FD Agent Apparently not Familiar with AAA Membership...
Nov 25, 2014, 7:08 am
#16
Original Poster
Join Date: Feb 2013
Location: DCA
Posts: 7,770
The fact that this hotel was supposedly able to take your full unencrypted CC info from a dummy reservation and apply it to your existing reservation is incredibly concerning. If I'm interpreting your description correctly, and this is actually what happened, then both this hotel and the Hilton website/reservation system in general are far out of compliance with PCI-DSS and PA-DSS standards. At no point should anyone, let alone a front line desk clerk at a local hotel, be able to access the full credit card information stored in Hilton's reservation system. Identifying information like the last-4 of the card number or expiration date can be accessible as a reference, but at no time should the full credit card details be so easily retrievable... which I'm assuming they were if this employee was able to "move" your card details from one res to another.
I'm not usually an alarmist about this kind of stuff, but this is a very serious security vulnerability if true, especially in light of the other ongoing HHonors account hacking saga that I still can't believe hasn't gotten more publicity (on FT or otherwise).
I'm not usually an alarmist about this kind of stuff, but this is a very serious security vulnerability if true, especially in light of the other ongoing HHonors account hacking saga that I still can't believe hasn't gotten more publicity (on FT or otherwise).
That said, I have trouble getting too worked up by people who handle physical credit cards all day being able to see...credit card information. Maybe I'm behind the times.
Nov 25, 2014, 1:37 pm
#17
Join Date: Jul 2012
Posts: 233
I'm surprised nobody else has commented on this part of your story yet...
The fact that this hotel was supposedly able to take your full unencrypted CC info from a dummy reservation and apply it to your existing reservation is incredibly concerning. If I'm interpreting your description correctly, and this is actually what happened, then both this hotel and the Hilton website/reservation system in general are far out of compliance with PCI-DSS and PA-DSS standards. At no point should anyone, let alone a front line desk clerk at a local hotel, be able to access the full credit card information stored in Hilton's reservation system. Identifying information like the last-4 of the card number or expiration date can be accessible as a reference, but at no time should the full credit card details be so easily retrievable... which I'm assuming they were if this employee was able to "move" your card details from one res to another.
I'm not usually an alarmist about this kind of stuff, but this is a very serious security vulnerability if true, especially in light of the other ongoing HHonors account hacking saga that I still can't believe hasn't gotten more publicity (on FT or otherwise).
The fact that this hotel was supposedly able to take your full unencrypted CC info from a dummy reservation and apply it to your existing reservation is incredibly concerning. If I'm interpreting your description correctly, and this is actually what happened, then both this hotel and the Hilton website/reservation system in general are far out of compliance with PCI-DSS and PA-DSS standards. At no point should anyone, let alone a front line desk clerk at a local hotel, be able to access the full credit card information stored in Hilton's reservation system. Identifying information like the last-4 of the card number or expiration date can be accessible as a reference, but at no time should the full credit card details be so easily retrievable... which I'm assuming they were if this employee was able to "move" your card details from one res to another.
I'm not usually an alarmist about this kind of stuff, but this is a very serious security vulnerability if true, especially in light of the other ongoing HHonors account hacking saga that I still can't believe hasn't gotten more publicity (on FT or otherwise).
If not, then they are indeed out of compliance.