Equifax, 143 Million
Lest we forget.
US hotel chain Marriott has admitted that a breach of its Starwood subsidiary's guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever. "On September 8, 2018, Marriott received an alert from an internal security …
This put a few thoughts in my head. I've done PCI in the restaurant industry, and credit card numbers never need to be stored there. But, do I understand correctly that hotels keep numbers on file for ongoing charges and a hedge against guests who might take off without paying? That's a major challenge. Maybe what's needed is a token issued at the time of check-in against the guest's credit card that can only be used by that particular hotel. That way the hotel can deal with ongoing charges without storing a card number that could potentially be used by anybody. But, given the time it took to get chips in the states, I imagine this won't happen over night.
Revolut do disposable virtual debit cards with a premium subscription. £7 pm I think.
Probably similar banks do as well.
They've also got a location based security, do / don't allow contactless or internet purchase and freeze card options with their standard service.
I do remember seeing Barclays advertising at least the freeze card option.
So called 'challenger' banks are probably more likely to offer these features than the big boys as a differentiator.
Personally I started using Revolut because it allows me to do commission free foreign transfers at the interbank rate but YMMV.
Well Mariott use The Opera property management system which is now owned by Oracle.
They were also one of the first to sign up to using it in the Oracle Cloud. Therefore there should not be a customer database that would locally be accessible to anyone.
The Opera system can also utilise the Oracle Payment Interface (OPI). This does allow modern fully tokenised credit card support, however this has only been available for a short time and would not be the default with this service.
Opera also has a number of APIs that allow you to retrieve and download customer data and can download CC data that isn't tokenised.
So maybe they were polling the data down from the cloud into a separate db, maybe their web service was copying the data to an internal db when it was making the booking.
Marriott have said "We also do a lot of research on transactional data to understand the value of getting an additional point of conversion through a new medium and what helps to drive that conversion. Based on what the data shows us and what customers are telling us, we try to marry the two together to reach informed decisions about the business."
So it would seem they like to pull data into a centralised analytics system of some kind.
Hopefully it won't be Oracle's cloud which has had issues!
> Maybe what's needed is a token issued at the time of check-in against the guest's credit card that can only be used by that particular hotel.
Just like the APIs that most card processors provide, and have done for years?
When that ecommerce site offers to save your payment details, this is what should be used. There is no need to hold details (beyond a few masked digits so customers can recognise which card has been saved).
(Might be all card processors for all I know, certainly the APIs I've used all have this option.)
"Just like the APIs that most card processors provide, and have done for years?"
There's a little bit more to it than that. Fine if you are just creating an e-commerce website but dealing with a full fat property management system that is interlinked with multiple third party system, then the payment service provider is just a small chink in the chain. There are multiple factors involved with running full tokenisation, including the requirement for a hotel's special allowance to do long term deposits, card authorisations and end-of-day re-authorisations (once again across multiple systems from different suppliers).
SO the API that allowed it for Opera (which Marriott uses AFAIK) has only become properly available in proper way since the Oracle Payment Interface and API became available to use this year. Even then it only works with a PSP and that supports it, and they in turn have to support your PED and both of them have to support your Acquirer, which also have to support your bank. If you have legacy suppliers it gets a bit harder.
If it started in 2014. I doubt its Oracle Cloud as it didn't exist for Hospitality nor Opera which is Java and Opera Cloud v1 isn't widespread in general except for the fleet and test-beds, plus the acquisition was a couple of years later. It sounds to me like its loyalty related, though I'm not familiar with their architecture other than common knowledge.
1. Not all hotels have Opera cloudy servers. Some are still physically at the hotel.
2. It's quite possible that they breached "Valhalla", their back-end reservations database. This is probably why it is limited to Starwood hotels and not the whole group, as Marriott use a different system.
That's exactly why innovative startups succeed in all industries...a defence of the status quo as opposed to a drive for positive improvement.
You can change and improve if you want to.
You can have multiple accounts so you can do an orderly transition...heck acquirers will give you a temp account to help with the transition...you just have to ask for one.
My key problem with REvolut is this:
3.4. When we hold Electronic Money for you, us holding the funds corresponding to the Electronic Money is not the same as a Bank holding money for you in that: […] © your Electronic Money is not covered by the Financial Services Compensation Scheme.
I've done the opposite before, flag that the card is going out of the UK.
It must be 10 years ago that I visited Chile. After a couple of days tried to use my debit card to withdraw cash - nope! Seconds later got a text from the bank telling me about it and saying to reply to unblock.
Had similar texts (but not blocks) when I used Lloyds CC to order stuff directly from a shop in Santiago. "Was this you? If not phone...."
But yes, why does anyone need to store CC numbers once the transaction has been verified - or even before if you use a portal like Paypal?
What you want is something like a kerberos ticket: a token which proves you've seen the card and which gives you some rights (like taking money from the card up to some limit) for a finite time, beyon which it becomes valueless.
From other replies it looks as if these do exist?
If it started in 2014. I doubt its Oracle Cloud as it didn't exist for Hospitality ....
But what about the acquired businesses that Oracle borged? In particular, Micros, who were an EPOS and hospitality specialist, and themselves a product of the horrible "snowball acquisition" model that afflict ERP and EPOS vendors.
Actually there is a product you can get for online purchases.
The other thing that there is a company that tokenizes the CC details so that companies like Marriot doesn't store the CC # and stuff.
There's more, but the real problem is that we have the Mongol horde of programmers who really don't know what they are doing behind the scenes. (Or you could use Vandals too ... )
>But yes, why does anyone need to store CC numbers once the transaction has been verified
Hotels get a special PCI exemption (like car rental), otherwise they would need your card when you book to take a deposit, you queue again at checkin to pay, then you queue at checkout to pay for any other charges.
People don't like queuing and the majority of hotels in the USA are booked on business trips so nobody cares if the card is ripped off
After working in banking for four years and moved on from that horror show, I can confirm that nearly every major bank does have this feature
. Pretty much depending on who you bank with will determine which department you contact. I know that during banking hours 9am - 5pm ish you can speak to debit card fraud prevention and they will be able to add this feature, however depending on the agent you get will depend on whether or not they implement it. I know that's not the most useful answer but its pretty accurate.
Thanks for the feedback - I've now received my email, to the correct address, but the website still claims that my email is invalid.
I've spoken to a very nice man on the helpline who admitted that he's only there to handle to calls, he has nothing more he can do for me apart from pass it on to tech support.
It’s hefty and you’ll need a couple of reams of paper.
To save you the trouble. In my opinion we need a global legal API (!?) framework.
If you know your PCI and loyalty there’s big gaps continent wise and there also needs to be a discussion about geo-location silo-ing, escrow, times expiry and mega-data policy. #whatsyourvectorvictor
Tweet the G20, that's what you're here for. Not a new standard either. China and Africa are mag-stripe and the states are somewhere in between. If you've travelled through the middle with foreign cards, it's a lottery whether, POS, ATM or ePOS works anyway. This is why I moan about banking etc... #quellesurprise #enthalpyoscillation
Biting the hand that feeds IT © 1998–2018