<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt">Loophole that is found.<br><br>If each local hotel gains their own merchant ID, processes the transaction through a payment gateway that is not the corporate headquarters, then their level will be determined on that merchant ID, not the aggregate of all the hotels.<br><br>If each hotel processes through corporate headquarters (now becomes the gateway) to the payment gateway, then the aggregate of all hotels would be combined into one. <br><br>I have seen where each location was forced to get their own merchant ID and payment gateway to keep the transactions down, thus keeping the cost of audits down.<br><div> </div>James Ritchie<br>http://www.linkedin.com/pub/1/b89/433<br><br><div><br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><div
style="font-family: arial,helvetica,sans-serif; font-size: 13px;">----- Original Message ----<br>From: "Harris, Michael C." <HarrisMC@health.missouri.edu><br>To: dataloss@attrition.org<br>Cc: macwheel99@wowway.com<br>Sent: Tuesday, August 26, 2008 2:41:57 PM<br>Subject: Re: [Dataloss] Best Western Response<br><br>
There is something missing here, that doesn't true out with the<br>expectations in the PCI standard for a level one payer. Smaller mom and<br>pop level four establishment may slip by, but the mandatory audits of<br>level one folks should be forcing some change across the hospitality<br>industry... Perhaps slowly. It should have been identified as an audit<br>point with a remediation plan in the quarterly or yearly PCI audit.<br><br>So who was the last quarterly PCI auditor for Best Western? Is PCI that<br>broken or ignored?<br><br><br>Level One 6,000,000 transactions per year<br>Annual On-site PCI Data Security Assessment and Quarterly Network Scan <br>Qualified Security Assessor or Internal Audit if signed by Officer of<br>the company Approved Scanning Vendor<br><br>Level Two 1,000,000 to 6,000,000 transactions<br>Annual On-site PCI Data Security Assessment and Quarterly Network Scan <br>Merchant Approved Scanning
Vendor<br><br>-----Original Message-----<br>From: <a ymailto="mailto:dataloss-bounces@attrition.org" href="mailto:dataloss-bounces@attrition.org">dataloss-bounces@attrition.org</a><br>[mailto:<a ymailto="mailto:dataloss-bounces@attrition.org" href="mailto:dataloss-bounces@attrition.org">dataloss-bounces@attrition.org</a>] On Behalf Of<br><a ymailto="mailto:macwheel99@wowway.com" href="mailto:macwheel99@wowway.com">macwheel99@wowway.com</a><br>Sent: Monday, August 25, 2008 9:10 PM<br>To: *Hobbit*; <a ymailto="mailto:dataloss@attrition.org" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a><br>Cc: <a ymailto="mailto:macwheel99@wowway.com" href="mailto:macwheel99@wowway.com">macwheel99@wowway.com</a><br>Subject: Re: [Dataloss] Best Western Response<br><br>Another hotel chain overcharged me a few days on my Master Card.<br><br>I had told them I planned to stay to a particular date, then I checked<br>out early, and the checkout paperwork
correctly reflected the # days I<br>had stayed.<br><br>When I saw that my credit card bill was much bigger than the paperwork<br>they gave me on checkout, I called to get it fixed. They fixed it.<br>They did not need me to give them my credit card # again.<br><br>I was calling them 2 weeks after I checked out, when I saw my credit<br>card bill.<br><br>The chain was Econo Lodge.<br><br>On Mon, 25 Aug 2008 20:00:24 +0000 (GMT), *Hobbit* wrote<br>> ... how come I can call Best Western and make a reservation on my<br>> Visa card, without informing them of the number? and I haven't<br>> slept in a Best Western in 5 years?<br>> <br>> And your card number hasn't changed in 5 years either?? Hmmm...<br>> <br>> But I would be hard pressed to believe that any hotel chain large or <br>> small ever destroys their records of people's card numbers.<br>> I would call bullshit on BW's "response"
based on that alone.<br>> <br>> _H*<br>> _______________________________________________<br>> Dataloss Mailing List (<a ymailto="mailto:dataloss@attrition.org" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>) <br>> <a href="http://attrition.org/dataloss" target="_blank">http://attrition.org/dataloss</a><br>> <br>> Tenable Network Security offers data leakage and compliance monitoring<br><br>> solutions for large and small networks. Scan your network and monitor <br>> your traffic to find the data needing protection before it leaks out! <br>> <a href="http://www.tenablesecurity.com/products/compliance.shtml" target="_blank">http://www.tenablesecurity.com/products/compliance.shtml</a><br><br><br>--<br>WOW! Homepage (<a href="http://www.wowway.com" target="_blank">http://www.wowway.com</a>)<br><br>_______________________________________________<br>Dataloss Mailing List (<a
ymailto="mailto:dataloss@attrition.org" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>)<br><a href="http://attrition.org/dataloss" target="_blank">http://attrition.org/dataloss</a><br><br>Tenable Network Security offers data leakage and compliance monitoring<br>solutions for large and small networks. Scan your network and monitor<br>your traffic to find the data needing protection before it leaks out!<br><a href="http://www.tenablesecurity.com/products/compliance.shtml" target="_blank">http://www.tenablesecurity.com/products/compliance.shtml</a><br>_______________________________________________<br>Dataloss Mailing List (<a ymailto="mailto:dataloss@attrition.org" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>)<br><a href="http://attrition.org/dataloss" target="_blank">http://attrition.org/dataloss</a><br><br>Tenable Network Security offers data leakage and compliance monitoring<br>solutions for large and small networks.
Scan your network and monitor your<br>traffic to find the data needing protection before it leaks out!<br><a href="http://www.tenablesecurity.com/products/compliance.shtml" target="_blank">http://www.tenablesecurity.com/products/compliance.shtml</a><br></div></div></div></body></html>