This is what the American Hotel & Lodging Association calls "an urban legend" that has been bouncing around cyberspace ever since Oct. 6, 2003, sourced to an extremely generic "Metropolitan Police Service." Its origins lie in a misunderstanding that prompted a Pasadena police detective to hit the e-mail panic button, firing off an errant missive that is now taken as gospel truth.
MGM Resorts International spokesman Alan Feldman provides the short-version answer to your question: "No, this is an urban myth that creeps up every so often. The magnetic stripe on room keys contains the room number and basically a 'yes' or 'no' command that indicates whether the guest can charge food to their room. Nothing else."
Now for the full story ...
A group of fraud detectives were meeting and "Someone there happened to say that they heard it was possible to put this information on this key card." The Pasadena flatfoot put two and two together, got five and the result is the ‘mythinformation’ which you were e-mailed. Once the story got loose, the Pasadena P.D. tried to rein it in, according to Det. Ronnie Nanning, who stated that her department had been told "time and time again that this is not the policy," according to the hotel chains contacted.
City of Pasadena spokeswoman Janet Pope subsequently elaborated, "As of today, detectives have contacted several large hotels and computer companies using plastic card key technology and they assure us that personal information, especially credit card information, is not included on their key cards. The one incident referred to appears to be several years old, and with today's newer technology, it would appear that no hotels engage in the practice of storing personal information on key cards."
Hilton Hotels Corp. executive Kathy Shephard went further, calling it "just a nasty rumor. Our key cards are encrypted with minimal information -- the guest's name, room number and arrival and departure dates -- and encrypted in such a way that they can't be read by ordinary card readers," she told freelance writer David Emery in a 2003 interview.
Insurance consultant Jake Stroup, citing anonymous industry sources, disagrees somewhat. If the front-desk machine that codes your card is discrete from the registration computer, you’re fine. However, if encoder and registration computer are linked, "it is possible to put any information on the card that is in that computer, including payment information [using the two magnetic strips usually left blank]. If you can use your keycard at the hotel to bill something to your room, the information is probably linked somewhere in the system."
But payment information is not resident upon the card, according to hotel professionals (although it is practiced in Europe). When charging meals or purchase to one’s room, the minimal information stored in your card goes into a point-of-sale server. The transaction info is then routed to the central-property management server, where your charge-card information is kept and bills are generated. Stroup adds that putting that financial data onto the keycard would be legally risky for the hotel.
Plastic room cards came into vogue in the 1990s, partly as a means of keeping track of the physical room inventory. Unlike the good, old, heavy room key, good for entry at any time, keycards are "blanked" when one checks out. Thus, if the key "walks" (and many do), the hotel is at no risk … nor does it have to go to the locksmith to have a new key cut. And since keycards are often emblazoned with the hotel’s logo or other colorful imagery, they make popular souvenirs. Stroup says it’s fine to keep doing so, writing that "it won't hurt a thing to shred your keycards when you're done with them," should any doubt linger in your mind.
What is possible is that a keycard wiped blank of information could be encoded with stolen personal information – quite a different thing. According to Snopes.com, the same thing could be done with your "grocery store loyalty card, a casino’s slot card, or any generic keycard … The nature of the card itself didn’t matter, nor did the information it has previously contained …" Furthermore, according to an industry veteran Snopes.com interviewed, guests’ ability to check out through their in-room TV further diminishes the need to have anything more than your room number and dates of stay magnetically coded.
Given the amount of guest data that is resident upon the hotel’s computer, transferring it to a card that simply functions as a means of unlocking doors creates an inherent redundancy. An unnamed Hilton executive told Snopes that encoding additional information onto keycards "would be pointless and would create additional work (and expense)." And the hotel industry frowns upon expending any effort – like maid service -- that is not absolutely necessary. Furthermore, room locks are not wired into some sort of mainframe (imagine the cost) but are what’s described as "stand-alone, battery-powered devices."
In a 2006 survey that should have definitively settled the issue, Computerworld staffers tested 52 different hotel cards on a standard-issue swipe-card reader and found most "completely unreadable." Even those that could be deciphered didn’t contain "personally identifiable information … Most card keys aren't readable because electronic lock systems use proprietary encoders and readers."
Computerworld backstopped its study by having its findings double-checked by MagTek, which manufactures card readers. MagTak independently tested another 48 hotel-room cards. None yielded any data that would be of use to an identity thief. Again, a thief could code information onto a blank, stolen keycard – but he’d have to already be in possession of your credit card or ATM card for you to be at risk.
