaking the law.*

I'm re-reading now. I've assumed the hotel wrote down the card details where you said 'copied'...?

Im a hotel manager of a large branded property. Credit cards should be inputted directly onto the CRS system so encypted.

Other slightly outdateed practise is preauthorisation forms which allow for example companies to pay on behalf of a guest bit the form is completed by them not us and is a dying practise.

There's a large difference between how a branf operates and a mom and pop organisation. There's alot of things i would let off with independant business but correct card handling isnt one of them. They should know better.

Cross post

Nope, they shouldn't be writing those details down. At all. No matter ow long they intend to store the data.

I used to stay in various different chain hotels for work, in London and other large cities (to 2016). I have never had a credit card and generally refuse to give my debit card details for a work trip (booked and pre-paid through an agent). This has rarely been a problem.

I have no problem with a hotel taking a swipe of my card as a pre-auth for extras or even as a deposit (although can't recall being asked for the latter).

But writing my card details down, with the CV2 code?

Not a chance in hell.

Can I just ask... if you have stayed in hotels before why were you so shocked they asked for your card to guarantee the room on check in? You said that you tried to refuse this but this element of your complain happens in every hotel

Standard practice to preauthorise via the chip and pin machine which I assume has certain security standards attached to it, even if clever hackers can get through from time to time.

NOT standard practice, and I suspect a breach of payment services regulations, and data protection law,, to take a photocopy of the card and write lots of insecure information on it. Yes I would complain. The laws are changing in January 2018 (as well as GDPR from May) and they really do need to look at their practices around data security.

I did once refuse to provide my card. I'd paid upfront for the room, breakfast was included, and it was a work Xmas party (but I'd paid for the overnight accommodation myself). I said I'd already paid, there was no way I was going to incur more costs and they weren't having my card. I didn't realise they did it because of damage, I thought they did it in case you did a moonlight flit and didn't pay for the room, which I already had. Anyway, they didn't insist.

Just for the record, you are allowed to have paperwork with card details on. Just not the CVC. They must be securely locked up with only those who need the information who have access. In a locked filing cabinet for example until the details are no longer needed then it must be disposed of correctly. We use the method I outlined below.