Can You Trust a Hotel with Your Credit Card?

The short answer: No, you really cannot trust a hotel to keep your private information private. And no matter what, do not use debit card at a hotel, ever, at least not if it is a US issued card.

The reason: Hotel data breaches involving guest credit/debit card information just keep multiplying.  Most recently, a small chain of luxury hotels owned by US tycoon Donald Trump apparently has fallen victim, according to reporting by security blogger Brian Krebs.

Krebs added: “sources in the financial industry say they have little doubt that Trump properties in several U.S. locations — including Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York — are dealing with a card breach that appears to extend back to at least February 2015.”

Note: that means the breach lasted at least four months and, importantly, it seems to have been discovered not by the victim organization but by bank security who hunt for patterns in card fraud – what do point-of-sale compromised cards have in common? – and have become exceptionally good at pinpointing where a breach occurred.

A lot of breaches are happening at hotels.  In March, luxury chain Mandarin Oriental acknowledged it had been breached and customer credit card info stolen.

In April, a hotel management company named White Lodging – which runs hundreds of hotels in the US – acknowledged it had been breached. This was the second breach in as many years for White Lodging. .

In May Hard Rock, an international hotel operator, said it had been breached.

None of this is new. Five years ago, Destination Hotels, another management company, indicated it had been breached.

The scarier news: probably there are many breaches that never make headlines and may in fact never be detected by the victim organization. When lots of cards are compromised, bank security has data to trace a source. When the numbers are smaller, forget about it.  That is why many security experts believe there have been numerous unreported and undetected breaches at small hotels.

Why so much criminal interest in hotels?  Look at where the breaches tend to occur: at luxury hotels.  If a guest can spend $400/night for a hotel room, that guest’s credit card is probably good for $5000 or $10,000 or even more in fraudulent charges.  That makes these cards highly valued by crooks.

Hotels, security experts said, frequently have lax security and that is another reason professional hacker organizations appear to be targeting them. Some large chains are believed to have invested in keeping credit card info secure – but many others are known to pinch pennies when it comes to non-visible features and back-office credit card security is about as invisible to guests as it gets.

Expectations are that more hotel breaches will hit the headlines, certainly in the run-up to the EMV liability shift in the US in October, when the value to crooks of many credit card numbers will tumble.  Crooks seem to be mining as many card numbers as they can lay hands on now.

A loud word of advice: Never use a debit card at a hotel.  United States law – and similar laws in many other countries – make a credit card holder exempt from fraud committed on his/her account. The procedures are straightforward and, in most cases, a victim won’t be liable for even a dime of the fraudulent use.

Debit cards, at least in the US, do not have such tough protections.  With a debit card, your maximum loss is $50 – if you notify the issuer within two days of learning about the loss. If you report after two days but before 60 days, liability is capped at $500. After 60 days, your loss is unlimited.

It gets worse. With a debit card, money is literally withdrawn from an associated bank account when a crook uses it – and getting it restored does not happen in an eye blink. Days can pass, maybe a week, and that means car payments may bounce, ditto for home payments, and ATM machines may deny a victim cash withdrawals.

Yes, it probably will get sorted. Probably.

But better advice is: Don’t use debit cards at high risk establishments, and that definitely means hotels.

And always monitor use on any credit or debit card used at a hotel because it just may have been compromised.