Do Hotel Key Cards Contain Personal Info?

February 18, 2012 at 6:00 pm 13 comments

By Chad Upton | Editor

I’ve been saving hotel key cards for years because I want to see exactly what is on them.

Years ago, somebody told me that hotel room access cards contained personal info and credit card data. The rumor was that this info was necessary for you to charge items to your room during your stay.

I recently got my hands on a magnetic card reader and started swiping all my old cards. The results fit into three categories.

1. 77% of all the cards could not be read at all. This should not be a surprise to anyone who has ever stayed in a hotel with magnetic card keys; some are notoriously poor at holding their magnetic charge. Another reason they may appear blank is that some systems use non-standard data encoding, which makes it difficult for an ISO card reader to extract information. Whether the charge is weak, distorted or proprietary, specialized card readers may be able to extract data from these cards. Still, that data would likely fall into one of the two following categories.

2. The information on the card is encrypted or written in a proprietary format. 8% of the cards did yield data of this sort. This makes it extremely difficult to see the meaningful data. Even if you could decode the data, it would still likely fall into category three.

3. Most of the data on the card is unreadable to humans. The other 15% of cards were in this group. The only numbers that could be recognized on any given hotel card were the expiration date, which I was able to match up with my checkout dates from old travel confirmation emails. The expiration date is used by the door lock to ignore your card after you’re supposed to be checked out. If you’ve ever tried to get back into your room after checkout time, you have seen this in action.

Here’s what the data on a hotel card looks like. I highlighted the expiration date which is in yy/mm/dd format:

1122725628023063=1012051500001742

From my research, the remaining numbers on the card can include the room number itself, although I didn’t see any cards where this number was evident, along with a code the door lock uses to grant access to the room and sometimes a code used for billing charges to your room. Generally, the door locks are battery powered and don’t have a link to the reservation computer — the key cards are the only external source of data used to unlock the door.

In many cases, if you watch the hotel employee program your card at check-in, they use a standalone device that is completely separate from their computer system. The room number, nights of stay and number of cards being issued are punched in before they program your card. If the card programmer is integrated with the computer system, then it’s likely just to improve speed and reduce human error, since the agent wouldn’t have to manually enter your room data.

Card programmers that integrate with the computer system are also popular at resorts where the key card can be used to make room charges. Your actual credit card info is not on the card. That is against the policy of most credit card companies, not to mention it’s unnecessary. As long as the card identifies you, the charges can be added to your bill. I scanned a couple resort cards which could be used for room charges and found no personal data.

The door locks themselves often store a log of which keys accessed the room and when. So, you should still treat your card with care and let the staff know if it’s lost or stolen. You wouldn’t want somebody else to access your room with your key since the log just knows which key was used, not who used it. The hotel staff typically have a unique key so they can be differentiated from you in the log.

The idea that these cards do contain personal info seems to be a myth perpetuated by a misunderstanding of a credit card fraud presentation that suggested any type of magnetic card could be programmed with stolen credit card info. That said, there are some specific claims of personal info being found on hotel key cards. The Pasadena, California police department mentioned one case in its retraction about a previous email indicating hotel key cards could be an identity theft risk. The other case was reported by Robert L Mitchell at Computerworld. For legal and business reasons, his source could not provide proof or indicate the names of the hotels where he claimed to find personal info on the key cards.

There is truth to the idea that the cards could have personal data written to them. Technically, you could write any type of data to magnetic cards. In fact, I scanned every magnetic card I could find: credit, debit, loyalty club, membership, etc. All of my bank related cards and one of my airline loyalty cards did have my full name programmed into the magnetic strip.

I wasn’t too worried about that since my name is also on the front of these cards for anyone to read. I shred anything personally identifiable before I throw it out and these cards would be no different. I didn’t find any cards with any personal info magnetically programmed on them that wasn’t also on the front.

All of my results, including the exact percentage of readable cards, match up with Robert L Mitchell’s findings at Computerworld.com. Robert interviewed a number of industry experts and they stated that it is extremely unlikely that any travelers in the US would find personal private information on their hotel key cards. That’s not to say it’s impossible, but they weren’t convinced the probability was high enough for anybody to worry about it.

While most experts agree that current systems are likely very secure, there is suspicion in the industry that very old card key access systems from years past may not have been as secure and these systems may have included personal information on the cards. Although there are a couple unproven claims to the contrary, I cannot find any demonstrable proof that hotel key cards have any personal info on them.


Sources: nytimes, consumer affairs, Computerworld (2005, 2006), snopes.com


13 Comments Add your own

  • 1. Kristen  |  February 19, 2012 at 2:50 pm

    good to know; I always wondered…

    Reply
  • 2. Denis McKeon  |  February 20, 2012 at 1:42 am

    I seem to recall that police found a guy who programmed a card
    writing device to write stolen credit card data to some old hotel
    cards he had collected for the purpose.

    The apparent rationale was that he could use the hotel cards in
    unattended swipe devices (gas pumps & similar), without carrying
    cards that were visibly odd – multiple names, multiple instances of
    a similar card type, or multiple blank (white, or no-logo) cards.

    Would not multiple old hotel cards be thought odd?
    “Oh, those are just souvenirs.”

    So, *in theory*, “hotel cards could carry CC data” but not very
    likely a card that you might get from a hotel desk – in practice,
    what hotel would risk the PCI/DSS penalties?

    Reply
  • 3. Wendy  |  February 21, 2012 at 12:45 am

    Thank you for all your time and extremely helpful information:)

    Reply
    • 4. Chad Upton  |  February 24, 2012 at 12:08 am

      Thanks for visiting Wendy!

      Reply
  • 5. Leah  |  February 25, 2012 at 2:00 pm

    I work at a mid-level hotel, and you are exactly right in your analysis here! We do not keep any personal information on the card, except for the room number and checkout date/time. I do not know of any hotels in our range that keep any sort of credit card data on the hotel keys at all.

    Reply
  • 6. Goliath  |  March 13, 2012 at 10:24 am

    I have around 100 room cards collected over the past year, only because it’s nice to look at them and get back the memories of my travelings around the world.

    Reply
  • 7. Bill Fane  |  May 5, 2012 at 1:49 am

    My Credentials:
    For 27 years I was a product engineer and then Product Engineering Manager for Weiser Lock at their Burnaby plant. I helped to develop the first card-reader hotel lock system. Check out US patent # 4,663,687.
    The Myth:
    Hotel key cards contain your name, address, credit card info, etc.
    The Truth:
    This is pure fiction. There is absolutely no need for a hotel card to contain any of your personal or credit card information. What the card does contain is:
    1. A “blind” hotel property code, issued by the lock company, so a given card will only work in the one hotel. Note that this is not the name of the hotel as human-readable text.
    2. A “blind” lock number code. This is not the room number, because locks sometimes get moved from room to room for maintenance purposes.
    3. Your access code.
    4. The access code of the next guest who will be using the room after you.
    5. Your check-out date, in a “blind” code.
    Here is a highly-simplified explanation of how the system works:
    Each lock contains two memory locations, and the front-desk computer contains two memory locations for each room. When you check in, the computer:
    1. Takes the access code from its memory location B and writes it to your card in position A.
    2. It takes your code from computer memory B and moves it to memory A.
    3. It generates a new code for the guest who will follow you and stores it in memory B.
    4. It writes the new code to position B on your card.
    5. It writes the check-out date to your card.
    When you arrive at your room and use your card for the first time, the lock:
    1. Checks that you are in the correct hotel and at the correct room and that it is not past your check-out date.
    2. It reads the code from position A and compares that to the code stored in its memory A. It doesn’t get a match, but before it rejects you it checks against its memory B.
    3. Finding a match in memory B, it moves your code to memory A and places the code from your card position B in its memory B. The card for the guest before you will never work again unless it is re-coded for a later guest.
    From now until you check out, your card position A matches its memory A so it lets you in and the lock is ready to welcome guest B.
    Note that there are no wires or radio connections between your lock and the front desk computer. Your card carries the required re-keying information, so each room lock remains synchronized with the front-desk computer.
    The computer and the locks also contain additional memory pairs for Housekeeping and Management codes, and the front desk computer can generate one-time-only cards for Maintenance personnel to use.
    The locks also typically contain a record of the last dozen or so different cards that were used to enter the room. For example, if a usage sequence went something like Housekeeping – You – You – You – You – Housekeeping – Housekeeping – You – You – Maintenance – You – You then this would be recorded as Housekeeping – You – Housekeeping – You – Maintenance – You.
    Yes, some hotels can use your room key to charge things to your account, but they don’t need any personal information on the card to do this. The card readers at the point of purchase are hard-wired back to the front desk computer so the charges can be tallied “instantly”. The sales person may ask your name for confirmation, but that came back from the main computer and not off your card.

    Reply
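The re-keying scheme described in the comment above, as an added Python sketch (not code from the post, the commenter or any lock vendor). The class and field names, the integer day counter and the sample codes are assumptions made for the illustration, and the property-code and lock-number checks are left out.

```python
import secrets
from collections import deque

class FrontDesk:
    """Front-desk computer: one code pair (memory A, memory B) per room."""
    def __init__(self, a, b):
        self.a, self.b = a, b

    def check_in(self, checkout_day):
        card_a = self.b                   # 1. desk memory B -> card position A
        self.a = self.b                   # 2. desk memory B -> desk memory A
        self.b = secrets.token_hex(8)     # 3. new code for the guest who follows
        return {"A": card_a, "B": self.b, "expires": checkout_day}  # 4 and 5

class Lock:
    """Battery-powered door lock with no link to the front desk."""
    def __init__(self, a, b):
        self.a, self.b = a, b
        self.log = deque(maxlen=12)       # "last dozen or so" different cards

    def present(self, card, today):
        if today > card["expires"]:       # past the check-out date
            return False
        if card["A"] != self.a:
            if card["A"] != self.b:       # matches neither memory: reject
                return False
            self.a, self.b = card["A"], card["B"]   # first use: re-key the lock
        if not self.log or self.log[-1] != card["A"]:
            self.log.append(card["A"])    # repeated uses of one card collapse
        return True

def demo():
    desk, lock = FrontDesk("c0", "c1"), Lock("c0", "c1")   # constructed codes
    old = {"A": "c0", "B": "c1", "expires": 5}             # previous guest's card
    r = {"old_before": lock.present(old, today=1)}
    mine = desk.check_in(checkout_day=3)
    r["first_use"] = lock.present(mine, today=1)
    r["second_use"] = lock.present(mine, today=2)
    r["old_after"] = lock.present(old, today=2)
    r["after_checkout"] = lock.present(mine, today=4)
    r["in_sync"] = (lock.a, lock.b) == (desk.a, desk.b)
    r["log_entries"] = len(lock.log)
    desk.check_in(checkout_day=6)          # a guest who never uses the card
    later = desk.check_in(checkout_day=9)
    r["after_unused_card"] = lock.present(later, today=7)
    return r

if __name__ == "__main__":
    print(demo())
```

In this simplified model the last result is False: a card issued after one that was never used matches neither lock memory, so the lock and the desk stay in step only while every issued card reaches the door.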
  • […] a rumor, not fact. Not everything googled is current but this 2012 article makes sense…. https://brokensecrets.com/2012/02/18/…personal-info/ …..maybe a problem for old card access systems at one time and rumors are still around because […]

    Reply
  • 9. tori  |  June 5, 2012 at 2:49 am

    I have been an auditor at a hotel for 2 years and no, they do not contain the info. They include, as for the numbers: number of nights, expiration, guest number on file and property ID number for the location the key should be returned to, as well as how many occupants are in the room.

    Reply
  • 11. Viktor  |  January 20, 2014 at 8:48 am

    This, Bill Fane for such an exhaustive explanation. I’ve been digging for a while to get these details.
    One more question: what format is used to write information on cards? It is not compliant with any ISO (neither 7 nor 5 bits). Any idea on this?

    Reply
    • 12. Kish  |  February 2, 2014 at 11:22 am

      Viktor, I’ve been doing some research into this as well (mostly swiping any hotel card I have through my three track reader). Unfortunately I always get “%E?” as the output, or “;E?” or “+E”.
      And I have a large collection of key cards. I actually am a manager at a hotel, but only part time, as I also go to college, so I’m not always there. But one of my keys in my wallet is an Emergency level key, which essentially opens all doors at the hotel I work at, irregardless of deadbolt being engaged or not. When I try reading that key, the output is “;E?+E?”

      So of course, I’m led to believe that some other standard is in use, but I have no idea how to go about reading the information.

      Reply
  • 13. Viktor  |  February 6, 2014 at 3:58 am

    Hi, Kish. Thanks for the info, but most probably you read track 1 or 2, which usually is blank, or keeps hotel/room id information and is not used for lock opening. The key information is usually stored on track 3. You should be able to read it by selecting the RAW format in your reader application. Here are some examples of track 3 in HEX from different hotels:
    E6AEC67517C7D709E9ABE6E69EEE2021E7669966E6E6E6E6E6E6E6E6E6E6E6E6E6C0
    C54C2A1FCDBC8FC376BCEE3E96EC1E472F64E9DF20
    Unfortunately I didn’t find a way to decode it, as I have no clue what format it is. What we need to know is the encoding table, BPC (bit per character) and parity bit. It could be that data is encrypted somehow. But unfortunately I didn’t find any documentation about that.
    I believe Bill Fane could bring a ray of light on this subject.

    Reply
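For reference on the encoding table, bits per character and parity raised in the comments above, this added Python example (not code from the post or its commenters) decodes the ISO/IEC 7811 track 2 framing: 5 bits per character, least significant bit first, odd parity, `;` and `?` sentinels and a trailing LRC. The function names, the sentinels wrapped around the article's sample line and the MSB-first reading of a raw hex dump are assumptions.

```python
def char_bits(value):
    """4 data bits, least significant first, then an odd-parity bit."""
    data = [(value >> i) & 1 for i in range(4)]
    return data + [1 - sum(data) % 2]

def encode_track2(text):
    """Constructed test input: leading zeros, characters, then the LRC."""
    values = [ord(ch) - 0x30 for ch in text]
    lrc = 0
    for v in values:
        lrc ^= v
    bits = [0] * 7
    for v in values + [lrc]:
        bits += char_bits(v)
    return bits

def decode_track2(bits):
    """Return the decoded text or raise ValueError naming the failed check."""
    if 1 not in bits:
        raise ValueError("blank track")
    pos, chars, lrc = bits.index(1), [], 0
    while pos + 5 <= len(bits):
        group = bits[pos:pos + 5]
        pos += 5
        if sum(group) % 2 != 1:
            raise ValueError("parity error")
        value = sum(b << i for i, b in enumerate(group[:4]))
        if chars and chars[-1] == "?":       # character after the end sentinel is the LRC
            if value != lrc:
                raise ValueError("LRC mismatch")
            return "".join(chars)
        if not chars and value != 0xB:       # 0xB is the ';' start sentinel
            raise ValueError("no start sentinel")
        lrc ^= value
        chars.append(chr(value + 0x30))
    raise ValueError("no end sentinel")

def hex_to_bits(hex_string):
    """Assumption: raw dump, most significant bit of each byte first."""
    return [int(b) for byte in bytes.fromhex(hex_string) for b in f"{byte:08b}"]

if __name__ == "__main__":
    sample = ";1122725628023063=1012051500001742?"   # article's line, sentinels added
    print(decode_track2(encode_track2(sample)))
```

Under that bit-order assumption, the opening bytes of the two track 3 dumps quoted above fail on the very first character, which is the behaviour expected from a stream that does not follow this framing.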
