
> I believe it's then up to the receiver of the fax to physically secure it.

Yes, I get it. Once you fax it to the hotel, it's not your problem. But how does it make things any better for me? You are still PCI compliant, but the customer now has his info passed to a random hotel clerk.




I think you might be making the implicit assumption that this is somehow shady or out of the ordinary when it comes to credit cards.

When you hand your credit card over to any clerk anywhere you're giving them access to your name and credit card number. If you hadn't booked through an OTA your credit card number would have likely been manually written down anyway on a piece of paper by the clerk at the desk.

All of this is PCI compliant. In order to process payments at all, the hotel has a contract with the credit card company (or a local bank by proxy) which stipulates that they have to adhere to the relevant PCI standards.

Could this be more secure? Of course it could. But credit cards were never meant to be secure. They explicitly take convenience and the ability to do offline payments (writing down your credit card number for later) over security. If anything goes wrong they'll use some of the money they get from transaction fees to refund fraudulent payments.



