Lifehacker recently posted something from ConsumerReports where an author suggested asking a hotel manager for their [PCI DSS] Attestation of Compliance. Asking someone for an AoC is an exercise in futility. There is one piece of advice that is good (use credit not debit), but the idea of asking for an AoC is really not good advice. There are a number of reasons for this.
- Many hotels with your favorite brands are actually smaller properties owned and operated by individual owners. Even if they have an AoC, it’s probably done from the perspective of a Self Assessment Questionnaire which does not require a third party to review.
- I promise you that the vast majority of front desk clerks and managers will have no idea what you are asking for, especially if you don’t clarify that this is for PCI DSS compliance.
- Most credit cards carry zero liability, but not all cards or banks are equal. If you have a zero liability card, it means that it doesn’t really matter if your card is stolen as long as you are watching your charges.
To extend the last bullet in the article, you should ALWAYS use a credit card over a debit card, no matter what documentation is provided. The liability is probably different (and less liability personally to you with a credit card). If you use a debit card and they run it with your PIN, there is a chance it could be captured and used later to drain your account. Hotels also pre-auth a larger amount of money in case you decide to trash your room, which reduces your available cash balance. ALWAYS SIGN! Never PIN (this does not work with EMV cards in many of the world’s economies). If your debit card starts with a 4, 5, 3, or 60, it probably works as a credit card.
Don’t forget, debit is typically tied to a checking account. If someone snags your card and PIN, they can remove cash which may take a couple of days to get put back.
My guess is that the author is not in the industry but did some research that led him down a rabbit hole of propaganda. Please, for the sake of making everyone’s hotel check-in experience go smoothly, don’t be that guy.