h6 is just a subdomain of hilton.com, so not necessarily an issue per se.
The text of the email itself is not unusual; the topic has been discussed in the past. The hotel cannot charge your card directly, most likely because 2FA / 3DS authentication is required (makes me wonder, though, why it was not done at the time of booking...), and it is not related to GDPR but rather to PSD2, but that is not essential.
In any case, as you have already been advised above, the best thing is to call the hotel and confirm with them.