Should you be worried about the information contained on your hotel key card?
Updated: Dec 12, 2022
One of my friends recently asked me whether it was true that your hotel room key card contains your credit card information. This reminded me of a co-worker I used to travel with, who had a pile of old key cards sitting at home because she was afraid to leave them at the hotel. It sounded like some investigating was in order. There’s a lot of often conflicting information out there, but public concern around this issue first seems to have spiked in 2003, due to some warnings originating with the Pasadena, CA, police department. In a presentation on current fraud techniques, an expert on identity theft had demonstrated how hotel key cards could be wiped and used to store someone’s personal and credit card information. An over-eager detective had taken this to mean that all hotel key cards have this data encoded on them, and proceeded to warn colleagues, who warned other people, who passed the information on … you get the idea.
So what are the facts?
The magnetic key card technology still used by most hotels allows any kind of information to be coded onto the cards, it’s just a question of how the system is set up.
A majority of hotels will only store a unique ID tied to the guest, as well as an expiry date (the day/time the guest is expected to check out) on the card.
Most key card systems aren’t even linked to the hotel’s front desk system, which is where personal and credit card information is stored.
Storing anything other than what is required to open the hotel room door on the key card is an obvious security risk, and not one a hotel will want to take.
A number of people have taken matters into their own hands and examined key cards from various hotels. (See reports from Computerworld and Consumer Affairs.) In one case, 100 or so key cards were analyzed, and they were mostly unreadable by an off-the-shelf card reader. In another, volunteers were sought at a conference, and their key cards swiped through a credit card reader. This was a small sample size, but about half the cards contained personal and/or credit card information.
Some mitigating factors
The furore and the tests described above all took place between 2003 and 2006. Since then, concerns have largely died down. In the past 10 years, many key card systems will have been replaced – new technology is being implemented: Think of the cards you no longer have to swipe, but just hold up against the lock, or hotels that let you use your smart phone as a key (more on the latter in a future post). The public concern raised several years ago, as well as growing cyber security issues, no doubt also contributed to more awareness in the hospitality industry regarding the dangers of storing sensitive and unnecessary information on key cards.
As much as I’d like to say that credit card information on hotel room key cards is an urban myth, I can’t, because there’s proof that in some cases exactly that was found. However: I do believe that a majority of the time, the data stored on your key card is just enough to open the door to your hotel room, and expires on the day you check out. By all means, if it makes you feel better, take the cards home with you and destroy them (at 10 cents apiece, hotels don’t really mind), but in all likelihood, you’re safe to leave them in the room or drop them off at reception – which is the more environmentally friendly option in any case. While identity theft criminals may still use magnetic strip cards to store other information, they would wipe prior existing data (such the ID that allowed you to unlock your room) before re-encoding them.