Tag: event technology

How to Make Sure Your Event Emails Don’t Get Marked as Spam

When social media first started to make its impact in the events industry, many felt that email would no longer be the marketing powerhouse it once was. But we are now in 2016, and email marketing is as strong as it has ever been. In fact, it remains a top priority for organisations, with nearly 72% planning to spend more time on email production and more than 80% reporting that they will increase their email marketing budgets over the next year1.

Like it or not, email still remains the most effective marketing tool for your events today. It lets you reach out beyond the constraints of your event website or app and into your delegates’ personal space. It is also a very controlled experience where you, as the event planner, can decide everything from what it looks like, what time it shows up, the call to action and what kind of personalised content to use. More importantly, it is measurable. You can analyse things like open and click-through rates and measure each campaign for its effectiveness.

But with more than 20 percent of legitimate marketing emails never reaching the recipient’s inbox, what steps should event planners take to ensure the successful delivery of their email campaigns? In 2015, spam messages accounted for 53% of email traffic worldwide2 and as a result, email providers have raised the standards for filtering which emails are sent to junk mail folders.

Your delegates’ mail servers and applications use different ways of ‘scoring’ each mail – if the score is too high, then your email invitation, for example, will be classified as spam and may not be delivered to your delegate. The problem is that each spam filter works a bit differently and ‘passing’ scores can vary. Your email invitation could pass through one delegate’s spam filter, but get flagged by another’s as junk. Spam filters can sometimes even sync up with each other to share what they’ve learned, and this will also affect the variability of your spam score.

Unfortunately, there is no foolproof formula for addressing this, as filtering criteria are constantly growing and changing. There are, however, some basic steps you can take that will help you reduce your email spam score:

Check Your Email Settings & Configuration

Your delegates’ email servers are likely to reject your event emails when the address of your sending server doesn’t match the sender address on the email. For example, you may be using your registration software’s mail server (e.g. info@eventtech.com) to send out your email invitations, but the ‘sender’ address on the email that appears in your delegate’s inbox is registrations@myevent.com.

To solve this problem, contact the person or organisation that manages your domain – in this case, myevent.com – and ask them to add ‘eventtech.com’ to the SPF record (Sender Policy Framework) for that domain. This tells your delegates’ servers that eventtech.com is allowed to send emails on your behalf.
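To see what a receiving mail server actually does with that SPF record, here is a small offline SPF evaluator written as an added example (it is not Eventsforce code or any real mail server’s). It replaces DNS with a constructed table, so the domain names, IP ranges and records are all hypothetical; it walks `include:` mechanisms the way RFC 7208 describes and also shows the two failure modes a practitioner meets in practice: the provider missing from the record, and an `include:` chain exceeding the ten-lookup limit.

```python
"""Offline SPF check for the 'sender does not match' scenario above.

Added example, not the article's or any vendor's code.  Evaluates the SPF
record of the 'From' domain (myevent.com) against the IP address of the
sending server (the registration software at eventtech.com), following
include: mechanisms as a receiving server would.  DNS is replaced by a
constructed in-memory table so it runs offline; every name and address
below is hypothetical.
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups (hypothetical values).
DNS_TXT = {
    # Correct setup: myevent.com delegates to the provider via include:
    "myevent.com": "v=spf1 include:eventtech.com -all",
    # The provider's own record lists the ranges it sends from
    "eventtech.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    # Broken setup: the provider was never added, so its mail hard-fails
    "old-myevent.com": "v=spf1 ip4:203.0.113.10 -all",
    # Misconfiguration that exhausts the DNS lookup limit
    "loop.example": "v=spf1 include:loop.example -all",
}

MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms per evaluation

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for domain, or None if there is none."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_host(ip, domain, _lookups=None):
    """Evaluate SPF for sender address `ip` claiming MAIL FROM `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; other mechanisms
    (a, mx, exists, redirect=) yield permerror so the gap is visible.
    """
    if _lookups is None:
        _lookups = [0]                  # counter shared across include: recursion
    addr = ipaddress.ip_address(ip)
    record = lookup_spf(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed address or prefix
            matched = addr in net       # False when address families differ
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"      # too many DNS-querying mechanisms
            sub = check_host(ip, arg, _lookups)
            if sub in ("permerror", "none"):
                return "permerror"      # RFC 7208 5.2: included record unusable
            matched = sub == "pass"
        else:
            return "permerror"          # mechanism not implemented here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # nothing matched and no 'all' term


def provider_authorised(from_domain, provider_domain):
    """True if from_domain's SPF record names provider_domain in an include:."""
    record = lookup_spf(from_domain) or ""
    wanted = "include:" + provider_domain.lower()
    return any(t.lstrip("+-~?").lower() == wanted for t in record.split()[1:])


if __name__ == "__main__":
    for ip, dom in [("198.51.100.25", "myevent.com"),
                    ("198.51.100.25", "old-myevent.com"),
                    ("198.51.100.25", "loop.example")]:
        print(f"{ip} sending as {dom}: {check_host(ip, dom)}")
```

The `-all` at the end of each record is what turns a missing `include:` into a hard `fail`; a record ending in `~all` would instead produce `softfail`, which most receivers treat as a spam-score input rather than an outright rejection.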

Whitelisting

It is possible to stop emails being rejected by your delegates’ servers by adding your mail server to a ‘whitelist’ on their servers.  This can help if you are targeting individuals from one particular organisation (internal employees) or those delegates using public mailbox providers, such as Gmail or Yahoo Mail.  The process, however, does require making changes to email servers that are normally outside your control.  It also stops working if the address of your sending server ever changes.

Do You Have a Good Sender Reputation?

The delivery rate of the email marketing campaigns you run around your events relies heavily on your sender reputation. Internet Service Providers (ISPs) consider sender reputation the most important factor in determining whether or not to block certain emails. It’s something you need to keep a constant eye on, as it can fluctuate from one email campaign to another. Make sure you have a double opt-in strategy to ensure your delegate list is healthy and engaged, with clear unsubscribe links, which will dramatically reduce spam complaints. There are websites that can help you measure and monitor your sender reputation, like Sender Score and SenderBase3.

Avoid Purchased and Rented Delegate Lists

As tempting as it is to grow the potential delegate list for your event, purchased lists are not best practice when it comes to sender reputation. More often than not, they are riddled with dead emails and spam traps, which can lead mailbox providers to conclude that you break the rules by sending unsolicited emails. Your emails will end up in junk folders or you may be branded as a spammer.

Sending to a list that hasn’t given you permission can also impact your ability to market your event, potentially damage your brand and even have legal implications. Instead, allow your delegate list to grow organically. Give delegates the option to sign up to your list when they register for an event – this way, you can ensure that they get all email communications from your organisation for all your events.

Don’t Forget: Content is King

Spam filters look into your email content. An email containing only a clickable link that takes your delegate to the event registration page, for example, is likely to be marked as spam.  Adding some descriptive text to your email will help to avoid this.  Make sure you have informative content about your event and try to limit the use of what these filters consider as risky words, such as ‘free’, ‘buy’, ‘order’, ‘purchase’ and ‘promo’.  Also, do not capitalise your ‘from’ address or subject line and generally avoid using capitalisation and exclamation marks in the body of your email message, as these will all have a negative impact on your spam score.

Read: Top Subject Lines For Your Event Email Campaigns

Balance your image-to-text ratio – Mail Chimp recommends a ratio of 80% text to 20% images. Emails with lots of images or large images and not much text will get a high spam score. Avoid linking to images that are held on another server, as you’re better off uploading pictures into the email itself. If you do link to images, make sure they are hosted only at credible services, as images served from untrusted hosts will also have a negative impact on your spam score.

Check Your ‘From’ Details

Your delegates’ mail servers check more than your domain and content, with some putting particular attention to your ‘From’ address.  Try and avoid frequent changes to your ‘from’ address as this will impact your spam score.  When sending invitation emails for your events, ask your delegates to add your ‘From’ address to their address books. This way you can avoid all future email communications with that delegate from ending up in the spam folder.

Lastly, try and avoid using vague field names in your address, such as ‘noreply@myevents.com’. Instead, use clear, trustworthy names such as ‘registrations@myevents.com’ or ‘contact@myevents.com’.  Stick to a limited number of these names and build a good reputation for these addresses by sending engaging emails and you will notice a difference.

Test Your Email ‘Spamminess’

Brandon Checketts has a tool which can be used to test the ‘spamminess’ of your email content and the configuration of your account. You can try this for yourself here.

Written by Lynda Browne, Client Loyalty Manager, Eventsforce


If you would like to learn more about what Eventsforce has to offer, take a look at a few other blog posts listed below or get in contact with our friendly team.

Call us on 0207 785 6997 or get in touch here.

1 2016 Email Marketing Insights Study (Email on Acid – Nov 2015)
2 Statista: Global email spam rate from 2012 to 2015
3 Marketing Land: Email Deliverability issues?

5 Easy Ways of Securing Your Event Data

Data security is increasingly becoming top of mind and making headlines as it continues to impact businesses around the world. Just about every week, there is a fairly major cyber-security event that gets talked about in public – and there are many more that don’t get talked about. It is a major problem for any organisation that has valuable information to protect (which means most companies these days) – especially for those involved in the world of events.

We have talked a lot about the issue in the last couple of months, addressing things like the kind of data security questions you should be asking your event management solution provider and some of the considerations you need to take when dealing with delegate card payments.  Most event planners will also be following their own organisation’s security policies when it comes to storing and sharing event data – from communication procedures to firewalls, encryption and anti-virus software.

However, while IT focuses on outside threats, there is also an element of risk lurking from within. Over 40% of data loss1 is the direct result of internal threats, which come about from staff mishandling data – whether intentionally or unintentionally. In fact, our event data security study exposed a number of important vulnerability areas – like staff password hygiene, email communications and data storage – that event planners should be paying greater attention to in order to prevent data from getting into the wrong hands.

Have a look at the following best practice guidelines that can greatly improve security around your event and delegate data:

Don’t Put Anything in Email That You Wouldn’t Put on a Postcard

Email communication is one area of vulnerability. Our study found that 65% of respondents emailed their event data (attendance reports, registration lists, invoice reports) to third parties or other departments within their organisation after downloading the information from the event management systems. Another 36% admitted to having emailed their API key – a form of authentication that allows third party systems like event apps to access data saved in your event management systems.

The truth is that it is difficult and cumbersome to encrypt data in emails from end to end – so you should always think about what you are sharing on email.  Check before sending that you have the right recipients and encrypt data within if necessary. If you don’t need to email it, don’t.  For example, when confirming registration details with your delegates, don’t include all their details within the body of the email but instead, include a personalised link that will lead them directly to their registration page on your event website. Equally, never email your event system API key(s) to ANYONE as this could expose your data to anyone who has access to this key.  If you need to share it, do so over the phone.

Be Smart About Your Passwords

More than 500 million records of login names, passwords and other ID information went astray in the last 12 months, according to a report this week by security firm Symantec2. It sounds pretty obvious, but you would be surprised by the number of people that ignore the importance of passwords. Our survey found that over 80% of event planners don’t change their event management system passwords as often as they should (less than once a year). Another 33% claim to have shared their passwords with other people. This greatly increases the risk of breach and makes it difficult to accurately identify who has access to the system at any given point in time.

Using strong passwords, NOT sharing them and changing them once every three months can greatly improve security around your event data.   The problem is that the human brain can only remember so many passwords, not to mention we’re actually really bad at picking good ones. So, too often we just reuse passwords across multiple sites. This is an issue because so many of us use the same password for our work and personal accounts like Facebook, Google and online banking.  Be creative: think of a special phrase and use the first letter of each word as your password. Substitute numbers for words or letters. For example, “I want to see the Eiffel Tower” could become 1W2CtEt.

Another solution is to use a password manager, a software tool for computers and mobile devices, which will pick random, long passwords for each site you visit, and synchronise them across your many devices. Two popular password managers are 1Password and LastPass.  You can also use a Single Sign-On (SSO) system, which allows you to control access to your event management software using your authentication servers (e.g. Microsoft Active Directory) – so passwords are never submitted to your event system and access can be controlled centrally by your organisation. If someone from your team leaves their job, then their access to all systems can be cut off from one place.

Share Only What is Necessary

The study also revealed that an overwhelming 89% of event planners downloaded the data in their event management systems to external spreadsheets, with a further 81% sharing it with colleagues and other departments by printing or email.  As well as following your organisation’s policies on how to securely share and dispose of data, you can also reduce security risks by integrating your event management system with some of your other back end systems like finance, CRM and marketing.  The integration will allow for automatic updates on both systems whenever you need to make any changes, eliminating the need to download, print or email event data to other departments within your organisation.

For example, integration with your company’s finance system will allow you to automatically update delegate payment details into your finance system and vice versa, without the need for printing and emailing reports and manually transferring them from one system to another. Event invoices, credit notes and received payments can all be generated and sent from either system. This saves time and, more importantly, vastly reduces the security risks associated with email communications and having printed documents lying around.

Know Your Personal Vs. ‘Sensitive’ Personal Delegate Data

Our study found that there was some confusion differentiating personal and ‘sensitive’ delegate data. Personal information can include things like names, addresses and phone numbers. However, sensitive data is any information relating to the delegate’s racial origin, political opinion, religious beliefs or mental and physical well-being. The survey found that 40% of event planners didn’t think race and religion were considered sensitive, and only 26% considered dietary requirements (which may indicate religious inclinations) sensitive.

Why is this important? EU Data Protection regulations require extra security measures when dealing with ‘sensitive’ delegate data – as this information could be used in a discriminatory way and is likely to be of a private nature.  Most registration forms will have a question asking delegates if they have any additional requirements.  This may include things like dietary requirements or the need for wheelchair assistance. Storing this ‘sensitive’ data means you must comply with the Data Protection Act from the moment you obtain the data until the time when the data has been deleted, overwritten or securely destroyed (e.g. shredding, incineration or pulping).

Don’t Forget About ‘Offline’ Security

As a general rule, try not to store any of your event data in any physical form (print or external hard drives, USB drives etc.), as this greatly increases the chance of it getting into the wrong hands. If you do, invest in secure cabinets, fit locking doors and ensure you have the proper mechanisms in place to dispose of this data if you need to. At your events, don’t leave your registration lists, laptops and smart phones unattended, and ensure that event data on your screens is not visible to unauthorised users. Be cautious when discussing details over the phone and avoid discussing sensitive information in public areas where you can be overheard.

Lastly, make sure your employees understand how important your event data is and all the measures they can take to protect it. Encourage security awareness among your staff, training them not to leave sensitive material lying around and to operate a clear desk policy – both at the office and at your events. The ultimate goal is for everyone, at every level, to believe that data security is critical, to understand the policies and procedures for achieving a secure environment and to ensure these are followed every day.

Written by Steve Baxter, CTO of Eventsforce

1 Information Week: Insider Threats: 10 Ways to Protect Your Data

2 BBC News: Security snapshot reveals massive personal data loss

Why Your Events Could Benefit from Multilingual Websites

Choosing which event to attend is no longer restricted by borders and time zones, as delegates are increasingly happy to travel further afield for the right event. They are spurred not only by the abundance of cheap flights and budget accommodation, but by a real desire to learn about the latest innovations, best practice guidelines and the opportunity to network and share ideas with colleagues and peers from across the world.

But are we doing enough to reach delegates beyond our country’s borders? A study by the European Commission in 2011 revealed that 90% of Internet users in the EU said that, when given a choice of languages, they always visited a website in their own language. A similar survey by the Common Sense Advisory in the US also found that 72% of consumers were more likely to buy a product or service online if the information provided was in their native language1. With this in mind, and the fact that most people now research events online, doesn’t it make sense for your events to have multilingual websites?

Why Multilingual Websites Can Boost Your Events

Multilingual sites today present one of the most cost-effective ways of marketing your events, attracting new delegates, building relationships with them and giving your organisation an international outlook:

  • Shows You Care – It doesn’t take much effort to create a multilingual website (more below) but that extra effort shows your delegates that you care about them and are considerate of their needs, which makes them more likely to book onto your event. We all know that personalisation is important to our delegates and what could be more personal than talking to them in their own language?
  • Builds Trust with Your Delegates – Trust is an important part of doing business. Trust in an event and the event organiser is even more important if a delegate is travelling from abroad. Communicating with these delegates in their native language helps them feel secure, understand what they are buying and who they are buying from.
  • Helps You Stay Ahead of Your Competitors – Make no mistake, your event has competition. Whether it’s from other events, alternative ways of spending budgets or time constraints, your delegate needs to make difficult choices. If they only go to a few events a year, you need to make yours stand out. Offering a multilingual website will give your event a competitive edge by demonstrating to delegates that your organization thinks, works and deals internationally.
  • Improves Search Engine Optimisation – Search engines lead people to your site. While it’s tempting to view Google as the only search engine that matters, in reality this isn’t the case: in many countries, such as France, Japan and China, Google is not the default search engine. Baidu is popular in China, Acara in Japan and Voila in France. Such search engines are key to tapping those markets, and unless they can index your content in the relevant language through your multilingual event website, your event will not be found. In addition, search engines like Google are developing the capacity to run searches in foreign languages. Having your website available in those languages helps to ensure it will be picked up in searches.

But the Internet is in English

If you assume your delegates speak your language well enough to skip the translation step, you’re wrong. Today only 35% of the Internet’s content is in English, and this number continues to diminish. Russian, Spanish and Portuguese, for example, are continuing to trend upward with no sign of slowing down.  If you are targeting delegates who speak these languages, it is worth considering translating your content to better reach and connect with them. And while other languages like German, French and Japanese are trending down, they still represent such a large portion of the online community that it is worth thinking through your targeting approach to those markets as well1.

It’s a Lot Simpler Than You Think

Having the ability to communicate to a whole new international audience in their own language will undoubtedly bring results not only in a financial sense but also in terms of marketing and creating awareness of your event. And luckily, creating these multilingual event websites isn’t a complicated process if you consider the following basic requirements:

Make Sure Your Event Technology Supports It – Most event management or registration software these days offer a multilingual module, which allows important pages on your event website including those for registration and agendas to be displayed in several popular world languages of your choice.  By providing tools that allow you to automatically translate things like website headings, button texts, warning messages and email communication, the software helps you copy templates from one language to another in no time. Organisations like the British Council do this with their in-country events and the system has proved to be very successful.

Make Sure You Have the Necessary Staff Resources – If it’s a simple event website with a registration form that collects basic delegate information (name, country and contact details), then having staff that can speak the language isn’t entirely necessary as you can manage most of it through an online translation service like Google Translate. In most cases, however, you will need to have someone on your team who has a working knowledge of the language to oversee all translation requirements and more importantly, manage all delegate communication – from sending registration confirmation emails, making changes to agendas and managing requests.

If you don’t have the staff resources, then there are other affordable options. You can hire a freelance translator through services like Upwork and Fiverr, which offer hundreds of talented and reliable people to work with. Alternatively, you can also use an online translation service like Unbabel, which combines artificial intelligence with crowdsourced human translation to deliver fast and high quality services to companies that want to reach international markets.

Written by Lynda Browne, Client Loyalty Manager, Eventsforce

1 Unbabel: Top Languages of the Internet, Today and Tomorrow

Top 8 Security Questions to Ask Your Event Technology Provider

Many of you have read the scandalous stories we saw in the headlines last year regarding major security breaches at companies like TalkTalk and the Ashley Madison dating site. Cyber hackers raised their game, with millions of people having had their private data stolen and national governments scrambling to combat the growing threat of cyber-attacks. Now imagine your organisation’s systems got hacked and exposed the personal details of the hundreds (or thousands) of delegates attending your events each year. Doesn’t really bear thinking about, does it?

Events deal with highly sensitive customer information, including names, emails, telephone numbers, employment information, disabilities and other confidential details. The wealth of information we collect from our delegates is a gold mine for hackers.  Safeguarding this data is critical and more and more organisations are starting to see the importance of this issue. Our new data security survey found that 80% of event planners marked data security as a top priority for 2016.  Surprisingly, however, only 40% of them felt they had the adequate security policies in place across their organisations.   In fact, according to MPI members at last month’s MPI European Meetings & Events Conference, event planners were said to be lacking awareness on the topic of cyber security despite the global terrorism threat1.

So how do we address this issue of event technology security?

Most event planners these days deal with some form of event registration technology that helps them manage all their event and delegate data.  The software captures, manages and stores a lot of the sensitive data we mentioned earlier – so it makes sense to start there. Have a look at the data security policies of your event tech provider.  Are you confident they have the right processes in place to safeguard your data? Are they doing everything they can to minimise the risk of breach?

Here are the top 8 data security questions you should be asking your event tech provider today:

How is My Event Data Protected?

Maximum protection of your event data should probably be your event technology provider’s top priority. You want to ensure that your event data is fully secure and protected by a comprehensive recovery system. The first step in achieving this is the use of strong industry-standard encryption, like HTTPS and AES, which helps protect your data from prying eyes and can provide you with assurance that it hasn’t been modified in any way. Find out how your data is encrypted both at rest (when stored in servers) and in transit (when accessing data from your event management system over an Internet network).

What Data Security and Safeguarding Policies Do You Have in Place?

Find out where your database is stored, how it is stored and how often they back it up – the more often, the better, so that no changes are lost from your database if restoration is required. In the case of a breach of their own servers, find out what response plans they have in place to protect your data. Find out what security policies they have in place within their organisation – how do they protect their own data and how do they meet regulatory and legislative requirements? Who has access to client data, how do they handle authorisation and what happens when someone leaves? How do they share client information (email/phone) and where do they store this information?

How Can I Ensure Secure Access to my Event Management System?

All major event management systems manage access via username and password authentication.  However, you can also manage access using an external authentication service, which can restrict access for certain individuals to particular functions (e.g. abstract reviews) or particular events. Find out if your event tech provider can integrate your event management solution with a Single Sign-On (SSO) system. This will allow you to sign in using your company’s existing corporate authentication infrastructure – so passwords are never submitted to your event system and access can be controlled centrally by your organisation. If someone from your team leaves their job, then their access to all systems can be cut off from one place.

SSO improves security by giving you the choice to restrict event websites and registration to internal personnel or selected individuals or groups, effectively making them private. Only people chosen to view the event website or register for the event will be able to do so and invitations cannot be shared – useful if you have an internal awards event going on involving confidential company information.

Where is my Event Data Stored?

As mentioned above, this is something that should be outlined in the security policy of your event technology provider. It is worth noting, however, that if your event management software provider is storing your data in US-based datacentres and you deal with delegates from the EU, then you need to ensure that they comply with the newly announced Privacy Shield agreement. This replaces the old Safe Harbor agreement, which allowed US companies to legally transfer European citizens’ data to America, provided the location it was being sent to had the security and privacy conditions that met EU standards.

Read more: New EU/US Data Sharing Deal: What Event Planners Need to Know

If you are using a web-based system, find out the physical location of their cloud servers and whether or not they adhere to EU Data Protection regulations. Find out who has access to these servers and what kind of security procedures they have in place.

Do You Own My Data?

This is an important question, as some event management technology companies have a legal right to use your data for their own marketing purposes, which means it’s highly likely that they store this data somewhere other than your company’s database on their client servers. This increases the chance of breach, so again, you need to find out what data protection policies they have within their own organisation, how they manage access to this data, what they use it for and how long they keep it.

Are You PCI-DSS Compliant?

Our survey revealed that almost 50% of event planners who took payment from their delegates didn’t know if they were PCI-DSS compliant, and a further 73% were unaware of the fines for non-compliance (ranging anywhere from $5,000 to $100,000). If your events are set up to accept payments from delegates via credit or debit cards, then your organisation is obligated to achieve and maintain compliance with the PCI Data Security Standard (more info here). One way of simplifying compliance is to outsource the process to one of the many PCI-DSS-certified payment gateways that meet the required standards, such as Stripe, PayPal, Sage Pay and Worldpay, among others. However, make sure you understand from your event tech provider how these payment gateways interface with your event management/registration system. If your event website integrates with these gateways via an API, then you are still liable for PCI compliance, since your servers capture and transmit the credit/debit card data first. Equally, if your event management system uses its own payment gateway or processes payments on your behalf, make sure that their systems have the correct level of compliance and that they are not permanently storing your delegate payment card data on their servers.

Read more: Top 5 Things to Think About When Dealing with APIs

What Security Precautions Do I Need to Take?

If your event management system is integrated with other third party systems (CRM, event apps, finance packages), your event management software provider may have issued you with an API key for any integrations.  Often used instead of usernames and passwords, the key allows your event app and other third party applications access to your event data, and vice-versa. Remember that anyone who has access to this key has access to your data – so you need to make sure it doesn’t get into the wrong hands.  You can minimise the risk of breach by asking your event tech provider to issue different API keys for different functions – for example, use one key to connect your system to the delegate section of your event app and another to connect it to the exhibitor section of your event app. Also, if you’re integrating with more than one system, ask for separate API keys for each integration (event app, CRM etc).  This way, if one of your API keys gets lost or exposed, you can revoke the key (which disables the integration) and set up a new one.  If you have one API key for all your integrations, then a data breach would lead to far more serious consequences for you and your organisation.

How Long Do You Keep My Data For?

In our survey, 54% of event planners said they use their event management systems as a permanent storage space for all their event data.  If you’re happy with your event tech provider’s data security policies, then keeping your data in the system after your event is complete is a reasonable option, especially if you don’t have adequate procedures to safeguard this data within your own organisation. Find out how long they keep this data on their servers, whether it is copied to other locations or servers (including backups), and whether or not they delete it after a defined period of time. Whatever you decide, keep only the data you still have a reason to hold: data that no longer exists cannot be breached.

Conclusion

There is no such thing as 100% security when it comes to safeguarding your data.  However, following best practices and taking the precautions outlined above can help you understand the risks involved and minimise the chances of a data breach.

To learn more about event technology security and how Eventsforce’s systems keep your data safe, read the related posts below or get in contact.

Written by Steve Baxter, CTO of Eventsforce

1 C&IT: Event Planners Don’t Understand Real Threat of Cyber Hacking

 

Delegate Card Payments & Security Compliance: Questions Answered

Enter registration details, make your payment and click submit.  It’s the kind of information most event websites ask for. But when your delegate makes a payment, how do we make sure their card details are kept safe? If your organisation is involved in storing, processing or transmitting any delegate cardholder data, manually or electronically, you need to comply with the Payment Card Industry Data Security Standard (PCI DSS).  And that means meeting tough standards that maximise your delegates’ payment card security, or facing the prospect of fines.

Unfortunately, many organisations don’t bother thinking about PCI compliance until they are due to be audited, which at best, leaves them playing catch-up or at worst, means they fail because they haven’t met the requirements. A recent report by Verizon – which assessed more than 5,000 organisations across 30 countries – found that nearly 80% of all businesses failed their interim PCI compliance assessment. More importantly, lack of compliance was linked to data breaches: Of all the data breaches studied, not a single company was found to be fully PCI DSS-compliant at the time of breach. The study also found 69% of all consumers were less inclined to do business with a breached organisation1. So the stakes of non-compliance are pretty high.

Last month, Eventsforce conducted its own survey with senior event planners in the UK and the US to assess their understanding of delegate payments and PCI-DSS requirements. The results were quite surprising.  Nearly half of those surveyed didn’t know if they were PCI DSS compliant, with 84% not being able to identify compliance requirements and a further 73% unaware of the fines for non-compliance.

So what exactly is PCI-DSS and what do event planners need to know about it? Below are six of the most common questions we come across when discussing issues around delegate payments and data security.

What is PCI-DSS compliance?

If your events are set up to accept payments from delegates via credit or debit cards, then your organisation is obliged to achieve and maintain compliance with the PCI Data Security Standard.  PCI DSS is an information security standard for any organisation handling card transactions from the major card schemes, including Visa, MasterCard, American Express, Discover and JCB.  The standard was created to increase controls around cardholder data and so reduce card fraud. Compliance has three basic stages: assessing your IT systems for vulnerabilities; remediating weaknesses and deleting unnecessarily stored data; and reporting compliance to your bank and the card companies. The standard itself sets out 12 requirements, grouped under six goals, covering network security, protection of stored cardholder data, vulnerability management, access control, monitoring and testing, and security policy.

In the case of events, compliance would mean ensuring that no delegate payment card data is stored unless it is necessary to meet the needs of your event or business. This applies to all types of transactions, electronic (card payments through the event website) or manual (card payments over the phone or on-site). If it is absolutely necessary for you to store this information, then you need to know what you can and can’t do. Sensitive authentication data, such as the full contents of the magnetic stripe or chip, the card validation code and PINs, may never be stored after authorisation. Other information such as the card number (PAN), expiry date, service code and cardholder name may be stored, but the PAN must be rendered unreadable (strong encryption, truncation or one-way hashing) and the rest must still be protected (more on this further down).

Isn’t This the Responsibility for My IT/Legal/Finance Department?

Setting policies and procedures around compliance usually is the responsibility of these departments, but adherence to those policies is a shared responsibility across any department dealing with delegate card payments, including the events team. In the case of fraudulent activity involving the payment card of one of your delegates, the card schemes and your acquiring bank can trace the compromise back to your organisation and hold you responsible. There are considerable fines associated with non-compliance following a data compromise; these can range from tens to hundreds of thousands of pounds, on top of the cost of the forensic investigation, card reissue and follow-up audits that usually come with a breach. Organisations have stopped trading because these costs could not be absorbed.

Do I Have to be PCI-DSS Compliant?

PCI-DSS compliance does not just apply to the storage of payment card data but also to the handling of data while it is processed or transmitted over networks or phone lines. While not storing credit card data does eliminate some compliance requirements, the majority of the controls dictated by the DSS remain in effect.

One way of simplifying compliance is to outsource card handling to one of the many payment gateways validated against PCI DSS, such as Stripe, PayPal, Sage Pay and Worldpay, among others. With a hosted payment page, redirect or gateway-supplied form, delegates interact with the gateway directly so that card information never hits your own servers. However, make sure you understand how these payment gateways interface with your event management/registration systems. If your event website collects the card details itself and passes them to the gateway through a server-side API, then you are still liable for PCI compliance, since your servers capture and transmit the credit/debit card data first. Even with a gateway form embedded in your page, the page itself still needs protecting: if an attacker can change the scripts it loads, they can copy card details before they ever reach the gateway.

Read more: Top 5 Things to Think About When Dealing with APIs

Do I Still Need to Consider it if my Payment Gateway is Compliant?

Yes, if you take delegate/attendee payments offline or over the phone. In our event data security survey, 49% of event planners said they take credit/debit card details from their attendees over the phone. A compliant gateway does not cover this unless the details are keyed straight into the gateway (for example its virtual terminal) and recorded nowhere else. Even then, are the card details written down somewhere first?  If so, do you dispose of the paper?  How is it disposed of and when?  Do you email these details to anyone? Do call recordings capture them? These are all questions you and everyone else on your team need to be aware of at all times. So make sure you have the correct policies in place and that your staff are trained to follow the procedures that keep you compliant.

What if I do Need to Store Card Details for Some of my Events?

Our survey found that 11% of event planners ask their attendees to fill in card details within registration forms as a form of deposit on possible extras like transport, hotel rooms, dinners, and so on. Some payment gateways, such as Stripe, can capture the card once and hand you back a token to charge later, so the card number itself never reaches your servers; this greatly reduces your PCI DSS scope, although it does not remove the obligation altogether.  If card numbers (PAN) do end up stored, PCI DSS requires them to be unreadable anywhere they are stored, and when displayed at most the first six and last four digits may be shown.  A card number typed into a registration form, by contrast, lands in your registration database, exports, backups and confirmation emails, all of which then fall into scope. So, as a general rule, it is not advisable to use registration forms to capture card details: it does increase the risk of a breach.

What Are the Main Data Security Guidelines for PCI-DSS Compliance?

If you do have a legitimate business reason to store your delegates’ payment card data, it is important to understand which data elements PCI DSS allows you to store and what measures you must take to protect that data. Below are some basic do’s and don’ts for data storage security:

Data Do’s:

  • DO understand where delegate card data flows for the entire payment transaction process, from initial registration until the completion of the event (and after it, in refunds, exports and backups).
  • DO verify that your payment applications (including third-party services like PayPal) are PCI DSS compliant. Have clear access and password protection policies and remember, it is your responsibility to see that compliance is not just met but continuously maintained. Attackers and their tools do not stand still, which is why compliance efforts should be a continuous process.
  • DO retain cardholder data only if authorised, and ensure it is protected.
  • DO use strong cryptography to render unreadable any cardholder data that you store, and use other security controls to reduce your exposure to attackers.

Data Don’ts

  • DO NOT store cardholder data unless it’s absolutely necessary; delete all data as soon as you know that you no longer need it. Never print or email this information.
  • DO NOT store the card validation code (the 3-digit code on the back of the card, or the 4-digit code on the front of American Express cards) on paper or in any digital format, not even encrypted.
  • DO NOT store any payment card data on unprotected devices such as PCs, laptops or smartphones, or in spreadsheets, chat messages and shared drives.
  • DO NOT permit any unauthorised people to access stored cardholder data.
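As an added example for two of the points above (the first-six/last-four truncation rule for card numbers that end up in registration data, and the "do not store" items for card numbers and the validation code), here is a scrubber a registration system could run over free-text fields before persisting them or writing logs. It is not Eventsforce code or an official PCI tool; the field names and the sample record are constructed, and the Luhn check is used to tell card numbers apart from booking references and phone numbers.

```python
"""Find card numbers (PANs) in registration data and truncate them.

Added example, not Eventsforce code or an official PCI SSC tool. It scans the
free-text values a registration form, support note or export might contain,
confirms each digit run with the Luhn check, and replaces confirmed PANs with
the first-six/last-four form that PCI DSS permits for display. Field names
("cvv", "notes") and the sample records are constructed for the example.
"""
from __future__ import annotations

import re

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names whose content may never be stored after authorisation (card validation code).
_FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out booking references and phone numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; everything between is masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_text(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in text with its truncated form; return (text, count)."""
    count = 0

    def replace(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)        # not a card number: leave it alone
        count += 1
        return truncate_pan(digits)

    return _CANDIDATE.sub(replace, text), count


def scrub_record(record: dict) -> tuple[dict, int]:
    """Scrub every string field of a registration record and drop forbidden fields outright.

    Returns the cleaned copy and the number of fields changed or removed.
    """
    cleaned: dict = {}
    actions = 0
    for field, value in record.items():
        if field.lower() in _FORBIDDEN_FIELDS:
            actions += 1                 # never persisted, not even masked
            continue
        if isinstance(value, str):
            value, n = scrub_text(value)
            actions += 1 if n else 0
        cleaned[field] = value
    return cleaned, actions


if __name__ == "__main__":
    # Constructed sample: a delegate typed a card number into a free-text field.
    sample = {
        "name": "A. Delegate",
        "notes": "please charge 4111 1111 1111 1111 for the dinner, booking ref 1234567890123456",
        "cvv": "123",
        "phone": "0207 785 6997",
    }
    print(scrub_record(sample))
```

Where you genuinely need to charge a delegate later, a token from the gateway kept in place of the card number is the better answer; the scrubber is a backstop for the card numbers delegates type where you did not expect them (notes fields, email bodies, support tickets), which are in scope for PCI DSS the moment they are stored.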

Summary

Understanding and implementing all the requirements of PCI-DSS can seem daunting, especially for those without security or large IT departments.  However, PCI DSS mostly calls for good, basic security.  Even if you don’t have to be PCI-DSS compliant, the best practices we mentioned above are steps that any organisation running events would want to take anyway to protect sensitive delegate data.


For further advice and guidance on event card payment security, please contact our friendly team on 0207 785 6997 or fill in our enquiry form here.

1 80 Percent of Businesses Fail Interim PCI Compliance Assessment

INFOGRAPHIC: How Safe Is Your Event Data?

There have been a number of high-profile data breaches over the last year and though there have been no major incidents involving the events industry, it is definitely something we need to prepare ourselves for.  Events deal with highly sensitive customer information, including names, emails, telephone numbers, employment information, disabilities and so on.  Ensuring this data is kept in a safe place is critical not just for delegates, but for any organisation storing this information.

Last month, we conducted a survey with event planners in the UK and the US to highlight some important trends around this issue.  The results have been very insightful.

The study, which was conducted across 50 organisations in the UK and the US, revealed that 80% of event planners marked data security as a top priority for 2016 yet only 40% felt they had the adequate security policies in place across their organisations.

The survey exposes key areas, like password hygiene, delegate payments and regulatory compliance, where event planners need to pay greater attention in order to prevent data from getting into the wrong hands. For example, the survey found that 81% of event planners do not change the passwords to their event management systems as often as they should (less than once a year) and a further 33% claim to have shared their passwords with other people.  This increases the risk of a breach and makes it difficult to accurately identify who has access to the system at any given point in time.

For a more comprehensive look at these insights and some of the other findings from the Eventsforce ‘How Safe Is Your Event Data’ survey, please download the infographic below:


 

60-Seconds with Allianz Insurance

Charley Jennings is the corporate events officer at Allianz Insurance.  Based in their London offices, she works with a team of six people who are in charge of organising a variety of events, from large conferences, dinners, awards ceremonies and team building days, which can gather anywhere between 10 and 600 people at a time.

EventTech Talk had a quick chat with her to find out a little about her venues and restaurants and her biggest event nightmare.

How long have you been working in events?

Around three years in total.  I started at Allianz as a placement student, returned to university to finish my degree and applied for a job when I finished.

Where is your favourite venue for events?

The Shangri-La Hotel at The Shard in London is great for meetings and One Great George Street in Westminster for awards ceremonies.

What is your favourite restaurant?

The Hutong Chinese restaurant at The Shard and SUSHISAMBA for Japanese-Brazilian-Peruvian sushi.

What would you say is your biggest challenge when planning an event?

Time – there doesn’t seem to be enough of it in the day!

What has been your biggest event nightmare? 

We held a large awards ceremony last year and there was a political protest outside the venue the night before the event. We had no idea what time the protest would finish, and if we were going to be allowed near the venue.  After a very long day, we managed to get everything ready and get to the venue before it started!

Mobile app you couldn’t live or work without?

WhatsApp Messenger.

New technology you’re looking forward to using one day?

To be able to use holograms at our conferences would be very exciting.

What has been the best piece of professional advice someone’s given you?

There is no such thing as being too organised!

Lastly, if you could have one superpower, what would it be?

To be able to freeze time!