[Dataloss] Best Western Response

JAMES RITCHIE james_ritchie at sbcglobal.net
Tue Aug 26 19:40:37 UTC 2008


The loophole that has been found:

If each local hotel obtains its own merchant ID and processes transactions through a payment gateway that is not corporate headquarters, then its level will be determined by that merchant ID, not by the aggregate of all the hotels.

If each hotel processes through corporate headquarters (which then becomes the gateway) to the payment gateway, then the transactions of all hotels would be aggregated into one.

I have seen cases where each location was forced to get its own merchant ID and payment gateway to keep the transactions down, thus keeping the cost of audits down.

James Ritchie
http://www.linkedin.com/pub/1/b89/433

----- Original Message ----
From: "Harris, Michael C." <HarrisMC at health.missouri.edu>
To: dataloss at attrition.org
Cc: macwheel99 at wowway.com
Sent: Tuesday, August 26, 2008 2:41:57 PM
Subject: Re: [Dataloss] Best Western Response

There is something missing here that doesn't true out with the
expectations in the PCI standard for a level one payer.  Smaller mom and
pop level four establishments may slip by, but the mandatory audits of
level one folks should be forcing some change across the hospitality
industry... perhaps slowly.  It should have been identified as an audit
point with a remediation plan in the quarterly or yearly PCI audit.

So who was the last quarterly PCI auditor for Best Western? Is PCI that
broken or ignored?


Level One: 6,000,000 transactions per year
  Validation:   Annual On-site PCI Data Security Assessment and Quarterly Network Scan
  Validated by: Qualified Security Assessor or Internal Audit if signed by Officer of
                the company; Approved Scanning Vendor

Level Two: 1,000,000 to 6,000,000 transactions
  Validation:   Annual On-site PCI Data Security Assessment and Quarterly Network Scan
  Validated by: Merchant; Approved Scanning Vendor

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of
macwheel99 at wowway.com
Sent: Monday, August 25, 2008 9:10 PM
To: *Hobbit*; dataloss at attrition.org
Cc: macwheel99 at wowway.com
Subject: Re: [Dataloss] Best Western Response

Another hotel chain overcharged me for a few days on my Master Card.

I had told them I planned to stay until a particular date, then I checked
out early, and the checkout paperwork correctly reflected the # of days I
had stayed.

When I saw that my credit card bill was much bigger than the paperwork
they gave me on checkout, I called to get it fixed.  They fixed it.
They did not need me to give them my credit card # again.

I was calling them 2 weeks after I checked out, when I saw my credit
card bill.

The chain was Econo Lodge.

On Mon, 25 Aug 2008 20:00:24 +0000 (GMT), *Hobbit* wrote
> ... how come I can call Best Western and make a reservation on my
>    Visa card, without informing them of the number?  and I haven't
>    slept in a Best Western in 5 years?
> 
> And your card number hasn't changed in 5 years either??  Hmmm...
> 
> But I would be hard pressed to believe that any hotel chain large or 
> small ever destroys their records of people's card numbers.
> I would call bullshit on BW's "response" based on that alone.
> 
> _H*


--
WOW! Homepage (http://www.wowway.com)

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml