There are two ways to do this:

One way involves reprogramable cards and readers that expect cards in a certain sequence. The hotel programs the card for the next one in that reader’s sequence and when it’s used the old one is deactivated. This is the less expensive option and the one used by most hotels.

The other way – and the one I’m more familiar with from work – uses pre-programed cards and a server with a database of which cards are allowed to open which doors. It’s a simple matter of reading in the new card and deactivating the old one in the database. While this option is more expensive it is also, in theory at least, more secure. Plus preprogrammed cards are less expensive than reprogramable ones, so while the up front cost is more it’s probably less expensive in the long run, especially for a hotel, where they can expect to go through a lot of cards.

Simply put… You don’t program the card you just let the lock know what card to expect.

Imagine there are only 100 cards in the world numbered 1-100. When you check in you are given card #8 and the front desk computer tells the lock at your room to accept card #8.

If you lose it, the front desk computer says “forget #8 only take #55 now”

Hotel receptionist here (Even now I’m at work)
It’s not very ELI5 but I don’t know how to simplify it.

All doors have a battery-operated microchip that has its own “name” (namely room number)

A room card is basically a really dumbed down contactless debit card on its inside. We program in the room number and checkout date on a programmer so your card stops working after your stay (so you couldn’t freeload). The microchip is more or less smaller programmer on read-only. When you put your card near the door, it reads if the card is for its room and if the date is valid. If everything is in order, it opens the door.

Now, say you lost your door card. We make you a new one. How does it know if the old ones are obsolete and shouldn’t open the door to them?

Technician told me every card has ID and you disable the old ones by telling the microchip with the new card “HEY, I’m the new card, old one is made obsolete, they overrode it sooo don’t let it in”.

TL;DR The new door card tells the door to not let the old card in.

Each card has a unique identifier, usually a magnet or rfid tag embedded in the card. It works sort of the same as a bluetooth pairing. The cards require no power, but once inserted into a lock the lock just reads the interference from the magnet on the card. If the card has a rfid module then it just needs to come in proximity. The lock emits a constant pulse or radio frequency that in turn energizes the rfid module and it transmits it’s information back to the lock.

The concierge only has to manipulate the pairing of your card and lock from a computer terminal. They can either deny or grant you permission based on the specific ID of your card. It works exactly like any modern credit card.

Currently working in a hotel. Front Desk make you a new key, you bring it in and insert/ swipe the lock.
Lock is now only remember the new key, old key is forgotten. FD can make as many duplicates of the new key as they wish.
Keys can be programmed to expired on the check out date, or certain rooms/ floors, etc

I’ve actually built and designed a few of these systems (one for multifamily apartments, one for hotels). The basic approach I used in both was a small amount of onboard memory on the lock.

There are a number of “passes” defined (maintenance/cleaning, floor-level, admin, tenant/guest, etc). Some locks are connected over WiFi or zwave/ZigBee, or even through a cable running through the door frame + hinge. Upon scanning a card, the lock either checks the onboard memory or asks the server for validity. There are tradeoffs to both, but I will leave those out.

When the front desk issues a pass, they can also deactivate old passes, duplicate cards, etc. Then the connected lock receives the update and begins to reject the old card. This is the same mechanism used to extend a stay or check out early.

Some off the shelf systems utilize a programming “gun” with an authorization key. That key gets scanned at the door and then the gun updates the onboard memory. This is low sophistication but also works for disconnected systems or after power outages.

EDIT: proof. https://imgur.com/a/JF7sivR

In that case, how do they make the card valid only up to a certain time on your checkout day? And then extend it for example, to 3pm or something like that?

I can actually answer this one, I did roomcard installation and training for hotels a good while back.

The swiped cards have a few different things built-in as part of the identity stripe they program into each card.

Every time your card is created, there’s a space in the magnetic band/RFID feedback that has:

* Your room number
* Duration of validity
* Is this a new assignment

When you first get your key, your key will have the option for ‘new assignment’ turned on. The moment it swipes into the lock, the lock sees the flag and goes ‘oh, this is my new master key now and it will be valid for ‘this long”. Each time a ‘new assignment’ key is swiped in, the old data gets over written in favor of the new key’s identity. This is how basic access control is done.

If the front desk needs to make a copy, they can make a copy without turning on the ‘new assignment’ flag.

Once the assignment expires, the keys are no longer valid and the lock will sit as-is until the next ‘new assignment’ is swiped.

You have card I’d 00002 and card I’d 00003.

They set room 52 to open on card 00002 , you loose 00002, they just tell door 52 to not open on card 00002 and open on card 00003.

When I worked at a student ID office, the mag strip on the card had an ID number plus a rotating digit that started at zero. If we made a replacement card, we printed a new one with a “1” digit. We then updated our system software so that only the “1” card would work.