We recently travelled as independent visitors to the island of Boa Vista in the Cape Verdean archipelago last week, staying at the RIU Karamboa hotel near the main town of Sal Rei, booking direct via the RIU website and paid in advance by credit card.
At Check In
Arriving from Sal, we packed light and other than passports, enough cash and one debit card for possible ATM withdrawals, all other valuables were left in our room safe on the other island.
Upon checkin, it became quite obvious that I was in default of hotel policy and procedure as I could not present the credit card I had used to pay for the accommodation. Apparently there was something in the small print that I had missed, stating that albeit paid in full in advance and charges debited to my credit card, they still needed a copy for file.
The Retailer Chargeback Risk
Surreal perhaps, but understanding credit card fraud and inherent chargeback risks that retailers are exposed to from online orders, I could appreciate the policy. That said, I could not help but wonder why, being I was physically in resort, the money had been previously debited and they have my signature that could validated on my debit card and my passport photo ID (which they had already copied), why they still needed a copy of my credit card?
Appreciating I did not have the credit card I used to pay for our stay and it was a Sunday, we were told we could stay the evening and that Reception would contact me on the Monday, obtaining further instruction from Head Office.
A note was placed under our door that Monday evening, asking me to go to reception. I was given instruction that they would accept an email copy of the card. This I thought was acceptable as I could ask my son (who was still on Sal), to open the safe, photograph the card and email it to me via our family safe file encryption system.
The next day I popped back to reception with a copy of the card on my iPhone. However, it was not acceptable. Even though the receptionist could see the card photograph and card number, the he still wanted a physical copy.
Handing him my iPhone with the photo displayed, he went to the office to take a copy. This is when issues started to unravel in that the copier could not print the photo on the iPhone. For whatever reason, it kept coming out black.
Sending Credit Card Details Via Email
Puzzled and perplexed, the guy asked me to send the photograph via email to the hotel’s reception firstname.lastname@example.org inbox and this is when I started to worry.
“I’m sorry” I said. “There is no way I am going to email you my credit card details through the public Internet email system, to an inbox that any receptionist can read. This would be in breach of my own personal data protection principles and probably in breach of banking Terms and Conditions too. If you insist, then I would need to immediately telephone my bank and report the card as lost and have it cancelled.”
Of course, this would mandate the card copy would be of no use as payment security to the hotel as it would therefore be cancelled. So we’re in a bit of an impasse.
Then I had an idea. I could send an email from my Protonmail.Com account, where I can encrypt the email with a pre-shared password for the recipient to open the email and add a 24 hour ‘destruct’ time limit, that would delete the email from the Protonmail system. Having agreed the password, I sent the email which arrived in a few moments while I was standing at the desk.
Protonmail does not work as conventional email, in that the email received simply includes a hyperlink to the Protonmail website system where the email is read in a webmail format in your web browser. Unless both sender and recipient have some SMIME or PGP/GPG shared key encryption system, Protonmail is an ideal solution to send encrypted communications and files.
The RIU Internet Security System
However and guess what? The RIU’s own Internet Security policy will not allow connection to the Protonmail system!
Smiling, I said to the guy that I find it strange that he wants me to send him a plain text email with my private credit card details which is a breach of my own Internet security and personal data protection policy, but the RIU web security blocks the Protonmail website.
We’re in a position therefore where we are both wanting to help each other, but corporate and personal policies are in conflict.
I asked why he or a manager couldn’t just override the system to show that someone has seen the credit card photo, my photo ID passport and debit card signature? He answered that he was just doing his job and following hotel policy.
A Horrific Breach of Data Privacy
That’s when I was horrified! To show me what he needed, the receptionist then pulled a ring binder file from under the counter and there was my reservation form. Unlike others, my credit card was not attached as a copy.
Flicking through the file, he was showing me other guests booking forms and copied credit cards, trying to demonstrate the hotel policy that all non package holiday guests must present their payment card which must be photocopied and attached to the reservation form. I could plainly see that all other registration forms had a copy of the payment card, in some instances *both* the front and back, including name on card, card number, expiry date and the three digit security code on the reverse!
As a previous online business owner in the UK, we needed to adhere to strict credit card processing and PCI compliance for online and telephone orders. Holding such full credit card details in a ring binder file that anyone could read would be in breach.
“Wow!” I explained to the guy. “Are you saying you would copy the front and back of my card? From my reservation form, you have my home address. From my passport, you have my date of birth. Anyone who has access to that ring binder could take my card details and initiate a fraudulent transaction! That’s crazy! You are perpetuating the root cause of why there is so much credit card fraud in the first place. I am no longer happy and will not give you my card details.”
You Need To Be Worried And Savvy
I’m quite savvy when it comes to this sort of thing, but this experience has left me more worried about how companies use and store your personal data. I think it’s time to question why hotels demand this data and more importantly, how they store and destroy it?
I also get what the recent media is writing about the Cambridge Analytica and Facebook fiasco, Amazon Eco and the likes harvesting data, but I also find it quite terrifying how easy we will pass other sensitive data around so openly and willingly!