The deeper issue here may be what's legal. Look at the laws for your jurisdiction... they may or may not allow storing of credit card numbers or other information. The law on this in Canada, for example, is very grey. It basically is worded in such a way that you "have to take reasonable precautions to ensure that sensitive information is protected" (I got that wording from a civil servant). But what exactly are reasonable precautions? Password protection? PGP? etc.
As far as your specific situation, what you may want to look at isn't actually taking the payment initially, but putting a hold on the card upfront and then collecting the deposit later on the card. The difference between a hold (or an Authorization Only, according to Authorize.Net) is in the steps.
Step 1: Card is checked to see if funds are available.
Step 2: If funds are available, funds are then put on "hold", whereby the funds are allocated to the merchant (in this case, the hotel) but not actually taken off the customer's card. In other words, the transaction isn't actually complete.
Step 3: The hotel checks to see if the room(s) or whatever are available.
If rooms are available, the hotel then completes the transaction and withdraws the funds from the customer's credit card.
If rooms aren't available, the hotel cancels the transaction and for the customer, it's as if the transaction never occurred in the first place.
The advantage of a hold is that the hotel knows the customer can afford to pay for the hotel when they check for availability while the customer doesn't get billed until the hotel confirms availability, so there's no waiting 6 weeks for a chargeback.
Anyway, that's how I'd handle it.
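
The hold-then-capture flow described in the post above, modelled in Python as an added example (not part of the original post, and not Authorize.Net's API): `Card`, `Gateway` and `book_room` are hypothetical names and the gateway is an in-memory stand-in. Once the hold is placed, the hotel's code works only with the hold ID, so it has no card number to store.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Card:                      # constructed stand-in for the issuer's view of a card
    limit: int                   # credit limit, in cents
    charged: int = 0             # amount actually billed
    held: int = 0                # amount reserved by open holds

    @property
    def available(self) -> int:
        return self.limit - self.charged - self.held

class Gateway:
    """Hypothetical in-memory gateway (assumption, not a real provider's API)."""
    def __init__(self):
        self._holds = {}         # hold_id -> [card, amount, state]

    def authorize(self, card: Card, amount: int):
        # Steps 1 and 2: check funds, then reserve them without billing.
        if amount <= 0 or card.available < amount:
            return None
        card.held += amount
        hold_id = secrets.token_hex(8)
        self._holds[hold_id] = [card, amount, "held"]
        return hold_id

    def _settle(self, hold_id: str, new_state: str) -> bool:
        hold = self._holds.get(hold_id)
        if hold is None or hold[2] != "held":
            return False         # unknown id, or already captured/voided
        card, amount, _ = hold
        card.held -= amount      # the reservation ends either way
        if new_state == "captured":
            card.charged += amount
        hold[2] = new_state
        return True

    def capture(self, hold_id: str) -> bool:
        return self._settle(hold_id, "captured")

    def void(self, hold_id: str) -> bool:
        return self._settle(hold_id, "voided")

def book_room(gateway: Gateway, card: Card, deposit: int, room_available: bool) -> str:
    hold_id = gateway.authorize(card, deposit)
    if hold_id is None:
        return "declined"
    # Step 3: from here on the hotel needs only hold_id, not the card number.
    if room_available:
        return "charged" if gateway.capture(hold_id) else "error"
    return "released" if gateway.void(hold_id) else "error"
```
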