Hospitality Solution

Hotel RFID Access Control

Whole-Property Guide

Hotel whole-property RFID access control — guest room + elevator destination dispatch + BOH + parking + amenity zones with multi-credential reader heads

Quick answer

Procurement-grade whole-property hotel access-control reference for hospitality + serviced-apartment + cruise procurement teams designing the complete access programme — not just guest-room cards. Covers per-zone reader / credential decisions (room door / club floor / BOH / IT-vault / elevator lobby / elevator car / parking gate / pool / spa / gym / conference rooms / executive lounge), elevator destination dispatch integration with KONE Destination + Otis Compass + Schindler PORT + Mitsubishi DOAS + Hitachi DFRS, the four-vendor CVE timeline (Onity HT 2012 Brocious, Vingcard Vision 2018 F-Secure, SALTO ProAccess SPACE 2019 CVE cluster, Saflok 2024 Unsaflok CVE-2024-29916), Aliro 1.0 (CSA, February 2026 release) unified Apple / Google / Samsung digital-key standard, OSDP v2 Secure Channel migration from legacy Wiegand, PCI DSS v4.0 15-minute session timeout, GDPR access-log retention, ADA / ICC ANSI A117.1 §308–309 reader-mount-height 34–48 inches AFF, and CapEx framing by 100 / 500 / 2,000-key property profile.

  • Design the whole property as one access system, not seven silos. Guest room + BOH + elevator + parking + pool + gym + conference + executive lounge each need a per-zone decision (reader class, credential, factor) but the credential itself should resolve to one card on the guest's lanyard.
  • Elevator destination dispatch (KONE Destination, Otis Compass, Schindler PORT, Mitsubishi DOAS) is now the operational standard for tower hotels. RFID lobby readers assign destination cars before the guest enters; in-car readers gate club-floor access. Plan reader siting against the elevator-vendor's integration spec.
  • Aliro 1.0 (CSA released February 2026) unifies Apple Wallet, Google Wallet and Samsung Wallet digital-key implementations into a single standard. Most hotel access-control pages still describe vendor-specific BLE-app or Apple-Wallet-only flows; the 2026 procurement baseline is Aliro-ready.
  • Cross-vendor CVE timeline matters for procurement: Onity HT (Brocious, 2012, port-shield + firmware fix), Vingcard Vision (F-Secure 2018, ~140,000 hotels affected, patched), SALTO ProAccess SPACE 2019 (CVE-2019-19457/19458/19459/19460, fixed in 5.6), Saflok 2024 (CVE-2024-29916 Unsaflok, ~36% remediated at disclosure). Every multi-vendor estate should map remediation status by lock platform.
  • OSDP v2 Secure Channel (AES-128) is replacing Wiegand 1970s plain-text on new builds. Plan reader migration alongside any RFID refresh — Wiegand on a remediated Saflok system still leaves the reader-to-controller wire as the weakest link.
Request samples
10+ Years ISO 9001 500+ Clients 50+ Countries

Featured Hotel Access Control Products

SKUs we typically deploy for hotel access control. Tap a card for specs and samples.

Assa Abloy / VingCard-Compatible Hotel Key Cards

Assa Abloy / VingCard-Compatible Hotel Key Cards

 Complete guide to RFID keyfobs

Complete guide to RFID keyfobs

 Complete guide to RFID readers

Complete guide to RFID readers

At a glance

Use these short answers to decide whether this page matches the project before moving into the detail.

Audience

Hotel CIO / IT / operations teams designing whole-property access (not just guest-room cards). Serviced apartments + cruise + resort + casino procurement designing multi...

Decision sequence

Per-zone reader-class decision: HF 13.56 MHz (ISO/IEC 14443A; MIFARE DESFire EV3 AES-128) for doors + amenity-zone gates; UHF 860–960 MHz (up to ~5 m read range) for par...

Vendor compatibility map
  • Saflok (dormakaba) — Quantum IV / RT, Messenger LENS, Quantum Plus / Pixel; CVE-2024-29916 firmware remediation status. See /compatibility/saflok-hotel-key-cards/.
  • Vingcard (ASSA ABLOY) — Classic / Essence / Signature / Allure / Flex; Vision (2018 CVE) → Visionline → Vostio. See /compatibility/vingcard-hotel-key-cards/.
  • SALTO Systems — XS4 family + Neo Cylinder; 2019 ProAccess SPACE CVE cluster (fixed in 5.6). See /compatibility/salto-hotel-key-cards/.
  • Onity (Honeywell BA, planned Automation spin-off H2 2026) — HT / ADVANCE / integra / Trillium; 2012 Brocious. See /compatibility/onity-hotel-key-cards/.
  • MIWA — ALV2 / ALV3 / V3HTM + FeliCa IDm (Japan). See /compatibility/miwa-hotel-key-cards/.
  • Häfele Dialock — DT + WT + FT + EFL / LL; single-credential door + furniture + locker. See /compatibility/hafele-dialock-hotel-key-cards/.
  • Be-Tech — BASE / SHADOW / VISUAL / GUARDIAN. See /compatibility/be-tech-hotel-key-cards/.
Direct catalogue links
ASSA ABLOY-compatible hotel key cardsRFID keyfobs (staff zones)RFID readersRFID wristbands (resort all-inclusive)Hotel key cards (SKU procurement guide)All 7 vendor compatibility guides

Whole-property zone matrix — guest room, BOH, elevator, parking, amenity, conference

A hospitality access programme is at least seven distinct zones with different reader-class, credential-factor and policy requirements. The matrix below maps each zone to its operational baseline; single-vendor lock-PR pages never publish this comprehensively because each vendor focuses on the zones they sell into.

Zone Reader class Credential ADA mount Notes
Guest room door HF 13.56 MHz (ISO/IEC 14443A)MIFARE Plus EV2 SL3 or DESFire EV3Lock face height per fixturePrimary guest credential.
Club / executive floor HF 13.56 MHz (in-car elevator reader)Same card + elevator profileIn-car reader 34–48″ AFFCard unlocks elevator floor button.
BOH / staff-only doors HF 13.56 MHz + optional PIN keypadStaff card (separate site key)34–48″ AFFHigher-trust zone; PIN + card multifactor common.
IT vault / payment-processing room HF + biometric readerStaff card + finger/face (multifactor)34–48″ AFFPCI DSS-driven; logged access; 15-min session timeout.
Loading dock / receiving HF or UHF (long-range vehicle tag)Vendor / supplier cardAdjacent to roll-up doorOften tracks delivery vehicle by UHF tag.
Elevator lobby (destination dispatch) HF 13.56 MHz on KONE/Otis/Schindler PORT terminalSame guest cardTerminal-vendor specReader assigns destination car before entry.
Parking gate UHF 860–960 MHz (up to 5 m read range)Vehicle windshield tag or card-in-holderLane-side postLong-range gate trigger.
EV charger HF + RFID for billingSame guest cardADA + EV charger codeTied to room-charge billing flow.
Pool / spa HF 13.56 MHzSame guest card (amenity profile)Waterproof reader; lockable heightOften time-limited (resort hours).
Gym / fitness HF 13.56 MHzSame guest card34–48″ AFF; 24/7 access policySelf-service hours.
Kids' club / club floor lounge HF + photo-ID verificationCard + opt-in registrationAdult-supervised accessLiability + safeguarding policy.
Conference rooms / ballroom HF 13.56 MHz + temporary site keysEvent-issued temporary cardEvent-temp signage heightOften paired with event registration system.
Executive lounge HF 13.56 MHzSame guest card (elite profile)34–48″ AFFTier-based access; PMS-driven eligibility.

Elevator destination dispatch integration — KONE, Otis, Schindler PORT, Mitsubishi, Hitachi

Modern tower hotels rely on destination-dispatch elevator control rather than traditional up/down call buttons. The guest presents a credential at a lobby terminal; the system assigns an elevator car and shows the destination floor before the guest enters. RFID lobby readers + in-car readers integrate with the elevator vendor's destination-dispatch back-end. The first commercial destination dispatch system was Schindler Miconic 10 (1992); current systems are functionally similar but with much deeper RFID integration.

  • **KONE Destination** — RFID lobby reader writes destination request to KONE elevator back-end via TCP/IP integration. The reader can be HF 13.56 MHz contactless (most common for hospitality) or BLE mobile credential. Integration spec published by KONE; integration testing typically runs 2–3 weeks per property.
  • **Otis Compass / Compass360** — Otis's destination dispatch family. Compass uses lobby touchscreen + RFID; Compass360 adds mobile-credential support via Otis's eView mobile platform.
  • **Schindler PORT** — Schindler PORT (formerly Miconic 10) is the world's first destination-dispatch system (1992). Modern Schindler PORT terminals accept RFID hospitality credentials and Schindler's PORT 4D BLE mobile credential.
  • **Mitsubishi DOAS (Destination Oriented Allocation System)** — common in Asian tower hotels. RFID lobby reader + in-car reader integration; Mitsubishi DOAS-Net protocol.
  • **Hitachi DFRS / FIBEE** — Hitachi's destination-dispatch family; common in Japanese hospitality estates. Integration with MIWA hotel lock credentials is a common pairing in Japan-domestic deployments.
  • **Architecture pattern** — most hotels run a single RFID credential type (e.g., MIFARE DESFire EV3) that opens both the guest room door (via the lock-vendor reader) and triggers elevator destination dispatch (via the elevator-vendor lobby reader). The credential authenticates to both vendors' back-ends through a shared PMS integration.
  • **Test plan** — pilot the elevator destination dispatch credential round-trip end-to-end before scaling. Mismatch between the lock-vendor encoder writing the credential and the elevator-vendor lobby reader reading it is the #1 failure mode. Both vendors need to confirm credential format support.

Aliro 1.0 — unified Apple / Google / Samsung wallet digital key standard

Aliro 1.0 was published by the Connectivity Standards Alliance (CSA) in February 2026 as the unified standard for digital keys in mobile wallets across Apple, Google and Samsung. Before Aliro, every hotel-lock vendor implemented Apple Wallet, Google Wallet and BLE mobile keys via vendor-specific app integrations. Aliro standardises the credential format, the BLE / NFC / UWB transport, and the over-the-air credential delivery so that a single credential issued through the hotel's PMS can be delivered to any wallet platform without vendor-specific code.

  • **Why Aliro matters in 2026** — eliminates vendor-specific BLE app sprawl. A hotel chain with mixed Vingcard / Saflok / SALTO / Onity lock estates can issue one Aliro-compliant digital key from the PMS that works on Apple Wallet, Google Wallet, Samsung Wallet, and any first-party lock-vendor app.
  • **Transport layers** — Aliro supports NFC (existing physical-card tap experience), BLE (proximity unlock with no tap required), and UWB (Ultra-Wideband for precise proximity gating in high-end deployments).
  • **Apple alignment** — Apple HCE NFC in apps (iOS 17.4 EEA-only feature, expected wider rollout) aligns with Aliro 1.0 transport.
  • **Lock-vendor readiness** — Vingcard, Saflok, SALTO, Onity have all signalled Aliro support roadmap. Properties planning a 2026–2027 access refresh should specify Aliro-readiness in vendor RFPs.
  • **Physical card co-existence** — Aliro mobile keys complement, not replace, physical cards. ADA accessibility, mobile-device failures, walk-in guests without the property app, and front-desk override scenarios still require the physical card baseline. Plan a parallel card programme that uses the same RFID chip family.
  • **Procurement window** — 2026 is the vendor-selection and pilot year. 2027 is full-line rollout. 2028+ is the operational baseline with both Aliro mobile keys and physical cards in production.

Security update — four-vendor CVE timeline

Every major hotel-lock platform has had a public security disclosure of meaningful scale. Procurement teams running multi-vendor estates need to map remediation status across all four vendors, because the weakest-link CVE determines the property's actual access-control security posture. The table below is the comparative view that no single vendor will publish on their own product pages.

For multi-vendor estates: confirm remediation status with each vendor's service for every door in scope before scaling new card stock or running any access-control audit. A property with patched Saflok + unpatched Onity HT is only as secure as the unpatched Onity HT zone. Schedule cross-vendor remediation as a single workstream rather than per-vendor sequencing.

Separately, the **MIFARE Classic Crypto-1 cipher** is publicly broken across all hotel-lock vendors. New estates should standardise on MIFARE DESFire EV3 with AES-128 authenticated sessions; existing Classic estates should sequence DESFire EV3 migration windows. See `/solutions/hotel-key-cards/` for the card-stock procurement decision.

Disclosure Year CVE / advisory Affected scope Remediation
Onity HT-series Brocious 2012No public CVE assignedHundreds of thousands of HT-series locks globallyPort-shield kit + Torx + paid firmware update. Properties that never participated are still exposed.
Vingcard Vision F-Secure / Tuominen + Hirvonen "InsecureKeys" 2018F-Secure SA-20180424-0~140,000 hotels / 42,000 facilities / 166 countries (Vision back-end only — NOT Visionline)Patch shipped February 2018. Visionline + Vostio Access Management are not affected.
SALTO ProAccess SPACE 2019CVE-2019-19457 (stored XSS), 19458 (path traversal), 19459 (arbitrary file write / RCE), 19460 (web-server-as-SYSTEM)ProAccess SPACE ≤ 5.5 installationsFix delivered in ProAccess SPACE 5.6.
Saflok Unsaflok (Wouters + Carroll) 2024CVE-2024-299163+ million doors at 13,000+ properties in 131 countriesDoor-controller firmware update started November 2023. ~36% remediated at disclosure (March 2024).

OSDP Secure Channel — replacing Wiegand on new builds

The 1970s Wiegand reader-to-controller protocol is plain text, unencrypted and easily cloneable by a tap-on-wire attack. OSDP (Open Supervised Device Protocol) v2 with Secure Channel adds AES-128 mutual authentication between reader and controller. On a 2026 access refresh, replacing Wiegand readers with OSDP-v2-capable readers closes the wire-side attack surface that even a remediated lock + DESFire EV3 card stack leaves open.

  • **Wiegand vulnerability** — the reader sends card data to the controller in plain text over a two-wire interface. A tap-on-wire attack between reader and controller captures every credential without ever touching a card. Even when the chip is DESFire EV3 and the lock firmware is fully remediated, Wiegand on the back end is the weak link.
  • **OSDP v2 Secure Channel** — adds AES-128 mutual authentication between reader and controller. The reader and controller exchange a session key at start-of-session; all subsequent traffic is encrypted. Tap-on-wire attacks become useless.
  • **Migration strategy** — most properties on a Wiegand-based reader infrastructure can migrate to OSDP without changing the lock itself by replacing the reader head. New-construction hospitality projects should specify OSDP v2 + Secure Channel as the default; legacy estates should phase OSDP migration during the next access-control refresh cycle.
  • **SIA standards body** — Security Industry Association maintains the OSDP standard. SIA has published "There Is a Hole in the Boat" (November 2021) calling Wiegand insecure and recommending OSDP migration across the access-control industry.
  • **Dual-protocol readers** — many current readers support both Wiegand (legacy controller compatibility) and OSDP (forward-compatible). Procure these on a 2026 refresh so the property can migrate to OSDP back-ends without touching readers a second time.

PMS integration — Oracle OPERA Cloud, Mews, Apaleo, Cloudbeds, Sabre SynXis

The PMS connector decides whether an access-control programme operates as a single property-wide system or as a federation of vendor silos. Oracle OPERA Cloud's `roomKeysOutbound` action enum is the de-facto standard PMS integration interface across major hotel-lock vendors; each lock vendor exposes its own local encoding agent that bridges the cloud PMS to USB / Ethernet encoder hardware.

  • **Oracle OPERA Cloud** — integrate via `roomKeysOutbound` configuration with GUESTKEY_GENERIC outbound type. Supported actions: New / Duplicate / One-shot / Read / Delete key. Same shape across major hotel-lock vendor connectors. OPERA 5 (on-premise) supported via legacy serial interface.
  • **Mews** — Mews Open API integrates with Saflok, Vingcard, SALTO, Onity, Häfele Dialock and MIWA per published partner integrations. Requires vendor-specific connector (Saflok HMS, Dialock HMS, etc.) co-installed on front-desk PC.
  • **Apaleo** — listed as integration partner across Vingcard VConnect, Häfele Dialock, SALTO and others. Common for cloud-native independent and small-chain operators.
  • **Cloudbeds** — listed on Vingcard VConnect; documented integration with Saflok, SALTO and others.
  • **Sabre SynXis** — integration with hotel-lock vendors typically runs through SynXis Property Hub or SynXis Central Reservations connector to the lock-vendor back-end.
  • **Multi-property chain operations** — chains running multiple PMS deployments across properties standardise on the lock-vendor side (one connector per vendor) rather than the PMS side. Mixed PMS estates use the lock-vendor's back-end as the integration anchor.

CapEx + OpEx framing — 100-key vs 500-key vs 2,000-key property

Whole-property RFID access-control programmes have a well-understood cost shape. The table below gives indicative ranges for three property profiles; actual quotes vary by reader-class mix, encoder count, mobile-credential rollout scope and lock-vendor choice.

  • **Density discount** — per-door hardware + install cost drops roughly $200–500 per door at 70+ door scale due to amortised mobilisation and installer-day economics.
  • **Cloud-SaaS pricing** — typical $3.50–15 per door per month range covers Saflok Ambiance, Vingcard Vostio, SALTO KS at chain-negotiation tier. Property-by-property pricing tends higher.
  • **Mobile-key Aliro CapEx** — one-time integration with the PMS + lock-vendor mobile-credential back-end. After rollout, ongoing cost is bundled in the SaaS subscription.
  • **Annual maintenance** — typically 5–10% of per-door hardware cost for routine maintenance, battery replacement, firmware updates and warranty servicing.
  • **ROI consideration** — modern access-control hardware has 7–10-year service life. Total cost of ownership over 7 years amortises to ~$300–400 per door per year all-in.
Cost driver 100-key boutique 500-key full-service 2,000-key resort / convention
Per-door hardware + install (baseline) $1,700–2,500$1,500–2,200 (density discount)$1,200–1,800 (volume discount)
Front-desk encoder hardware $3,000–8,000 (1 encoder)$8,000–20,000 (2–3 encoders)$20,000–50,000 (4–8 encoders)
Back-end software (cloud SaaS) $3.50–15/door/month$3.50–15/door/month$3.50–15/door/month
Elevator destination dispatch RFID integration n/a (low-rise)$15,000–40,000 per elevator bank$30,000–80,000 per bank × multiple banks
Parking gate RFID (UHF) $5,000–15,000$15,000–40,000$40,000–120,000
Amenity-zone readers (pool / gym / spa / etc.) $8,000–20,000$20,000–60,000$60,000–200,000
Annual maintenance / replacement $300–800/door/year$300–800/door/year$300–800/door/year
Mobile-key Aliro rollout (one-time) $10,000–30,000$30,000–80,000$80,000–200,000

Compliance overlay — PCI DSS v4.0, GDPR, ADA, ISO/IEC 27001

Hospitality access control crosses four compliance regimes that intersect at specific control points. Treat the compliance layer as a procurement gate, not a post-hoc audit.

  • **PCI DSS v4.0** — triggered when amenity / POS spend flows through the PMS that issues access credentials. Named control of relevance: 15-minute idle session timeout (the only PCI DSS control with a specific time value). Reader-to-controller traffic on OSDP Secure Channel satisfies the encryption-in-transit requirement.
  • **GDPR (EU 2016/679)** — access logs are personal data when tied to guest identity. Article 32 mandates appropriate technical / organisational measures including retention limits; typical retention is 30–90 days for routine guest access, longer for staff and BOH zones. Document the retention policy in the privacy notice.
  • **ADA / ICC ANSI A117.1** — §308–309 specify operable-parts reach range 34–48 inches AFF (Above Finished Floor) for forward-reach and side-reach scenarios. Reader-mount height needs to fall in this range on all guest-accessible doors. The U.S. Access Board Chapter 4 also covers maneuvering-clearance overlap rules for door hardware.
  • **ISO/IEC 27001 / 27002** — Annex A controls A.7 (physical entry) and A.9 (access control) apply to the property's information-security management system. Hospitality chains pursuing ISO 27001 certification need documented procedures for credential issuance, revocation, periodic review and audit-log retention.
  • **CCPA (California Consumer Privacy Act)** — applies to California-resident guest access data. Similar controller / processor framework to GDPR.
  • **Industry-specific** — PCI DSS v4.0 is the only major framework with a specific named time-value (15-min idle timeout); ISO 27001 + GDPR are framework-level. Document the named PCI value in supplier RFP responses to distinguish from generic "compliance-friendly" claims.

Pilot validation checklist — whole-property test plan

A whole-property access-control pilot should exercise every zone, every reader class, every credential factor, every integration partner, and every compliance gate before scaling. Scaling without complete pilot validation produces predictable expensive retrofits.

  • **Per-zone validation** — test the credential on at least one door / reader from every zone in the matrix above. Mismatch between zones (e.g., room-door reader accepts DESFire EV3 but pool-area reader is still Classic-only) is the #1 cross-zone failure mode.
  • **Elevator destination dispatch end-to-end** — validate the round-trip from PMS → lock-vendor encoder → elevator-vendor lobby reader → car assignment → in-car reader (for club-floor gating). Both lock vendor and elevator vendor need to confirm credential format compatibility.
  • **CVE remediation confirmation** — for every lock vendor in scope, confirm remediation status with vendor service. Saflok CVE-2024-29916, Vingcard Vision 2018, SALTO 2019 cluster, Onity HT 2012 each need explicit confirmation.
  • **Aliro mobile credential** — pilot the Apple Wallet + Google Wallet + Samsung Wallet credential delivery flow if mobile keys are in scope. Confirm BLE proximity behaviour at expected reader sites.
  • **OSDP v2 Secure Channel validation** — if migrating from Wiegand, confirm OSDP Secure Channel handshake on each reader-controller pairing.
  • **PCI DSS / GDPR / ADA compliance** — exercise the 15-minute idle timeout; verify reader-mount height with tape measure (not eyeball); confirm access-log retention is set per policy.
  • **100-200 credential pilot batch** — produce a pilot batch of 100–200 cards (or BLE credentials) and exercise full PMS round-trip (issue / extend / replace / cancel) on live reservations before scaling to full property.

Useful next pages

Use these linked product, guide and comparison pages to keep the next click specific and practical.

Access-control catalogue + adjacent solutions

Card SKUs, keyfobs, wristbands and reader products for the whole-property programme.

ASSA ABLOY-compatible hotel cards RFID keyfobs (staff zones) RFID readers RFID wristbands (all-inclusive resort) Hotel key cards (SKU procurement) RFID keyfob access control

Vendor compatibility guides

Per-vendor compatibility detail for the seven major hotel-lock platforms.

Saflok compatibility Vingcard compatibility SALTO compatibility Onity compatibility MIWA compatibility Häfele Dialock compatibility Be-Tech compatibility

Related editorial

Background reading on hotel access-control architecture.

How hotel RFID key cards work Hotel key card encoding explained RFID elevator floor access NFC door locks & RFID cards

FAQ

How do I design a hotel access-control system across all the zones in a whole property?

Map every zone to a reader-class + credential-factor combination. The matrix above lists 13 typical zones (guest room, club floor, BOH, IT vault, loading dock, elevator lobby, parking gate, EV charger, pool, gym, kids' club, conference rooms, executive lounge) with the recommended reader class (HF 13.56 MHz for doors and amenity zones; UHF 860–960 MHz for parking and EV charger long-range) and the credential factor (card-only, card + PIN, card + biometric for IT vault). One physical card should resolve to all the zones the guest is entitled to use; PMS-driven profiles control which zones the card opens. Plan the elevator destination dispatch integration as a separate workstream because it crosses two vendors (lock + elevator).

How does RFID elevator destination dispatch work?

Most modern tower hotels run destination-dispatch elevator control: the guest presents an RFID credential at a lobby terminal (KONE Destination, Otis Compass, Schindler PORT, Mitsubishi DOAS, Hitachi DFRS). The terminal reads the card, queries the destination floor from the PMS via the lock-vendor back-end, assigns an elevator car, and displays the car letter / number to the guest. The guest walks to the assigned car; some systems also have an in-car reader for club-floor gating where only the elevator stops at certain floors are allowed without a credential. Schindler PORT (originally Miconic 10, 1992) is the world's first destination-dispatch system; modern systems are functionally similar but with deeper RFID and BLE mobile-credential integration. Integration testing typically runs 2–3 weeks per property; both lock vendor and elevator vendor need to confirm credential format compatibility.

What is Aliro 1.0 and when should we plan for it?

Aliro 1.0 is the Connectivity Standards Alliance (CSA) unified standard for digital keys in mobile wallets across Apple, Google and Samsung, released February 2026. Before Aliro, every hotel-lock vendor implemented Apple Wallet, Google Wallet and BLE mobile keys via vendor-specific app integrations. Aliro standardises the credential format and the BLE / NFC / UWB transport so one credential issued through the hotel PMS works on every wallet platform. Vingcard, Saflok, SALTO and Onity have all signalled Aliro support roadmaps. 2026 is the vendor-selection / pilot year; 2027 is full-line rollout; 2028 is operational baseline. Physical cards remain the baseline for ADA / mobile-device-failure / walk-in-without-app scenarios.

Should we worry about CVE-2024-29916 (Saflok) and the Vingcard / SALTO / Onity CVEs in a 2026 procurement?

Yes — every major hotel-lock platform has had a public security disclosure of meaningful scale. Saflok CVE-2024-29916 (March 2024) affected 3+ million doors at 13,000+ properties in 131 countries; remediation requires a door-controller firmware update that dormakaba began shipping November 2023. Roughly 36% were remediated by disclosure. Vingcard Vision 2018 F-Secure disclosure (~140,000 hotels; patched Feb 2018; Visionline and Vostio NOT affected). SALTO ProAccess SPACE 2019 CVE cluster (CVE-2019-19457/19458/19459/19460; fixed in 5.6). Onity HT 2012 Brocious (no formal CVE; port-shield + firmware kit). For multi-vendor estates, the weakest-link CVE determines the property's actual security posture — map remediation status across every vendor before adding card stock or running an audit.

What is OSDP v2 Secure Channel and why does it matter for hotel access control?

OSDP (Open Supervised Device Protocol) v2 with Secure Channel replaces the 1970s Wiegand plain-text reader-to-controller protocol with AES-128 mutual authentication. Wiegand is plain text on the wire between reader and controller — a tap-on-wire attack captures every credential without ever touching a card. Even a remediated lock running DESFire EV3 cards is only as secure as the Wiegand wire. OSDP Secure Channel encrypts the reader-controller exchange and closes this attack surface. New-construction projects should specify OSDP v2 + Secure Channel as the default; legacy estates should phase OSDP migration during the next access-control refresh. Dual-protocol readers support both Wiegand (legacy controllers) and OSDP (forward-compatible).

What ADA / accessibility constraints apply to hotel reader siting?

ICC ANSI A117.1 §308 (forward reach) and §309 (side reach) specify operable-parts reach range 34–48 inches AFF (Above Finished Floor). Reader-mount height on guest-accessible doors needs to fall in this range. The U.S. Access Board Chapter 4 covers maneuvering-clearance overlap rules for door hardware. For lock-face readers (typical hotel guest room), the reader is integrated into the lock fixture and follows the lock-vendor's published mounting spec. For wall-mounted readers (elevator lobby, BOH, amenity zones), the 34–48-inch AFF range is the procurement target; document this in the supplier RFP response.

How does PCI DSS v4.0 affect a hotel access-control programme?

PCI DSS v4.0 is triggered when amenity / POS spend flows through the PMS that issues access credentials. The named control of operational relevance is the 15-minute idle session timeout — the only PCI DSS control with a specific named time value. Reader-to-controller traffic on OSDP Secure Channel satisfies the encryption-in-transit requirement; access logs must be retained per PCI logging policy. Document the named 15-minute value in supplier RFP responses to distinguish from generic compliance claims. For properties where PMS spend tracking is fully decoupled from access-credential issuance, PCI DSS scope may be reduced; consult the property's QSA on scoping.

What is the typical CapEx for whole-property access control across 100 / 500 / 2,000 keys?

Per-door hardware + install runs $1,700–2,500 per door at 100-key boutique scale; $1,500–2,200 per door at 500-key full-service (density discount); $1,200–1,800 per door at 2,000-key resort / convention (volume discount). Front-desk encoder hardware: $3,000–8,000 (1 encoder, 100-key) to $20,000–50,000 (4–8 encoders, 2,000-key). Back-end cloud SaaS: $3.50–15 per door per month. Elevator destination dispatch integration: $15,000–40,000 per elevator bank. Parking gate UHF: $5,000–120,000 depending on scale. Amenity-zone readers: $8,000–200,000. Annual maintenance: $300–800 per door per year. Mobile-key Aliro rollout one-time: $10,000–200,000. Total cost of ownership over 7-year service life amortises to ~$300–400 per door per year all-in.

How do we handle a mixed-vendor lock estate (Saflok + Vingcard + SALTO across multiple properties)?

Three patterns work. (1) Single-credential-across-vendors — issue one MIFARE Plus EV2 SL3 or MIFARE DESFire EV3 SKU that reads on every vendor's current reader heads. Limit: older Vingcard E100 / C100 readers don't accept DESFire EV3, so this works only when all vendors are on current reader-types. (2) Per-vendor card stock with PMS as the integration anchor — issue Vingcard SKU for Vingcard properties, Saflok SKU for Saflok properties, SALTO SKU for SALTO properties, all managed through one chain-level PMS connector. Higher card-stock complexity but maximum compatibility. (3) Aliro mobile credential as the unifier — once Aliro 1.0 is rolled out across all vendors in 2026–2028, the same mobile credential works on every vendor's reader. This is the medium-term path for chains with three-plus vendor estates.

Sources & references

Primary standards, OEM datasheets and regulatory documents cited by this article. All URLs were verified on the access date shown below.

  1. CVE-2024-29916 — NIST NVD (Unsaflok)NIST NVD · Mar 1, 2024 · accessed May 11, 2026

    Saflok master-key forgery vulnerability — 3M+ doors, 131 countries; ~36% remediated at disclosure.

  2. Unsaflok researcher disclosure siteWouters / Carroll et al. · Mar 21, 2024 · accessed May 11, 2026

    Primary technical disclosure. November 2023 firmware fix rollout.

  3. Wired — Hackers Found a Way to Open Any of 3 Million Hotel Keycard LocksWired (Andy Greenberg) · Mar 21, 2024 · accessed May 11, 2026

    General-press authority for Unsaflok scale figures.

  4. Wired — One-Minute Attack Let Hackers Spoof Hotel Master Keys (Vingcard Vision)Wired · Apr 1, 2018 · accessed May 11, 2026

    F-Secure Vingcard Vision disclosure — 140,000 hotels affected.

  5. Schneier on Security — Vingcard Vision security vulnerabilityBruce Schneier · Apr 1, 2018 · accessed May 11, 2026

    Independent expert analysis of the Vision attack.

  6. CVE-2019-19457 — NIST NVD (SALTO ProAccess SPACE)NIST NVD · Dec 1, 2019 · accessed May 11, 2026

    Stored XSS in ProAccess SPACE ≤ 5.5 — fixed in 5.6.

  7. SEC Consult — SALTO ProAccess SPACE advisorySEC Consult · Dec 2, 2019 · accessed May 11, 2026

    All four SALTO CVEs in one disclosure.

  8. Cody Brocious — DEF CON 20 talk (Onity HT-series, 2012)DEF CON · Jul 1, 2012 · accessed May 11, 2026

    Original Onity HT-series disclosure — no public CVE assigned.

  9. Aliro 1.0 specification release (MacRumors coverage)MacRumors · Feb 26, 2026 · accessed May 11, 2026

    Aliro 1.0 CSA release — unified Apple / Google / Samsung digital-key standard.

  10. CSA Aliro working groupConnectivity Standards Alliance · accessed May 11, 2026

    Authoritative Aliro programme reference.

  11. Schindler PORT destination dispatch (elevator)Schindler · accessed May 11, 2026

    World's first destination-dispatch system (Miconic 10, 1992); current PORT terminals accept RFID hospitality credentials.

  12. Otis Compass destination dispatchOtis Elevator Company · accessed May 11, 2026

    Compass / Compass360 family with RFID + mobile credential support.

  13. KONE Destination control systemKONE · accessed May 11, 2026

    KONE Destination integrates with hotel RFID lobby readers via TCP/IP.

  14. AMAG Elevator Destination Dispatch whitepaperAMAG / Allied Universal · Dec 1, 2023 · accessed May 11, 2026

    Multi-vendor (KONE / Otis / Schindler) destination dispatch integration architecture.

  15. Destination dispatch — WikipediaWikipedia · accessed May 11, 2026

    Industry timeline — Miconic 10 (1992), Compass / Polaris (2005).

  16. SIA — Open Supervised Device Protocol (OSDP) pageSecurity Industry Association · accessed May 11, 2026

    OSDP v2 AES-128 Secure Channel reference.

  17. SIA — There Is a Hole in the Boat (Wiegand → OSDP migration)Security Industry Association · Nov 9, 2021 · accessed May 11, 2026

    Industry-body case for migrating away from Wiegand to OSDP Secure Channel.

  18. NIST SP 800-116 Rev 1 — PIV Credential Use in Facility PACSNIST · Jun 1, 2018 · accessed May 11, 2026

    Reference framework for physical access-control credential design.

  19. U.S. Access Board — Chapter 4 (Entrances, Doors, and Gates)U.S. Access Board · accessed May 11, 2026

    ADA reach-range and maneuvering-clearance requirements for hotel reader mounting.

  20. Oracle OPERA Cloud roomKeysOutbound configurationOracle · accessed May 11, 2026

    GUESTKEY_GENERIC outbound type with New / Duplicate / One-shot / Read / Delete action enum.

  21. Apple Developer — HCE NFC in appsApple · accessed May 11, 2026

    iOS HCE NFC support for hotel-key applications.

  22. CNBC — Apple and Google Wallets want to make hotel room key cards obsoleteCNBC · Sep 1, 2024 · accessed May 11, 2026

    Mainstream press validation of the mobile-wallet hotel-key trend.

10+ Years RFID Manufacturing
ISO 9001 Certified Factory
500+ Enterprise Clients
50+ Countries Served

Proud Tek is a Shenzhen-based RFID & NFC manufacturer supplying hotel chains, transit operators, event venues and retail brands worldwide. Every order includes free samples, RF testing and dedicated project support.

Get a Quick Quote

Tell us about your project and we'll respond within one business day. Fields marked (asterisk) are required.

We'll only use this to reply to your inquiry.
Optional, but helps us route your inquiry faster.
e.g. 5,000 pcs
e.g. hotel, event, asset tracking
Chip preference, timeline, special requirements...

Next step

Ready to discuss your project?

Use the contact route when you are ready for pricing, samples, or compatibility help, or continue into the linked product and comparison pages below.

Get a whole-property access control plan ✉ Email inquiry directly Browse vendor compatibility guidesHotel key cards (SKU procurement)Compare chip families