PCI Compliance Woes on the Road
FRAUD, FINES, AND OTHER COMPLIANCE ISSUES.
The music business has long used show tickets as currency for friends and industry contacts - usually they are some of the best tickets in the house. Most of the time these days they aren’t free - “no comp” tours are the norm. If you are “privileged” enough to be invited by the tour, often you are asked to fill out a form and fax or email it with your personal and credit card information. And the good folks from the tour who process these forms have no idea that they are conducting millions of dollars of commerce in probably the most risky and non-compliant method imaginable, putting themselves, their VIPs, and their credit card processor at great risk of fraud, fines, and other compliance issues.
But VIP ticketing for tours is not subject to PCI regulations, right? Not on your life. According to Eric Drago of NitroSecurity, a Portsmouth-based security information and event management solutions company, tours processing VIP tickets are subject to the compliance rules:
“Any entity that stores, processes or transmits payment card data must be in compliance with the PCI Data Security Standard (PCI DSS), or risk fines and losing its ability to process credit card transactions. PCI compliance isn’t limited to those businesses conducting sales through an e-commerce Web site. If your business collects credit/debit card data written on paper, or holds credit/debit cards, then PCI compliance applies to your business as well.”
A Wall Street Journal article stated that over 80% of credit card breaches occur at small businesses and that Visa levied over $3.3MM in fines in one year. The article also discusses a case study of Lodi Beer, a small California micro-brewery. When its data was breached, Visa and MasterCard fined Abanco, the restaurant’s merchant account provider, $27,000. Abanco in turn passed that fine on to the restaurant. In addition to the fines, this merchant has spent over $50,000 in remediation costs, legal fees, upgrades, etc. That is a huge amount of money for a small business.
The Rules
There are 12 requirements for compliance - what are some of them?
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
Processing VIP ticket requests with forms (Excel, Word, PDF) that must be insecurely faxed or e-mailed, THEN printed out and physically distributed, with no systematic way of disposing of the information, violates all of the 12 requirements. (Some tours even ask for copies of the driver’s license and the physical card.) All it takes is one complaint and your whole operation is at risk. One mishandled e-mail and you have someone stealing the singer’s wife’s sister’s ID.
Once a merchant is even suspected of a breach, a team of PCI-DSS certified forensics security examiners swoops in to review and inspect its business practices. This examination can take anywhere from a few days to several weeks, depending on the complexity of the systems involved. The cost of a data breach for a Level 4 merchant (small business) averages $36,000 and can be as high as $50,000.
We provide a PCI compliant solution to combat this - Live Access. VIPs’ ticket requests are conducted securely and safely online - we encrypt all sensitive information (personal and credit card info) and password protect each user’s account.
The Live Access ticketing system was designed to handle VIP ticketing. It takes the headache out of collecting requests, responding to them promptly, approving them, and finally charging for them. We attend lots of events that don’t use our system and just scratch our heads at why tours choose to take on this risk and process transactions with paper and e-mailed forms. If you don’t use a system like this, then at least be familiar with the risks and regulations by checking out information like this from Visa on what you need to do if your data is compromised.