Tag: media & publishers

Delegate Card Payments & Security Compliance: Questions Answered

Enter registration details, make your payment and click submit. It’s the kind of information most event websites ask for. But when your delegate makes a payment, how do we make sure their card details are kept safe? If your organisation is involved in storing, processing or transmitting any delegate cardholder data – manually or electronically – you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). And that means meeting tough standards that maximise your delegates’ payment card security – or facing the prospect of fines.

Unfortunately, many organisations don’t bother thinking about PCI compliance until they are due to be audited, which, at best, leaves them playing catch-up or, at worst, means they fail because they haven’t met the requirements. A recent report by Verizon – which assessed more than 5,000 organisations across 30 countries – found that nearly 80% of all businesses failed their interim PCI compliance assessment. More importantly, lack of compliance was linked to data breaches: of all the data breaches studied, not a single company was found to be fully PCI DSS-compliant at the time of the breach. The study also found that 69% of all consumers were less inclined to do business with a breached organisation [1]. So the stakes of non-compliance are pretty high.

Last month, Eventsforce conducted its own survey of senior event planners in the UK and the US to assess their understanding of delegate payments and PCI DSS requirements. The results were quite surprising. Nearly half of those surveyed didn’t know whether they were PCI DSS compliant, 84% were unable to identify the compliance requirements and a further 73% were unaware of the fines for non-compliance.

So what exactly is PCI DSS and what do event planners need to know about it? Below are six of the most common questions we come across when discussing delegate payments and data security.

What Is PCI DSS Compliance?

If your events are set up to accept payments from delegates via credit or debit cards, then your organisation is obligated to achieve and maintain compliance with the PCI Data Security Standard. PCI DSS is an information security standard for any organisation handling credit card transactions from the major card schemes, including Visa, MasterCard, American Express, Discover and JCB. The standard was created to increase controls around cardholder data in order to reduce credit card fraud. It has three basic components: analysing IT systems for vulnerabilities; patching weaknesses and deleting unnecessarily stored data; and submitting compliance records to banks and card companies (a detailed description of all 12 requirements can be found here).

In the case of events, compliance means ensuring that no delegate payment card data is stored unless it is necessary to meet the needs of your event or business. This applies to all types of transactions – electronic (card payments through the event website) or manual (card payments over the phone or on-site). If it is absolutely necessary for you to store this information, then you need to know what you can and can’t do. Sensitive data from the magnetic stripe or chip, for example, may never be stored, but other information such as card numbers (PAN), expiration dates, service codes or cardholder names may be stored if the correct encryption procedures are in place to keep the data safe (more on this further down).

Isn’t This the Responsibility of My IT/Legal/Finance Department?

Setting policies and procedures around compliance is usually the responsibility of these departments, but adherence to these policies is a shared responsibility across any department dealing with delegate card payments – including the events team. In the case of any fraudulent activity involving the payment card of one of your delegates, a bank can easily trace it back to a PCI-related breach at your organisation and hold you responsible. There are considerable fines associated with non-compliance following a data compromise; these can range from ten thousand to hundreds of thousands of pounds. Many non-compliant organisations have stopped trading because the fines could not be accommodated.

Do I Have to Be PCI DSS Compliant?

PCI DSS compliance does not just apply to the storage of payment card data but also to the handling of data while it is processed or transmitted over networks or phone lines. While not storing credit card data does eliminate some compliance requirements, the majority of the controls dictated by the DSS remain in effect.

One way of simplifying compliance is to outsource the process to one of the many PCI DSS-certified payment gateways that meet the required standards, such as Stripe, PayPal, Sage Pay and Worldpay, among others. This makes it possible for delegates to interact with the gateway software directly so that card information never hits your own servers. However, make sure you understand how these payment gateways interface with your event management/registration systems. If your event website integrates with these gateways via an API, then you are still liable for PCI compliance, since your servers capture and transmit the credit/debit card data first.

Read more: Top 5 Things to Think About When Dealing with APIs

Do I Still Need to Consider It if My Payment Gateway Is Compliant?

Yes, if you take delegate/attendee payments offline or over the phone. In our event data security survey, 49% of event planners said they take credit/debit card details from their attendees over the phone. This doesn’t help with PCI compliance unless the information is entered directly into the payment gateway system. Even then, are the card details written down somewhere first? If so, do you dispose of the paper? How and when is the paper disposed of? Do you email these details to anyone? These are all very important questions that you and everyone else on your team need to be aware of at all times. So make sure you have the correct policies in place and that your staff are trained to follow all the procedures necessary to ensure compliance.

What if I Do Need to Store Card Details for Some of My Events?

Our survey found that 11% of event planners ask their attendees to fill in card details within registration forms as a form of deposit on possible extras like transport, hotel rooms, dinners, and so on. Some payment gateways like Stripe have a good way of managing this without making your organisation subject to PCI DSS regulations. At a minimum, PCI DSS requires card numbers (PAN) to be unreadable anywhere they are stored (the first six and last four digits are the maximum number of digits that may be displayed). However, as a general rule, it is not advisable to use registration forms to capture credit card details, as it does increase the risk of a breach.

What Are the Main Data Security Guidelines for PCI DSS Compliance?

If you do have a legitimate business reason to store your delegates’ payment card data, it is important to understand which data elements PCI DSS allows you to store and what measures you must take to protect that data. Below are some basic do’s and don’ts for data storage security:

Data Do’s:

  • DO understand where delegate card data flows for the entire payment transaction process – from initial registration until the completion of the event.
  • DO verify that your payment applications (including third-party applications like PayPal) are PCI DSS compliant. Have clear access and password protection policies and remember, it is your responsibility that compliance is not just met but continuously maintained. Attacks never stop and keep evolving, which is why compliance efforts should be a continuous process.
  • DO retain cardholder data only if authorised, and ensure it is protected.
  • DO use strong cryptography to render the cardholder data that you store unreadable, and use other security technologies to minimise the risk of exploitation by criminals.

Data Don’ts:

  • DO NOT store cardholder data unless it’s absolutely necessary – delete all data as soon as you know that you no longer need it. Never print or email this information.
  • DO NOT store the 3-digit card validation code from the back of the payment card, on paper or in any digital format.
  • DO NOT store any payment card data on unprotected devices such as PCs, laptops or smartphones.
  • DO NOT permit any unauthorised people to access stored cardholder data.
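As an added illustration of the masking rule given above (at most the first six and last four digits displayed) and of the don’ts on validation codes and registration forms, the following Python script scans a registration-form submission for cardholder data before it is stored, masks any card number it finds and drops the validation code. It is not Eventsforce code; the field names, regular expressions and sample values are assumptions made for this example, and the card numbers are well-known public test numbers.

```python
import re

# Constructed sample registration-form submission (made up for this example;
# the card numbers are public test numbers, not real cards).
SAMPLE_FORM = {
    "name": "A. Delegate",
    "email": "delegate@example.com",
    "dietary": "vegetarian",
    "notes": "Deposit for hotel: card 4111 1111 1111 1111 exp 12/26 cvv 123",
    "card_number": "5555555555554444",
    "cvv": "737",
}

# 13-19 digits, optionally separated by spaces or hyphens, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# "cvv 123", "CVC: 4567" and similar written into free-text fields.
CVV_TEXT_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|csc|cid|security code)\s*[:=]?\s*\d{3,4}\b")
# Assumed field names that hold the card validation code, which must never be stored.
CVV_FIELDS = {"cvv", "cvv2", "cvc", "csc", "cid", "security_code"}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out most non-card digit runs (phone numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Render a PAN unreadable: keep at most the first six and last four digits."""
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str) -> str:
    """Mask Luhn-valid PANs and blank out written-out validation codes inside free text."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)  # not a card number; leave untouched
    text = PAN_RE.sub(_mask, text)
    return CVV_TEXT_RE.sub(lambda m: m.group(1) + " ***", text)


def scan_form(form: dict) -> list:
    """Report every field that carries cardholder data, quoting the PAN only in masked form."""
    findings = []
    for field, value in form.items():
        value = str(value)
        if field.lower() in CVV_FIELDS and value.strip():
            findings.append((field, "card validation code stored"))
        for m in PAN_RE.finditer(value):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_valid(digits):
                findings.append((field, "full PAN stored: " + mask_pan(digits)))
        if CVV_TEXT_RE.search(value):
            findings.append((field, "validation code in free text"))
    return findings


def sanitise_form(form: dict) -> dict:
    """Drop validation-code fields entirely and mask PANs in every remaining field."""
    return {k: redact_text(str(v)) for k, v in form.items() if k.lower() not in CVV_FIELDS}


if __name__ == "__main__":
    for field, issue in scan_form(SAMPLE_FORM):
        print(f"{field}: {issue}")
    print(sanitise_form(SAMPLE_FORM))
```

Run the scan on every submission before it reaches a database, export or email; a non-empty result means the form is collecting data that should be going straight to the payment gateway instead.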

Summary

Understanding and implementing all the requirements of PCI DSS can seem daunting, especially for those without security specialists or large IT departments. However, PCI DSS mostly calls for good, basic security. Even if you don’t have to be PCI DSS compliant, the best practices mentioned above are steps that any organisation running events would want to take anyway to protect sensitive delegate data.


For further advice and guidance on event card payment security, please contact our friendly team on 0207 785 6997 or fill in our enquiry form here.

[1] 80 Percent of Businesses Fail Interim PCI Compliance Assessment

INFOGRAPHIC: How Safe Is Your Event Data?

There have been a number of high-profile data breaches over the last year and, though there have been no major incidents involving the events industry, it is definitely something we need to prepare ourselves for. Events deal with highly sensitive customer information, including names, emails, telephone numbers, employment information, disabilities and so on. Ensuring this data is kept in a safe place is critical not just for delegates, but for any organisation storing this information.

Last month, we conducted a survey with event planners in the UK and the US to highlight some important trends around this issue. The results have been very insightful.

The study, which was conducted across 50 organisations in the UK and the US, revealed that 80% of event planners marked data security as a top priority for 2016 yet only 40% felt they had the adequate security policies in place across their organisations.

The survey exposes key areas – like password hygiene, delegate payments and regulatory compliance – to which event planners need to pay greater attention in order to prevent data from getting into the wrong hands. For example, the survey found that 81% of event planners do not change the passwords to their event management systems as often as they should (less than once a year) and a further 33% claim to have shared their passwords with other people. This increases the risk of a breach and makes it difficult to accurately identify who has access to the system at any given point in time.

For a more comprehensive look at these insights and some of the other findings from the Eventsforce ‘How Safe Is Your Event Data’ survey, please download the infographic below:

(Infographic: How Safe Is Your Event Data?)

Infographic: The ROI of Event Data Integration

We have talked a lot about data integration (Why is Data Integration So Important for Your Events) and APIs (Top 5 Things to Think About When Dealing with APIs) over the last few weeks. It is a topic that is hotly debated across the events industry as more and more organisations try to find new ways of increasing the ROI of their event technology investments.

Integrating your event management software with other business systems within your organisation can bring a host of benefits. It can save you time by reducing manual data entry. It can eliminate errors and inconsistencies that commonly cause problems in communications. It can cut costs and make your team more productive – and, more importantly, it can unlock the true value of your event data by putting it in the hands of the people who need it.

So how does it work and what does an integrated system look like? For a quick overview of some of the key integrations that make sense for your events, have a look at the infographic below (or click here to download):

New EU/US Data Sharing Deal: What Event Planners Need to Know

Last week, the EU and the US finally struck a new deal on data sharing designed to protect EU citizens’ data when transferred across the Atlantic. The so-called ‘Privacy Shield’ deal replaces the ‘Safe Harbor’ agreement that stood for more than 15 years before being struck down by a court last October. The decision left thousands of businesses – especially those reliant on the cloud – scrambling to figure out how to legally operate data transfers, while US and EU regulators spent the last three months hammering out the terms of Privacy Shield. But questions are already being raised about the new agreement. The language used in the official announcement is woolly at best and there are fears that the deal has a number of flaws which could raise further legal challenges in the future [1].

So how is this relevant to the events industry? Events deal with highly sensitive delegate information – from names, addresses and employment information to things like gender, disabilities and dietary preferences. Up until last year, the pact made it relatively easy for any company hosting events to legally store EU delegate information in US data centres. However, with the absence of Safe Harbor and a general lack of certainty around the new deal, there is still little to prevent European data protection agencies from taking enforcement action against companies suspected of breaching European law. Storing EU delegate data in the US can still put organisations at risk.

What Was Safe Harbor?

The Safe Harbor agreement allowed US companies to transfer European citizens’ data to America, provided the location it was being sent to had privacy conditions that met EU standards. It was first put in place in 2000, because the US does not have one single federal law regulating data storage. Its constitution does offer some protection to US citizens’ data, but it provides no assurances for foreign citizens. It was an important agreement for thousands of companies operating in Europe.

Why Was the Agreement Ruled ‘Invalid’?

When former National Security Agency (NSA) contractor Edward Snowden made revelations in 2013 about the US surveillance system, an Austrian student filed a complaint against Facebook with the Irish data protection authority. He claimed Snowden’s revelations confirmed that Facebook wasn’t sufficiently protecting user data, as the NSA was carrying out mass surveillance on technology companies. The case went all the way up to the EU’s top court, which in October 2015 ruled that the Safe Harbor agreement was no longer valid because US public authorities were able to access EU citizens’ data and individuals had no means of obtaining compensation for any misused data. Since then, the US and EU have had to negotiate a new data sharing agreement that allows data flows across the Atlantic to continue without breaking the law.

How Is the New Deal Different?

Under the terms of the new deal – which are still being negotiated – the US will give an annual written commitment that it won’t indulge in mass surveillance of EU citizens, and this will be audited by both sides once a year. US companies wishing to import EU citizens’ data must also take on robust obligations on how personal data is processed, and comply with the same standards as European data protection laws. But there are already fears that the deal may be too broad for some to swallow. Ashley Winton, UK Head of data protection and privacy at law firm Paul Hastings LLP, said: “The results of months’ worth of negotiation appears weak, and if adopted we are likely to see further legal challenge in the European courts” [2].

Why Is This Data-Sharing Deal So Important for Your Events?

If you are hosting events in Europe, find out where your delegate data is being stored – if you don’t already know. If it’s within the EU, then you shouldn’t have any concerns. If it is in a US data centre, you need to make sure that you have the correct mechanisms and methods in place to legally transfer data from Europe to the US. This applies not only to the data you store within your organisation but, more importantly, to the third-party IT systems that also have access to your event and delegate data. This ranges from vendors that supply you with registration systems and event apps to business systems like CRM and finance packages that may be integrated with your event management software.

Find out exactly how these organisations are safeguarding your delegate data and keeping it private. Find out where they are storing your data – especially the US-based companies that are heavily reliant on the cloud. There are many cloud providers which operate solely within the bounds of the European Union, but there are many out there who operate through their large data centres in the US – which would mean the new ‘Privacy Shield’ deal applies to them. Find out the physical location of their cloud servers. Find out if they contract their support services outside the EU. Find out who has access to your delegate data, and what kind of security policies they have in place. Find out if your data is encrypted and whether or not they adhere to EU data protection regulations. Solutions could involve drafting new contractual agreements with delegates, encrypting US servers and building EU-based servers and support centres.

The Road Ahead

The uncertainty around the new deal may still mean that the movement of data from the EU to the US can become a legal matter if EU delegates have grounds to believe their consent to data storage and usage has not been obtained. Companies may be able to transfer data if they have the free and informed consent of users, and this gives event planners another thing to think about before moving their data outside the EU.

As the terms of the new, safer ‘Safe Harbor’ get ratified by EU members, the current legal limbo may close up soon enough. Last month, the US passed the Judicial Redress Act – a necessary step to achieving the new deal – which provides a path for EU citizens to sue over privacy complaints in the US. However, it also passed a last-minute Republican amendment that provides for an exception on national security grounds – which undermines the entire point of the measure. So as it stands, there are still no guaranteed assurances for businesses wanting to export data from Europe to the US right now. What we can be sure of is that the ending of Safe Harbor and the announcement of Privacy Shield should pave the way for a new era of transparency from companies on how they use customer information and how we define data ownership.

Written by Steve Baxter, CTO, Eventsforce

[1] The Register: Safe Harbor ripped and replaced with Privacy Shield in last-minute US-Europe deal (includes comments from former Gartner Vice President French Caldwell)

[2] The Register: Safe Harbor ripped and replaced with Privacy Shield in last-minute US-Europe deal

Source: CNBC ‘US and EU in data privacy clash: what you need to know’

Award Ceremonies: How to Address Most Common Setbacks

Awards, galas and recognition dinners are meant to be sparkling occasions where raising a glass to success is top of mind. Unfortunately, they don’t always go that way and sometimes a “Plan B” has to be enacted. Take a look at these 5 scenarios, from comedic to tragic, and see how smart planners, marketers, PR pros and execs turned the perception and measure of success in their favour.

1 – “We’ve got some technical difficulties…” Use this time to allow your guests to network with each other – after all, they’re here to celebrate each other’s successes. If your awards ceremony, gala or recognition dinner has press or media present, perhaps even set up a couple of interviews with the lucky winners. Adding a networking element is always a good value-add. People will appreciate being able to connect with others and be recognised. Next time though, be sure to test – and re-test – your equipment!

2 – “We have to stay on track!” It’s difficult to have a set schedule for an awards ceremony, gala or recognition dinner, so when some award recipients or even your presenter go on for too long, there’s the problem of getting through the entire programme on time. This can also be boring for the audience, so be sure to set some ground rules on how much time should be spent on each section of the schedule. It can’t get longer every year, like the Oscars, and then go through post-editing! Always plan for more time, or even switch the venue to a reception for some ceremonies or portions thereof, to break it up a bit and stay on task.

3 – That’s not the right name! “Adele Dazeem” – who? It was a pretty notable fail when John Travolta mispronounced Idina Menzel’s name at the 86th Academy Awards. If you’re hosting an event with a variety of recipients, make sure your presenters can correctly pronounce the names on the list BEFORE the event starts. When it happened to Idina Menzel, it was pretty humorous and she might have been able to “let it go”, but it was a fail moment nonetheless! It went viral and there are even Adele Dazeem name generators, so you could definitely add a humorous touch with it if this does happen at your event.

4 – Everyone’s bored! Make sure your presenter is engaging and relevant. Awards ceremonies, galas and recognition dinners should be relaxing and upbeat – after all, you’re celebrating all the success resulting from hard work. At the Golden Globes, Ricky Gervais may not have bored everyone with his offensive jokes, but he did not fit the bill for what they needed in a presenter, so they had to pull him off for an hour and he returned with more restraint. Unfortunately, if you didn’t plan for this ahead of time, you may have to just cut several speeches short and avoid dragging it out.

5 – There’s no better time to celebrate – Your awards ceremony, gala or recognition dinner may be invite-only for the recipients and their family/friends. However, if it’s a corporate event where everyone is invited, there are bound to be people who are upset that they didn’t win. A company in India, Tata Group, actually implemented a separate awards programme for “failures”, called “Dare to Try”, the year after someone was so upset that his colleagues had to pry him away. You can celebrate new innovations, even if projects weren’t successful.

Remember to check, re-check, test and rehearse for the best results. Most of all, plan for the worst but expect the best. After all… sometimes, failure is the predecessor of success. What better time to plan for failures than at an event that celebrates success?

3 Technology Tips That Will Improve Your Next Award Ceremony

If you’re running internal or external awards, conducting employee recognition programmes, peer reviews or even awards evenings for clients, the chances are that this won’t be a one-off event and is most likely repeated on an annual basis. View this repetition as an opportunity! It’s your chance to use your experiences to understand your previous events and programmes better, and use what you learn to improve your future efforts.

If this seems like a daunting task, then help is at hand. Technology can be your best friend in creating cutting-edge award programs, fuelling your desire for continuous improvement and allowing you to streamline your processes in the future. We’ve outlined a few ideas below as to how you could benefit.

The idea: Look at the readily available data
The tech: Integrated systems

Registrations, entry form submissions, the judging process, payments – each of these elements creates a wealth of data, so to be truly effective it’s important you take the time to really drill down into the information. This is potentially a lot of data to get your head around, so if it’s in silos and split across a number of different platforms you’re pretty quickly going to get cross-eyed. The whole process will be made a lot simpler if you use a system that integrates each element, creating one centralised point from which you can run all the reports you need.

The idea: Source extra data
The tech: Online questionnaires

When event professionals say they are trying to improve their awards ceremony, what this often boils down to is trying to improve the experience for those taking part, whatever their role. And what better way to do this than to actually ask them what they liked and, more importantly, what they thought could be improved?

An effective and cost-effective way of doing this is via an online survey. This will allow you to really understand what worked at your awards ceremony and what didn’t. For example, you’ll be able to find out if those attending found the registration process pain-free, if judges found the judging process simple and easy to understand, and if people are likely to come back next year. If you don’t get the positive responses you expected, this is a great opportunity to improve. Forewarned is forearmed.

The idea: Listen!
The tech: Social media

Effective awards ceremonies now make excellent use of social media, both before and during the big day. Where many awards organisers go wrong is that once the event is over, the social media focus, the monitoring of hashtags and the related communications also come to an abrupt halt. This is not the right way forward. Keep checking your social media accounts, as they could be valuable sources of feedback. Even if people haven’t tweeted to you directly, keep an eye on those using your event hashtag, as you may pick up some interesting insights that could help you shape next year’s event. (You don’t have an event hashtag? Well, you should! Check out our post on social media and award ceremonies to learn more.)

The ultimate idea: Learn and grow
The tech: All of the above!

All of this seemingly tedious data analysis is done for a very good reason: you want to put on a ceremony that is even better next time round. This isn’t just about making sure delegates have a good time; it’s also commercially important. The feedback from stakeholders will be invaluable, so make sure you take on board what they tell you, make them aware that they have a number of ways to give you their feedback, and show them that their feedback is valued and will be acted upon.

To find out more about how Eventsforce Awards can help you meet and beat challenges like these please click here, or contact one of the team for a free demo.

Social Media: How Best to Use it Before, During and After an Event

If you’re a conference or awards planner, then you’ll already know the nightmare… You have spent all year promoting the event’s brand, tirelessly drawing in new interest, consistently encouraging active participation, maintaining an engaged online community and now it’s finally over. You breathe a sigh of relief only to face that dreadful, jaw-dropping moment when you realise you have to do it all again next year.

Establishing a social media plan that starts on day one and continues until after the event is finished, one with a jam-packed content plan of post-event resources, is critical to building ongoing delegate relationships and, most importantly, will make your life easier.

Why is Social Media Key to Delegate Relations?

Social media plays a key end-to-end role over the lifecycle of an event and is extremely helpful in engaging the audience’s attention on the day and in securing future interest immediately after.

Using Social Media to Engage Delegates Can Include:

  • Running a hashtag for the event
  • Including separate hashtags for topics and presentations
  • Running polls and instant votes on topics raised
  • Q&As
  • Sponsoring competitions

And lots more. Getting it right turns any fears over filling next year’s conference into excitement for new opportunities to engage with your delegates.

So, where do you start with social media for events?

Create a Community

Use Twitter and Facebook to turn your audience into an active and engaged online community. By using social media right through your event-planning process, including on the day and afterwards, you can generate lasting relationships that will keep people coming back and sharing content. For example, Twitter can be great for sharing sponsors’ slides on the day, and your sponsors will appreciate the extra publicity – helpful when it comes to renewing next year!

If you organise awards, then you will already consider social media to be your best friend. If you aren’t used to creating communities for corporate events, however, you may want to start thinking about delegate relations in terms of creating online communities.

It’s best to give one person responsibility for social media management; you may even already have a community manager on your team, or someone who can take charge of enhancing your event’s outreach.

Promote an Interactive Audience

Fully interactive events are now the norm, with around 70% of event planners using Twitter to promote events and just under 60% using social media throughout the process. Carefully chosen hashtags can hugely increase interaction, making your event active, lively and memorable. Giving people their say also massively increases the authority of the event and gives them a compelling reason to return next year.

Think Different, Be Different!

Being different and experimental offers something new every time someone attends one of your events, and builds your reputation.

If you have never considered experiential marketing during your events, perhaps now is the time to put aside those traditional options and do something crazy. Experiential marketing is about bringing the brand and the audience closer through fun and memorable experiences. Typically, it’s employed in a strategy for grand openings but easily lends itself to events.

Maybe you don’t have the budget to send a man into space like Red Bull’s Stratos jump, or to run something like Heineken’s Departure Roulette, which offered free flights to random destinations around the globe and grabbed three million views on YouTube. But there are lessons to be learnt from the experts and big-budget marketing firms. It’s about being daring and letting others see you (or your client) being daring, different and theatrical.

Be Mobile Friendly

Smart event hosts work hard to create a mobile-friendly event, using Twitter hashtags and Facebook posts to drive interaction. It’s particularly useful for raising Q&As when someone may not want to stand up and would otherwise only post about it later anyway.

People love to cast their votes and have their say on topics so let them vote in live polls. It will be a great icebreaker and generate buzz on the day.

Continue the Debate

Once your event is over, consider taking the major topics or key points raised in the debates and turning them into a post-event debate. You could host a panel debate on Google+ Hangouts with the speakers or event organisers fielding additional questions or counterpoints to the raised themes and discussion points.

Building delegate relationships during and after an event is about maintaining an amazing community of people and rewarding them for being active and engaged participants. It doesn’t have to be a nightmare if you can encourage active participants who share the value in what you are trying to create.

With the right approach and energy, you can keep communities alive and growing for future events.

For further guidance on how to do social media for events, take a look at the related content below, or why not check out our own social media channels?