The music business long has used show tickets as currency for friends and industry contacts - usually they are some of the best tickets in the house. Most time these days they aren’t free - “no comp” tours are the norm. If you are “privileged” enough to be invited from the tour, often you are asked to fill out a form and fax it or email it with your personal and credit card information. And the good folks from the tour who process these forms have no idea that they are conducting millions of dollars of commerce in probably the most risky and non-compliant method imaginable, putting them, their VIPs, and their credit card processor at great risk for fraud, fines, and other compliance issues.
But VIP ticketing for tours is not subject to PCI regulations, right? Not on your life. According to Eric Drago, a Portsmouth-based NitroSecurity, a security information and event management solutions company, tours processing VIP tickets are subject to compliance rules:
“Any entity that stores, processes or transmits payment card data, must be in compliance with the PCI Data Security Standard (PCI DSS), or risk fines and losing its ability to process credit card transactions. PCI compliance isn’t limited to those businesses conducting sales through an e-commerce Web site. If your business collects credit/debit card data written on paper, or holds credit/debit cards then PCI compliance applies to your business as well.”