Don’t Waste Your Money: Are you staying at a hacker-friendly hotel?

As the travel season heats up, Consumer Reports cautions that some popular hotel and motel chains could be vulnerable to hackers because of weak security systems.

The major credit-card companies require businesses to have standard data protections if they want to accept credit and debit cards. It’s called being PCI compliant. But Consumer Reports found that a number of hotels may not be.

At a Super 8 motel in New York, the manager said he “had not heard” about PCI compliance. An assistant general manager at a Red Lion in California also said, “I never heard of this.” Similarly, a manager at an America’s Best Value in Washington state said, “I have no idea” about PCI compliance.

In the past, hackers have taken advantage of weak security at hotels. For instance, there were three documented data breaches at properties of Wyndham Worldwide several years ago. According to a complaint by the Federal Trade Commission, “security failures” at Wyndham Worldwide led to more than $10 million in unauthorized charges.

Wyndham Worldwide and its subsidiaries have many brands, including the Super 8 chain. A Wyndham spokesman told Consumer Reports that each Super 8 is “independently owned and operated” and is “separately required to be PCI compliant.” However, a spokesperson for Super 8 owners disagrees, saying, “Wyndham is responsible for PCI compliance.”

So how can you find out whether the hotel you’re considering has the kind of security that credit-card companies require? Consumer Reports says that there is no substitute for doing your own research. Call any hotel or motel you are considering and ask whether they are PCI compliant.

Consumer Reports also says it’s worth checking a website called Privacy Atlas that tracks security standards at 39,000 hotels in the U.S.

If you have any doubt about the data security of the hotel you have chosen, Consumer Reports advises using your credit card to pay and not your debit card. Credit cards have much better protection in case of fraud.