The service claims that it “safely transmits information”, but if desired, hotel staff can use CVC-codes.
On July 23, the “Pikabu” paid attention to the fact that the site for booking hotels Booking.com requires full information about the bank card, including CVC-code. Similar complaints have appeared before, as users are concerned that the information will reach unknown hoteliers.
we figured out how secure the bank data is when working with Booking.com and whether it is possible to not share the secret code with the hotel.
Booking.com not only requests CVC code, but also sends it to hotels
As explained by “Peekaboo” during settlement to the hotel in Malaysia, he saw at the reception the paper with printed data of his credit card. According to him, he did not transfer this information to employees and indicated it only on the website of Booking.com .
Usually the hotel requests the full card details from the service to debit the money for booking in advance or after the client’s departure, as well as when canceling the order. However, the user Oyshoboy suspected that the hotel staff could later use the data to steal money from his account.
Using this information, the hotel administrator wrote down the money from the card to pay for the reservation. I did not even enter a PINCODE! It turns out that the booking merges the confidential data of the cards to all who do not get to, and with the help of these data it is possible to conduct operations without the demand of the cardholder.
In 2013, Facebook user Paul Antony (Paul Antony) told about a similar case in a hotel in Malaysia. Since 2012, similar claims have been received from both Russian and English clients. In 2013, “Banks.ru” reported that Booking.com stopped requesting its customers for CVC-code in most cases , but the service is still not responsible for the unlawful actions of hotel employees.
The reservation system specialist in 2012 told that faxes with customer data are sent to hotels “for security reasons” so as not to use e-mail.
The fact is that the same Booking.com does not charge money for the number from your bank card, but simply transfers the data to the hotel, which itself gives the command to the cash transaction. And if suddenly your money was withdrawn from the card, then any transfer of funds can be easily protested by contacting the hotel. This practice has long been established in the West.
In Booking.com they say that everything is safe. But they do not explain how to carry out transactions without CVC codes
The reservation system specialist told that the hotels are working with a billing system through a closed system Extranet. From the system to the hotel by fax comes information with the data of the bank card, but without the CVC code and the last four digits. This information is transmitted through the Extranet, which is stored no more than three days.
At the same time, hotels may refuse to receive CVC codes altogether , if they do not need them for banking transactions. Also, the service does not require secret codes from American Express card holders and reminds customers that “by asking guests for a code, you can reduce the number of bookings . “
Booking.com did not answer question about why not all hotels request CVC codes and how they conduct bank transactions. The service representative only confirmed that the customer data is stored in the service for Extranet partners with two-factor authentication. However, compliance with security rules “remains the responsibility of the accommodation facilities” : that is, if a hotel employee can obtain your CVC code.
All partners of Booking.com agree to our terms and conditions, which require that the objects of accommodation comply with certain data processing procedures for the protection of customers, effectively and responsibly managing their business.
In those rare cases when we receive reports of inappropriate actions by partners, we, as in this case, immediately carry out an investigation.
In the Booking.com agreement for partners it is stipulated that hotels can indeed request bank data and CVC codes of customers . However, there are several limitations:
- Hotels can request bank data no more than three times and no more than 10 days after the client’s statement;
- Request can send only verified hotels that have been checked by Booking.com;
- The browser on the hotel computer must be updated to the latest version to support the work with the Extranet service.
How to keep your data safe
In February 2018, the “Tinkoff Journal” told how you can secure your bank data when working with bookings.
- Use hotels that do not require a bank card and agree to bank transfer or payment through services like Qiwi;
- Create a separate bank card for booking hotels, paying for tickets or subscribing for services, where to store only a portion of personal funds;
- Personally negotiate with the hotel owner for payment in cash without prior freezing of money.