Hotel Reservation Platform Leaves Millions of People Exposed in Data Breach (websiteplanet.com)
34 points by known on Nov 7, 2020 | hide | past | favorite | 7 comments


According to the article the breach included credit card CVC numbers, which should never be stored. This is a huge deal.


The reason they are stored is that hotels need a way to 'guarantee' the booking. This means if you don't turn up they can still charge you for (e.g.) the first night of your trip. A pre-authorization wouldn't work, as these typically only last for 30 days and, as I understand it, can still be declined in some cases. I assume hotels would prefer to use their own credit card terminal vs. Booking.com et al., as they get better rates, so even charging for the first night wouldn't be great. I'm not saying this is right, but there are good reasons behind it.


Unless you are a credit card ISSUER, there are no good reasons for storing CVV numbers, and it's actually PCI non-compliant. Do not do this: the fine is high and is per CVV stored. Don't even store these in logs.
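The "don't even store these in logs" point above is where card data most often leaks in practice, because request bodies and exceptions get logged wholesale. The following is an added example, not code from the article, the breached platform, or any commenter: a small log scrubber that masks card numbers (13 to 19 digit runs that pass the Luhn check, keeping only the first six and last four digits) and redacts CVV/CVC values both in free-text log lines and in structured payloads. The field names (`cvv`, `cvc`, `security_code`), the regexes and the sample booking payload are assumptions constructed for the example.

```python
"""Scrub card data (PAN, CVV/CVC) from log messages and payloads before they are written.

Added example for illustration; the key names and sample data below are constructed,
not taken from any real system.
"""
import logging
import re

# 13-19 digits, optionally separated by spaces or dashes (typical PAN formats).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# key=123, key: 1234, "key": "123" ... for the (assumed) CVV-style field names.
CVV_RE = re.compile(r'(?i)\b(cvv2?|cvc2?|security[_ -]?code)("?\s*[:=]\s*"?)\d{3,4}')

# Keys treated as sensitive in structured payloads (assumed names).
SENSITIVE_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "security_code"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: "re.Match") -> str:
    """Mask a candidate PAN if it is Luhn-valid; otherwise leave the text untouched."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # e.g. an order reference that merely looks numeric
    # PCI DSS permits showing at most the first six and last four digits.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str) -> str:
    """Mask PANs and redact CVV-style values inside a free-text string."""
    text = PAN_RE.sub(_mask_pan, text)
    return CVV_RE.sub(r"\g<1>\g<2>[REDACTED]", text)


def redact_obj(obj):
    """Recursively scrub a decoded JSON-like object (dicts, lists, strings)."""
    if isinstance(obj, dict):
        return {
            k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact_obj(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_obj(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def scrub_log_message(msg, args=()) -> str:
    """Format a log message with its args first, then scrub the rendered string.

    Scrubbing after formatting matters: a template like 'cvc=%s' carries no digits
    until the args are substituted, so scrubbing msg and args separately would miss it.
    """
    text = msg % args if args else str(msg)
    return redact_text(text)


class CardDataFilter(logging.Filter):
    """logging.Filter that rewrites every record so card data never reaches a handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_log_message(record.msg, record.args)
        record.args = None      # already substituted into record.msg
        return True


if __name__ == "__main__":
    log = logging.getLogger("booking")
    handler = logging.StreamHandler()
    handler.addFilter(CardDataFilter())
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample payload; 4111 1111 1111 1111 is a well-known test number.
    booking = {"guest": "A. Person",
               "card": {"number": "4111-1111-1111-1111", "cvc": "123", "exp": "12/24"}}
    log.info("guarantee failed for %s", redact_obj(booking))
    log.info("raw form: card=4111 1111 1111 1111 cvc=123 ref=1234567890123")
```

Attach the filter to every handler (or install it at the root logger) rather than relying on call sites to remember it; the Luhn gate is what keeps the PAN mask from eating order references and timestamps, but a random 13 to 19 digit number still passes Luhn roughly one time in ten, so treat the masking as a safety net behind never logging request bodies that can carry card fields at all.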


Disclaimer: I work for one of the biggest OTAs in the world, precisely in the accommodation area.

You are describing what could be a reason to keep those CC details, but there are definitely other ways to do it, including delegating vaults to third parties.

This is a major fuck-up and there's no way to sugar coat it, I'm afraid.


There might be reasonable issues, but it still does not look compliant with credit-card processing rules to me. I hope they have some exception in their contracts, or someone upstream is going to put them out of business with lawsuits and bans.


There are no contract exceptions that would allow this. It's fundamentally not PCI compliant for a merchant to store CVV.


How do they know the card will still be active? The only way to guarantee is to charge it in advance, which doesn't require storing the CVV.
