Re: Card numbers
Well Mariott use The Opera property management system which is now owned by Oracle.
They were also one of the first to sign up to using it in the Oracle Cloud. Therefore there should not be a customer database that would locally be accessible to anyone.
The Opera system can also utilise the Oracle Payment Interface (OPI). This does allow modern fully tokenised credit card support, however this has only been available for a short time and would not be the default with this service.
Opera also has a number of APIs that allow you to retrieve and download customer data and can download CC data that isn't tokenised.
So maybe they were polling the data down from the cloud into a separate db, maybe their web service was copying the data to an internal db when it was making the booking.
Marriott have said "We also do a lot of research on transactional data to understand the value of getting an additional point of conversion through a new medium and what helps to drive that conversion. Based on what the data shows us and what customers are telling us, we try to marry the two together to reach informed decisions about the business."
So it would seem they like to pull data into a centralised analytics system of some kind.
Hopefully it won't be Oracle's cloud which has had issues!
Biting the hand that feeds IT
