
From my experience the travel industry are the worst offenders of data security. I remember making a booking on booking.com and not having to pay for my booking, and I wondered how hotels can confirm bookings. When I went to check in at the hotel I asked the front desk staff this question, and they simply told me “oh, we get a fax or email from the OTA of your credit card information”. You can imagine the look on my face when that happened.

Here I am building my online business using tokens with a PCI DSS compliant payment gateway and all these businesses out there don’t even care.

My lesson learned then was these industries will do anything to make it more convenient for the travelers to book, even compromise on security.




They have to support the lowest common denominator. I worked for a company that did camping reservations. Our system for remote sites involved a ranger getting up at 4am, starting a generator and powering up a fax machine. That was seen as an improvement over travelling 40 miles to get a weekly, guaranteed useless list or the honor system and cash payments.

It's like anything else, companies don't lift a finger unless it costs them money or runs them afoul of regulators.


Sending credit cards via FAX to be printed out is not only OK with PCI DSS, it's recommended. The reason companies like Booking.com do this is because the credit card companies wanted it this way.


I remember having a chat with a small guesthouse owner a few years ago. He showed me what the OTA sent through to them, which was clear copy text of the booking along with all the credit card details. The big online OTA would directly charge the customer a 15% deposit, if I remember correctly, which they banked as their commission - kind of clever, removing the big remittance headache. It was then down to the hotel to directly capture the remaining balance and enforce the cancellation rules. He explained that if customers don't turn up he takes the credit card details down the road to a small independent unrelated travel agency which attempts to hit the card and charges him 10% for the privilege. He says it's about 50/50 whether the card authorizes. I think this still happens.


This definitely still happens, but I think implicit in your post and this thread in general is the unstated statement "...and this is a horrible state of affairs that shouldn't persist for even one more day!".

Ultimately it's the credit card companies that regulate this playing field, and up to a certain point they're happy to make a large trade-off between security & convenience, because they can work the security issues into their processing fees.

Credit card companies aren't dumb, of course they know that small Mom & Pop hotels are going to have horrible security practices when it comes to credit cards. They also know that any security issues are going to be contained to the customers of that establishment.

This is why PCI puts a huge amount of compliance burden on companies such as payment processors and travel agencies that process a lot of credit cards, but by-and-large ignores small players.

The hotelier you described and his method of ad-hoc charging credit cards with a 10% fee at some unrelated business is surely in violation of some PCI rule(s), but that's going to be a matter between his customers and his bank, not all customers of the travel agency and Visa/MasterCard.


Booking.com literally became successful because they built this massive infrastructure around European hotels that refused to update their booking systems past fax and phone calls.



I use agoda.com over booking.com for this very reason: it lets me pay with PayPal. If you care about that sort of thing, I suggest you do too.

Of course, you then have to provide your credit card or another means of payment to the hotel on arrival for insurance.

PS: and this is pretty much the why of how something as reviled by merchants as PayPal is thriving; as a customer I love it.


I wish I had the level of audacity or ignorance these people have and send plaintext user data over http, write half-assed webapps that just look pretty but offer no security etc etc. I would be in a much better place right now from a professional point of view. But I just can't do it.


Last time this was discussed, someone said that hotels get a generated CC from Booking, valid only for that transaction. Hope it's true :)


Why isn’t it the same when you hand them your credit card?


Your credit card number should not persist in their system when you hand it to them, and it definitely should not be printed on hard copy.

https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Sec...



