To understand why personal information is unlikely to appear on hotel card keys, you must first understand how the technology works. Electronic locks that use magnetic cards were developed to address petty-theft problems associated with traditional keys. "Those problems have virtually gone away," says Brian Garavuso, CIO at Hilton Grand Vacations Co. in Orlando and chairman of the AHLA's technology committee. Most keys contain only a room number, a departure date and a "folio," or guest account code -- although other data may be stored on them as well. The door locks, which are stand-alone, battery-powered devices, each contain a sequence of lock codes. The sequence advances when an expired card is swiped or a new card inserted. The lock also logs when a guest, maid or other hotel employee has entered the room. Hotel door locks aren't wired back to the systems at the front desk. Therefore, if a card is lost and a new card is issued, the room remains unprotected until the new card is inserted into the lock and it resets. Hotels use card-key locks because they are relatively inexpensive, make rekeying easy, include a time limit and provide an audit trail of room access.

Most card keys aren't readable because electronic lock systems use proprietary encoders and readers. While ISO-standard cards store data on three tracks on the magnetic strip, hotel lock systems use a proprietary encoding pattern and encrypt room-key data on Track 3, says Mark Goldberg, executive vice president and chief operating officer at magnetic card maker Plasticard-Locktech International LLP in Asheville, N.C. PLI's name appeared on many of the card keys Computerworld tested.

Only 15 percent of the cards tested yielded any data using the USB card reader. The alphanumeric strings did not match any of the users' credit card numbers, nor was any intelligible text found. At MagTek, Benson was able to pull up strings of binary data from the cards but could not decode it. A specialized reader would be needed to decipher it, but "you won't be able to grab one of those off eBay very easily," he says.

Even then, the data would be unreadable because it is encrypted, says Mike Scott, new products manager at Saflok, an electronic lock maker in Troy, Mich.

On the right track?