BreachExchange mailing list archives

Re: Best Western Response


From: JAMES RITCHIE <james_ritchie () sbcglobal net>
Date: Tue, 26 Aug 2008 12:40:37 -0700 (PDT)

The loophole that was found:

If each local hotel gains its own merchant ID and processes the transaction through a payment gateway that is not the corporate headquarters, then its level will be determined on that merchant ID, not on the aggregate of all the hotels.

If each hotel processes through corporate headquarters (which now becomes the gateway) to the payment gateway, then the aggregate of all hotels would be combined into one.

I have seen cases where each location was forced to get its own merchant ID and payment gateway to keep the transaction counts down, thus keeping the cost of audits down.

 James Ritchie
http://www.linkedin.com/pub/1/b89/433
----- Original Message ----
From: "Harris, Michael C." <HarrisMC () health missouri edu>
To: dataloss () attrition org
Cc: macwheel99 () wowway com
Sent: Tuesday, August 26, 2008 2:41:57 PM
Subject: Re: [Dataloss] Best Western Response

There is something missing here that doesn't true out with the
expectations in the PCI standard for a level one payer.  Smaller mom and
pop level four establishments may slip by, but the mandatory audits of
level one folks should be forcing some change across the hospitality
industry... perhaps slowly.  It should have been identified as an audit
point with a remediation plan in the quarterly or yearly PCI audit.

So who was the last quarterly PCI auditor for Best Western? Is PCI that
broken or ignored?


Level One: 6,000,000 transactions per year
  Validation: Annual On-site PCI Data Security Assessment and Quarterly Network Scan
  Validated by: Qualified Security Assessor (or Internal Audit if signed by an Officer of
  the company); Approved Scanning Vendor

Level Two: 1,000,000 to 6,000,000 transactions
  Validation: Annual On-site PCI Data Security Assessment and Quarterly Network Scan
  Validated by: Merchant; Approved Scanning Vendor

-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of
macwheel99 () wowway com
Sent: Monday, August 25, 2008 9:10 PM
To: *Hobbit*; dataloss () attrition org
Cc: macwheel99 () wowway com
Subject: Re: [Dataloss] Best Western Response

Another hotel chain overcharged me for a few days on my MasterCard.

I had told them I planned to stay until a particular date, then I checked
out early, and the checkout paperwork correctly reflected the number of days I
had stayed.

When I saw that my credit card bill was much bigger than the paperwork
they gave me on checkout, I called to get it fixed.  They fixed it.
They did not need me to give them my credit card number again.

I was calling them 2 weeks after I checked out, when I saw my credit
card bill.

The chain was Econo Lodge.

On Mon, 25 Aug 2008 20:00:24 +0000 (GMT), *Hobbit* wrote:
   ... how come I can call Best Western and make a reservation on my
   Visa card, without informing them of the number?  and I haven't
   slept in a Best Western in 5 years?

And your card number hasn't changed in 5 years either??  Hmmm...

But I would be hard pressed to believe that any hotel chain large or 
small ever destroys their records of people's card numbers.
I would call bullshit on BW's "response" based on that alone.

_H*
_______________________________________________
Dataloss Mailing List (dataloss () attrition org) 
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml


--
WOW! Homepage (http://www.wowway.com)
