Originally Posted by notquiteaff:
That is quite unlikely. The payment server isn't someone's desktop that gets used for surfing the web. Chances are it doesn't even have a browser installed.
Um... but if the malware is where the PMS software is, the credit card is swiped and passed onto the software usually unencrypted unfortunately. It's worse when the PMS software is hosted (like Micros Opera in the cloud which a lot of Hyatts + other chains have... and I manage).
It's funny because even PMS installers will refuse to store CC #s at any property because they know how insecure most systems are from top to bottom.
Chip and Sig/PIN is supposed to change that (with one-time auth tokens), but the tech to deploy it isn't easy and is very immature to deploy on any scale (and Oracle is making a mess with Micros, which doesn't help things in terms of interfaces).
Still not too happy that Hyatt is not making the investigation any more transparent.