Hyatt, Sheraton, Marriott and Westin hotels in 10 US states and the District of Columbia may have been targeted by hackers for months, operator HEI Hotels & Resorts said.
Malware put into place in at least 20 locations may have collected names, card account numbers, card expiration dates and verification codes, according to HEI.
Data from customers may have been collected from early December through to late June.
At some properties, HEI said, data collection may have begun as early as March 2015 at hotel locations where people bought food or drinks.
HEI said in a statement: "We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered."
The firm said that once it found out about the problem, it transitioned payment card processing to a standalone system that is completely separate from the rest of its network.
It disabled the malware and is in the process of reconfiguring various components of its network and payment systems to make them more secure.
The company said it is continuing to co-operate with the law enforcement investigation and co-ordinating with banks and payment card companies.
Anyone who used a card at HEI hotels in the given timeframe should review their account statements and look for discrepancies or unusual activity, both over the past few months and going forward, the company said.
Customers who notice anything out of place should contact their credit or debit card issuer.
The company said the breach has been contained and customers can safely use cards at all of its properties.