A friend of mine has a hotel and hostel and is a partner with booking.com. He received 100s of CC raw data each day.<p>There is no protection whatsoever. Booking doesn't manage payments on their own, they send the data clean-text directly to the hotel owner to process them using their own POS.<p>Is it legal? This is massive.
They send raw credit card numbers; they don't send YOUR credit card number. They create a disposable credit card number, which they send down to the hotel, linked to your credit card. It's like a token in the form of a different credit card number. The hotel doesn't know the difference, and the disposable credit card number has a fixed limit, which is what you paid for your room. After that it is discarded; I don't know what happens to it afterwards.
Edit: I work for a large hospitality software company; those numbers go through us before they get to the hotel.
You should edit the context of this question based upon the answer from its_trivial: <a href="https://news.ycombinator.com/item?id=16103175" rel="nofollow">https://news.ycombinator.com/item?id=16103175</a>
I think you have the answer already, and IANAL, but just to add on: in most countries this is a matter of PCI compliance that is enforced by the card networks. In most countries it's not a criminal offence to be PCI non-compliant (but you could be liable for civil suits and fines by the card schemes).<p>I imagine there's a clause in the PCI compliance rules that allows raw card numbers to be sent less securely if they are virtual + single-use card numbers, or maybe if the liability of fraud on those card numbers doesn't fall on the "original" card holders.