22

I was talking to a hotel, and to reserve a room they asked for my credit card details.

It was not a payment via a secure link like online shopping (where I even get an app notification asking me to authorise a specific amount, which is shown in the notification).

But the hotel asked for the following details in an email:

  • Card number (it's a Mastercard)
  • My name
  • Expiry date

Surprisingly, they did not ask for the CVC, and I did not give it either. But nonetheless, after about a week, I got a message from my bank that my account had been charged the amount (in a foreign currency, that of the place where the hotel is located).

This transaction in itself is legit, but it got me thinking: is it that easy to charge a card without even knowing the CVC, and without an app notification for me to authorise it?

How does it work behind the scenes? Does it mean my bank will give the money to anyone who comes to it with the credit card number? Or did the hotel operator forward my credit card details to its own bank, which then came to my bank to get the money? How does either bank verify the amount, or whether subsequent transactions from the same card are authorised? Is it purely a matter of trusting that merchant?

If the details matter:

  • my bank is DBS (a Singapore bank)
  • the merchant is Hilton Hong Kong

But I suppose the rules should be agnostic to these details?

MJD
Della

3 Answers

36

Yes, that's how it was for decades. CVC is a relatively new addition, and pre-approval is not necessary.

Generally, a transaction that was not pre-approved, was not made in person, and for which the merchant doesn't have any details other than those printed on the front of the card (like what you're describing) would be immediately reversed if the cardholder disputed it. But if the transaction is legit as you say, then there's no problem.

littleadv
15

Payment processors have a LOT of flexibility as to what a card can be charged with. The issue isn't whether it can be charged, but who loses money when it is contested.

There are multiple levels of security the vendor can choose, from the extremely risky "charge only on the number, ignore any warnings" to "everything must absolutely match, and reject on any error". Neither extreme is a viable option.

What happens is that different levels of security give different levels of protection and liability. If the vendor decides to charge a card based on the number alone, with no check on name/expiry validity, then the vendor eats the cost, and the CC company isn't even going to bat an eye when they refuse the charge. It's pretty stupid to do this and nobody really does, but you CAN do it.

Of course, if a merchant has rampant amounts of fraudulent charges, then they're going to land in hot water very fast.

Nelson
7

What you described (minus the whole sending-your-card-details-over-email part) is literally exactly the same set of details that the world's largest online retailer, Amazon, uses to charge debit and credit cards (in the UK, maybe elsewhere too).

They do not ask for or need your CVV/CVC security code to charge you.

It is up to the merchant to choose which anti-fraud checks they do. One such check is the CVV code. Another common check is that the address you gave matches the one held on file at your bank or financial institution; but again this is optional, and it is up to the merchant, since they are the ones who would incur a chargeback fee from their payment processor, have a high fraud rate with them, etc.

The "rules" that you are talking about, that apply to merchants, are typically PCI DSS. You mentioned that your card is a Mastercard. Mastercard requires compliance with PCI DSS, as do Visa, American Express, Discover, and JCB, plus others. A PCI DSS compliant merchant should never ask you to send your card details over email. I am 99% sure that this is a breach of these regulations. After a quick skim of the requirements, this requirement stands out to me:

Encrypt transmission of cardholder data on open, public networks.

Email is very much NOT encrypted, and the internet (which email uses to send and receive) is an open public network (as opposed to an intranet or internal network, which would be private).

In future you might want to use a virtual card or a disposable card, from a bank like Revolut, for paying merchants you don't trust. This gives you a card number different from your main physical card, whenever you want [another] one. Once you've used it you can freeze it (in the case of a virtual card) or it will automatically be deleted (in the case of a disposable card).

Thankfully the Hilton Hotel is a reputable company, but you could always get a rogue member of staff (in any company or country). Regarding the crime rates in Hong Kong:

In 2022, fraud cases rose 45 percent compared to the previous year. The first five months of 2023 saw an almost 60 percent increase in fraud cases.
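The flow the three answers describe (the issuer approves on number and expiry, merely reports CVV and address checks, and the merchant chooses which results to act on and carries the loss on a card-not-present dispute), as an added worked model that is not part of this thread and not any card network's actual rules. The Luhn check, the CVV/AVS result letters (M/N/P and Y/A/Z/N/U) and the liability shift for chip or in-app-authenticated (3-D Secure) transactions are simplified versions of real practice; the issuer behaviour, policy names, card number, names and addresses are constructed test values.

```python
"""Simplified model of card-not-present authorisation and dispute liability.
Added illustration only: real issuer, scheme and processor rules differ."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: the only thing verifiable from the number alone."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class CardRecord:                     # what the issuing bank holds on file
    pan: str
    exp_month: int
    exp_year: int
    name: str
    cvv: str
    billing_street: str
    billing_zip: str


@dataclass
class AuthRequest:                    # what the merchant's acquirer sends to the issuer
    pan: str
    exp_month: int
    exp_year: int
    amount_minor: int                 # e.g. HKD cents
    currency: str
    name: Optional[str] = None        # carried, but not verified by the issuer here
    cvv: Optional[str] = None
    avs_street: Optional[str] = None
    avs_zip: Optional[str] = None
    card_present: bool = False
    authenticated: bool = False       # cardholder approved this amount in-app (3-D Secure)


@dataclass
class AuthResponse:
    approved: bool
    cvv_result: str                   # 'M' match, 'N' no match, 'P' not provided
    avs_result: str                   # 'Y' both, 'A' street only, 'Z' postcode only, 'N' neither, 'U' not sent
    reason: str = ""


@dataclass
class MerchantPolicy:                 # the merchant's own choice of checks (constructed)
    send_cvv: bool
    send_avs: bool
    require_cvv_match: bool
    require_avs_match: bool


class Issuer:
    """Cardholder's bank: approves on number + expiry and only *reports* CVV/AVS.
    Simplification: many real issuers also decline outright on a CVV mismatch."""

    def __init__(self, cards: dict, today: date):
        self.cards, self.today = cards, today

    def authorize(self, req: AuthRequest) -> AuthResponse:
        card = self.cards.get(req.pan)
        if card is None or not luhn_valid(req.pan):
            return AuthResponse(False, "P", "U", "unknown card")
        if (req.exp_year, req.exp_month) != (card.exp_year, card.exp_month):
            return AuthResponse(False, "P", "U", "expiry mismatch")
        if (card.exp_year, card.exp_month) < (self.today.year, self.today.month):
            return AuthResponse(False, "P", "U", "card expired")
        cvv = "P" if req.cvv is None else ("M" if req.cvv == card.cvv else "N")
        if req.avs_street is None and req.avs_zip is None:
            avs = "U"
        else:
            match = (req.avs_street == card.billing_street, req.avs_zip == card.billing_zip)
            avs = {(True, True): "Y", (True, False): "A", (False, True): "Z", (False, False): "N"}[match]
        return AuthResponse(True, cvv, avs, "approved")


def dispute_liability(req: AuthRequest, resp: AuthResponse) -> str:
    """Who eats a fraud chargeback in this model (simplified liability-shift rule)."""
    if not resp.approved:
        return "nobody"               # no money moved
    if req.card_present or req.authenticated:
        return "issuer"               # chip or 3-D Secure: liability shifts to the issuer
    return "merchant"                 # unauthenticated card-not-present: merchant


def charge(issuer: Issuer, policy: MerchantPolicy, details: dict, amount_minor: int,
           currency: str = "HKD", authenticated: bool = False):
    """Merchant builds the request from what it collected and applies its own policy.
    Returns (issuer response, merchant accepted?, who bears a dispute)."""
    req = AuthRequest(pan=details["pan"], exp_month=details["exp_month"],
                      exp_year=details["exp_year"], amount_minor=amount_minor,
                      currency=currency, name=details.get("name"),
                      cvv=details.get("cvv") if policy.send_cvv else None,
                      avs_street=details.get("street") if policy.send_avs else None,
                      avs_zip=details.get("zip") if policy.send_avs else None,
                      authenticated=authenticated)
    resp = issuer.authorize(req)
    accepted = resp.approved
    if policy.require_cvv_match and resp.cvv_result != "M":
        accepted = False
    if policy.require_avs_match and resp.avs_result != "Y":
        accepted = False
    return resp, accepted, (dispute_liability(req, resp) if accepted else "nobody")


# Constructed data: 5555 5555 5555 4444 is a well-known Mastercard test number.
TODAY = date(2024, 6, 1)              # fixed so the example is reproducible
ISSUER = Issuer({"5555555555554444": CardRecord("5555555555554444", 12, 2027, "A CARDHOLDER",
                                                  "123", "1 Example Street", "123456")}, TODAY)
EMAILED_DETAILS = {"pan": "5555555555554444", "exp_month": 12, "exp_year": 2027,
                   "name": "A CARDHOLDER"}              # what the hotel collected: no CVC
HOTEL_POLICY = MerchantPolicy(send_cvv=False, send_avs=False,
                              require_cvv_match=False, require_avs_match=False)
STRICT_POLICY = MerchantPolicy(send_cvv=True, send_avs=True,
                               require_cvv_match=True, require_avs_match=True)

if __name__ == "__main__":
    for label, policy, details in (("email details, lax policy", HOTEL_POLICY, EMAILED_DETAILS),
                                   ("email details, strict policy", STRICT_POLICY, EMAILED_DETAILS)):
        resp, ok, who = charge(ISSUER, policy, details, 250000)
        print(f"{label}: issuer approved={resp.approved} cvv={resp.cvv_result} "
              f"avs={resp.avs_result} merchant accepted={ok} dispute falls on={who}")
```

Run as-is and the first line shows the asker's case: the issuer approves on number and expiry with CVV result "P" and AVS "U", the merchant's lax policy accepts, and a dispute lands on the merchant. The same details under the strict policy are still approved by the issuer but rejected by the merchant, which is the point littleadv and Nelson make: the issuer's approval and the merchant's exposure are separate decisions.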