Conversation with my travel agency:
Conor: Hey, I need a reservation at xxx (a hotel in the UK)
Agent: (after searching for a while) I can't find that hotel, has someone else from your group stayed there?
Conor: Try so-and-so, he's stayed there before but I don't know how recently.
Agent: (finding so-and-so's records) Hmm... (mumbling stuff he's reading) Nope... Don't see that hotel in there.
Conor: I have the web URL, do you want that?
Agent: (looks it up himself, and gets phone number) I'll have to call them, can you hold for a few minutes?
Conor: Sure... (waiting patiently -- mostly because I'm off doing work while I wait)
Agent: OK, they have a room... Hmm... you have a Discover card on file, but they don't accept that.
Conor: Don't you have an American Express Card on file for me?
Agent: No, but let me look at your other hotels for this trip... yes, I see it... Be right back (he's off to talk to the hotel again)
Agent: (coming back) Hmm, they need your signature ID
Conor: (knowing that he's talking about the CID) It's xxxx.
Agent: (after going to talk to the hotel again) OK, we have the room but they asked me to email the reservation request to them and then they will send the confirmation number.
Agent: (the next day, in email) Here's your confirmation email.
While this is my recollection of a recent conversation with my current travel agency, I have had almost the exact same conversations with previous agencies.
So, what's wrong with this conversation?
- The agent has access to the complete, plain text, credit card number in each of my records (including pulling it up on completed reservations). A better solution would be to have some form of token that represents the credit card without allowing them to see the actual card number.
- I'm guessing that the agent actually emailed my credit card info (hopefully not, but I couldn't tell from the conversation).
- Agents have easy access to anyone's records at the agency (hence the searching of my co-worker's records looking for the hotel) and I presume they too have plain text credit card numbers.
Now, I have to admit that I've never had my identity stolen from a travel agency (and I've done a whole lot of traveling -- about to cross the one million miles mark with United when I leave the UK on that trip), so the risk is not tremendous.
However, I think that some work needs to be done to make this process a bit more secure. Agents should not be able to easily see the credit card numbers I've used on other records (and I wouldn't mind having to give it to them again when a case such as the above came up -- they are rare as 90% of my reservations are done without the need for phone calls to the hotel).
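The token idea above, sketched in Python as an added example (not code from any agency or booking system; the class, role and function names are assumptions, and the card number is a constructed test value). Agents can reuse a stored card across reservations by its token and last four digits, while only a separate payment role can read the number, and every read attempt is logged.

```python
import secrets

class CardVault:
    """Holds card numbers; everything outside the vault sees only tokens."""

    DETOKENIZE_ROLES = {"payment_gateway"}  # assumed role name

    def __init__(self):
        self._pans = {}   # token -> card number; a real vault encrypts this at rest
        self.audit = []   # (role, token, allowed) for every detokenize attempt

    def tokenize(self, pan):
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 12 <= len(digits) <= 19:
            raise ValueError("not a plausible card number")
        # Random token: nothing about the card number can be derived from it.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pans[token] = digits
        return token

    def agent_view(self, token):
        """What a booking agent's screen shows for a stored card."""
        pan = self._pans[token]
        return {"token": token, "display": "*" * (len(pan) - 4) + pan[-4:]}

    def detokenize(self, token, role):
        allowed = role in self.DETOKENIZE_ROLES
        self.audit.append((role, token, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read card numbers")
        return self._pans[token]


def book_hotel(vault, token, hotel):
    """Agent-side booking record: carries the token, never the card number."""
    return {"hotel": hotel, "card": vault.agent_view(token)["display"], "token": token}


if __name__ == "__main__":
    vault = CardVault()
    tok = vault.tokenize("3782 822463 10005")  # constructed test number
    print(book_hotel(vault, tok, "Example Hotel"))
    try:
        vault.detokenize(tok, role="agent")
    except PermissionError as err:
        print("denied:", err)
```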
Note that I strongly prefer that they are able to make these reservations for me and so I will live with what I consider a relatively low risk in exchange for the benefit of them being able to make my reservations for me. It's also a much lower risk of theft than me reading aloud on the phone my credit card numbers every time I make a reservation.