by Mark Mullis
Since we last reported about the prevalence of data breaches in the hotel industry over a year ago, we’re continuing to see more attacks. Many major hotel chains have been subject to some sort of hacking or payment data theft.
The most recent examples include:
- Hackers accessed a guest reservation database over a period of four years, gaining access to passport numbers, dates of birth, and even some payment card numbers and expiration dates of up to 500 million guests.
- A rewards database was hacked, compromising the data of an undisclosed number of guests.
- Another chain was victim to a data breach affecting 130 million customers, with login credentials, credit card numbers, and other sensitive information exposed.
Continued data breaches and fraudulent activity has less to do with negligence on the part of hotels and travel companies and more to do with the inherent vulnerability present in traditional payment methods, such as credit cards. Changing the way payments are made will counter such attacks and data breaches in the future and limit the impact on consumers.
Virtual Card Numbers (VCNs), or virtual payments, are emerging as a top solution to protect against payment fraud should a data breach occur. When combined with the merchant model of payment, travel companies and hotels can better protect their customers’ data and their own reputations.
Here’s how it works: When travel companies book hotels for their customers, they don’t pass along the customer’s payment data to the hotel. Instead, they generate a VCN to pay the hotel from their own account.
How is this more secure? Since hotels have become a major target for data thieves, it only makes sense to provide hotels with the most secure type of payment. VCNs are a payment system that is easy to use for travel companies, easy to accept for hotels, and provides a number of protections against the type of fraud prevalent in the hotel industry.
The added protections of VCNs include:
Unique card numbers set up for a single use
Each hotel booking uses a card number generated for that booking alone. So even if the card number falls into the wrong hands it is of little use once processed by the hotel.
Specified start and end dates
A start and end date can be set up to designate exactly when the number can be charged.
A maximum amount can be set for the VCN, based on the amount expected for the hotel stay. Any amount over the specified maximum will be denied.
Merchant category code (MCC) restrictions
When a travel company is generating a VCN to pay a hotel, they can specify the exact merchant category code, preventing any “merchant” that is not a hotel from making the charge.
Ability to remove unused funds
If the transaction amount used for the VCN is below the spend limit, the unused funds can be removed from the card.
Chargebacks for fraudulent transactions
In the unlikely event the number is used fraudulently, chargebacks can be raised to recover funds lost.
VCNs protect travel companies from having their own data compromised when passed through to hotels. But more importantly, customers using those travel companies have the peace of mind that their data is safe. Every passing month proves that hackers can and will access systems that they know to be vulnerable. They are also opportunists who will go after systems that are easy and that provide the most lucrative payoff. Companies who think beyond traditional payment methods and processes, and who make payment data less valuable to fraudsters, will best be able to protect their business and customers from the impact of data breaches and payment fraud.