Hostel wants my Credit Card security code via email, is this legit?

9/10/2015 4:59:57 PM

There is no legitimate reason why the hostel should ask this. What is going on here is that charging the credit card without CVC code will incur more costs for the hostel. These costs could be lower if the hostel has a good record. Presumably the hostel has yet to prove that the way they conduct their business is secure enough for the credit card company they deal with to lower the costs for card not present transactions without CVC code.

9/9/2015 3:05:30 AM

Giving out your security code via a non-secure connection is a very bad idea. By doing this you essentially turn your bank account into a self-service account.

Storing the CVV code in any form is against the PCI DSS Requirements (Payment Card Industry Data Security Standard), and by sending it via email it will be stored on someone's computer which might not be secure, has a key logger installed, has some unpatched bugs in the OS exploited by malware or is shared between multiple people.
If it’s a hostel then quite often they have other backpackers handling the reception part time, who are up and away after a few weeks. How do you know they are not taking a copy of the card details with them?

The CVV is your proof that you are in possession of the card, because no online dealer is allowed to store the CVV in any form. That’s why all online dealers who get this right will ask you for your CVV number when you do another transaction with them, even if you clicked “store my payment details” before.

Without the security code all leaked credit card number lists on the internet are useless, because every time you want to make a transaction you will be asked for the CVV (except for recurring payments).

TL;DR: find another hostel, otherwise you are just giving out full access to your bank account.
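
Seen from the side of whoever runs the mailbox, this is an added example and not part of the original answer: a small Python scan over stored message bodies that flags Luhn-valid card numbers and notes whether a labelled security code sits in the same message. The regular expressions, function names and sample messages are assumptions constructed for illustration; 4111 1111 1111 1111 is a widely used test number.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces/hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Heuristic: a security-code label followed closely by a 3- or 4-digit value.
CVV_RE = re.compile(
    r"(?i)\b(?:cvv2?|cvc2?|security\s+code)\b\D{0,15}?(?<!\d)\d{3,4}(?!\d)")

# Constructed sample message bodies (not real data).
SAMPLE_WITH_CVC = "Hi, card 4111 1111 1111 1111 exp 09/17, CVC: 123. Thanks!"
SAMPLE_PAN_ONLY = "Card on file: 4111-1111-1111-1111"
SAMPLE_NO_CARD = "Booking ref 1234567890123456, arriving 9 Sept."


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits, so the scan
    report does not itself become a store of full card numbers."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_message(body: str) -> list[dict]:
    """List Luhn-valid card numbers found in one message body and
    whether a labelled security code appears in the same message."""
    cvv_present = CVV_RE.search(body) is not None
    findings = []
    for match in PAN_RE.finditer(body):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):     # drops booking refs, phone numbers, etc.
            findings.append({"pan": mask(digits), "cvv_present": cvv_present})
    return findings


if __name__ == "__main__":
    for body in (SAMPLE_WITH_CVC, SAMPLE_PAN_ONLY, SAMPLE_NO_CARD):
        print(scan_message(body))
```

A message reported with `cvv_present` set to true is the case the answer describes: a card number and its security code stored together in plain text.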

9/10/2015 10:06:05 AM

I had this same issue with a hostel in the UK. I pressed the hostel for an explanation, and also found a forum thread of hostel managers discussing this policy. Both gave the same explanation.

From their point of view, it was so they could take the money out my account if I didn’t show up. They said they do it only in busy periods when they know they’ll be full, so they don’t lose money turning customers away only to find the booked customers don’t show up.

But don’t do it!

Even if you trust this hostel not to deliberately rip you off, you’re putting all the credit card information someone would need to commit credit card fraud, unsecured, unencrypted, stored on (if you’re lucky) a knackered old laptop sitting in a reception, or (if you’re unlucky) in a pile of paper printouts left lying around unattended while the sole staffer that shift fixes some emergency. It would be shockingly easy for a criminal, or even just a random opportunist like a disgruntled hostel staffer, local computer repair guy or guest, to obtain enough information to clone your card or raid your account.

I refused – and instead agreed to pay part (60% if I remember right) of the bill up front via PayPal. This safely resolved their no-show concern and, while not ideal, it secured the accommodation I wanted when everywhere else was full. It’s not super uncommon for busy places to insist on upfront payment – my only unhappiness with this was that it seems dishonest that this hadn’t been apparent at the time I made the booking, and that they didn’t respect the deposit I’d already paid.


HostelWorld give some card details like card number, name, etc to the hostel, but (for good reason) not enough for the hostel to simply take a debit using a standard card machine.

A common, expensive problem for hostel owners is people booking in busy periods then not showing up, leaving rooms and beds empty that could be full. Also (apparently) the deposit you pay to HostelWorld stays at HostelWorld as their fee, so in the event of a no-show, the hostel itself gets nothing, not even a deposit (I only have one hostel’s word on this).

This is a crude, low-tech, possibly illegal and certainly non-PCI-compliant workaround.

Here’s a thread on a hostel-manager forum where they discuss it alongside other ways of dealing with no-shows from HostelWorld and hostelbookers. Somebody rightly points out it:

may breach your T&C’s with your card provider, as well as not being
PCI compliant!

…but it appears to be moderately popular nonetheless…

It’s unlikely that the hostel itself would scam people (but possible), as hostels live and die on their reputation (except well-located tourist traps where all bets are off including “will I wake up with all my luggage and both kidneys”), but still, I’d strongly recommend not complying because:

  1. Your full credit card info will be sitting unencrypted on a computer system not set up to safely store credit card information. They might even be in a pile of printed emails sitting on a table, for all you know. For an online shop to accept and store credit card details, it needs to pass tough checks on its server security (PCI compliance) or face a heavy fine. Plain text in an email would definitely fail those checks.
  2. Even if you trust the hostel, you don’t know that you can trust everyone who uses the hostel computer. The hostel owner might be legit (albeit ignorant/reckless with their guests’ credit cards), but it’d just take one disgruntled underpaid receptionist, or one dodgy local computer repair person, or one guest who convinces the receptionist that they “urgently” must use the hostel computer for 5 minutes, or one tech-savvy guest or neighbour (email is not secure)…

Since the motivation is usually all about the hostel protecting itself from no-shows, you should be able to negotiate a compromise where you pay some of the fee up front.

If they won’t, stay somewhere else: they either have more sinister reasons, or are not sufficiently tech-literate to receive money by PayPal (therefore definitely can’t be trusted to keep your card details secure!).


Here’s some excerpts from my email exchange to give you an example:

Them:

Thanks for booking with us !

During busy periods we pre authorise credit cards in order to cover
your booking fee should you not arrive I’m afraid were not able to
complete pre authorisation. In order to do this we need your CVC
number that unfortunately was not provided when you made the booking.

In order for us to guarantee your reservation please contact us immediately

Me: (paraphrasing) hell no, I’ve never been asked this before, I’m not putting my card details in an email, and you’ve already got my deposit. Play nicely or I’ll claim a refund on the deposit, book elsewhere and report you to HostelWorld for attempted credit card fraud. (but worded more politely)

Them:

We do not receive deposit . £8.64 was paid already and it is a
Hostelworld.com fee. In our Terms and Conditions is stated ,that we
do pre -authorization and in order to do that,we need CVC number.

There is option to pay in advance by paypal instead of pre –
authorization.

Buried in their terms and conditions:

Pre-Authorisation Policy

The pre-authorisation is not a charge and no funds have been debited
from your account.

Why is the credit card pre-authorised? When you give us a credit/debit card, the pre-authorisation guarantees us that the funds are available to pay for any charges incurred.

How much is a pre-authorisation? The amount that we pre-authorise will depend on the value of your booking and the booking channel you
used to book your reservation

When is the card pre-authorised? All credit or debit cards are pre-authorised within 24/48 hours of you making your reservation… HSBC Merchant Services are responsible for the maintenance and management of the pre-authorisation process.

I didn’t want my card details sitting unsecured in their emails etc, and by this point everywhere else was booked up, so I paid upfront by PayPal instead, which worked fine with no issues.

Credit:stackoverflow.com
