It's only fitting that readers of this blog have an early look at Monday's feature story about whether hotel card keys contain any personal information, since it was your comments that prompted me to try to find answers.
Is there really any personally identifiable information on that magnetic stripe on your hotel card key? As the headline implies in It's Just the Key to Your Room, it is unlikely that anyone will find any personal data stored on a hotel card key, other than possibly your name, even when those card keys are used to make charges at resorts. I came to this conclusion after talking with experts about how card key systems are designed to work, reviewing possible scenarios where personal data might have been encoded on cards, and testing 100 cards gathered at random from a wide variety of lodging establishments in the U.S.
What prompted all this? Last September in this space I posted remarks made by an IT director who said he had found personal data on hotel card keys at three properties where he stayed. This included his name, address and credit card number. The posting stirred up much controversy and generated many postings from readers, but few answers came of it. While many people had opinions or anecdotes about what was on the magnetic stripes on card keys, and the lodging industry had ready answers as to why this was impossible, no one had gone out and actually read an assortment of cards to see if any readable data was on them. Readers challenged me to go out and find some answers, so I asked the Computerworld staff for help gathering cards to test. I also asked industry experts to explain exactly how card key systems work, what data normally resides on the cards and how card lock systems exchange data with other information systems in a hotel. You'll find answers in the story.
Over the course of a month our reporters and editors sent card keys from all of the hotels where they stayed. For some strange reason most editors and reporters preferred not to stay in economy lodgings, so I found myself checking into properties such as Motel 6 and EconoLodge. That lead to some memorable experiences. I received cards from vacation resorts, as well as both mid-range and high-end hotels, and tested all of them. I read cards myself using a standard off-the-shelf card reader and then sent them to Terry Benson, Engineering Group Leader at MagTek, a maker of card readers, for additional analysis.
So could our IT director really have found credit card information on his hotel card keys? It's possible. There is a scenario that could explain his experience, as the story lays out. But it's nothing I would worry about.