Tag: data security

Delegate Card Payments & Security Compliance: Questions Answered

Enter registration details, make your payment and click submit. It’s the kind of information most event websites ask for. But when your delegate makes a payment, how do we make sure their card details are kept safe? If your organisation is involved in storing, processing or transmitting any delegate cardholder data – manually or electronically – you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). That means meeting tough standards that maximise your delegates’ payment card security, or facing the prospect of fines.

Unfortunately, many organisations don’t think about PCI compliance until they are due to be audited, which at best leaves them playing catch-up and at worst means they fail because they haven’t met the requirements. A recent report by Verizon – which assessed more than 5,000 organisations across 30 countries – found that nearly 80% of all businesses failed their interim PCI compliance assessment. More importantly, lack of compliance was linked to data breaches: of all the data breaches studied, not a single company was found to be fully PCI DSS-compliant at the time of the breach. The study also found that 69% of all consumers were less inclined to do business with a breached organisation [1]. So the stakes of non-compliance are pretty high.

Last month, Eventsforce conducted its own survey of senior event planners in the UK and the US to assess their understanding of delegate payments and PCI DSS requirements. The results were quite surprising. Nearly half of those surveyed didn’t know whether they were PCI DSS compliant, 84% were unable to identify the compliance requirements and a further 73% were unaware of the fines for non-compliance.

So what exactly is PCI-DSS and what do event planners need to know about it? Below are six of the most common questions we come across when discussing issues around delegate payments and data security.

What is PCI-DSS compliance?

If your events are set up to accept payments from delegates via credit or debit cards, then your organisation is obligated to achieve and maintain compliance with the PCI Data Security Standard. PCI DSS is an information security standard for any organisation handling credit card transactions from the major card schemes, including Visa, MasterCard, American Express, Discover and JCB. The standard was created to increase controls around cardholder data in order to reduce credit card fraud. It has three basic components: analysing IT systems for vulnerabilities; patching weaknesses and deleting unnecessarily stored data; and submitting compliance records to banks and card companies (a detailed description of all 12 requirements can be found here).

In the case of events, compliance means ensuring that no delegate payment card data is stored unless it is necessary to meet the needs of your event or business. This applies to all types of transactions – electronic (card payments through the event website) or manual (card payments over the phone or on-site). If it is absolutely necessary for you to store this information, then you need to know what you can and can’t do. Sensitive authentication data from the magnetic stripe or chip, for example, may never be stored, but other information such as card numbers (PAN), expiration dates, service codes and cardholder names may be stored if the correct encryption procedures are in place to keep the data safe (more on this further down).

Isn’t This the Responsibility of My IT/Legal/Finance Department?

Setting policies and procedures around compliance is usually the responsibility of these departments, but adherence to those policies is a shared responsibility across every department dealing with delegate card payments – including the events team. In the case of any fraudulent activity involving the payment card of one of your delegates, a bank can easily trace it back to a PCI-related breach at your organisation and hold you responsible. There are considerable fines associated with non-compliance following a data compromise; these can range from ten to hundreds of thousands of pounds. Many non-compliant organisations have stopped trading because the fines could not be accommodated.

Do I Have to be PCI-DSS Compliant?

PCI DSS compliance does not just apply to the storage of payment card data but also to the handling of that data while it is processed or transmitted over networks or phone lines. While not storing credit card data does eliminate some compliance requirements, the majority of the controls dictated by the DSS remain in effect.

One way of simplifying compliance is to outsource the process to one of the many PCI DSS-certified payment gateways that meet the required standards, such as Stripe, PayPal, Sage Pay and Worldpay, among others. This makes it possible for delegates to interact with the gateway software directly, so that card information never hits your own servers. However, make sure you understand how these payment gateways interface with your event management/registration systems. If your event website integrates with these gateways via an API in such a way that your servers capture and transmit the credit/debit card data first, then you are still liable for PCI compliance.

Read more: Top 5 Things to Think About When Dealing with APIs

Do I Still Need to Consider it if my Payment Gateway is Compliant?

Yes, if you take delegate/attendee payments offline or over the phone. In our event data security survey, 49% of event planners said they take credit/debit card details from their attendees over the phone. This doesn’t help with PCI compliance unless the information is entered directly into the payment gateway system. Even then, are the card details written down somewhere first? If so, do you dispose of the paper? How and when is it disposed of? Do you email these details to anyone? These are all questions you and everyone else on your team need to be aware of at all times. So make sure you have the correct policies in place and that your staff are trained to follow all the procedures necessary to ensure compliance.

What if I do Need to Store Card Details for Some of my Events?

Our survey found that 11% of event planners ask their attendees to fill in card details within registration forms as a form of deposit on possible extras like transport, hotel rooms, dinners, and so on. Some payment gateways, like Stripe, have a good way of managing this without making your organisation subject to PCI DSS regulations. At a minimum, PCI DSS requires card numbers (PAN) to be unreadable anywhere they are stored (the first six and last four digits are the maximum number of digits that may be displayed). However, as a general rule, it is not advisable to use registration forms to capture credit card details, as doing so does increase the risk of a breach.

What Are the Main Data Security Guidelines for PCI-DSS Compliance?

If you do have a legitimate business reason to store your delegates’ payment card data, it is important to understand which data elements PCI DSS allows you to store and what measures you must take to protect that data. Below are some basic do’s and don’ts for data storage security:

Data Do’s:

  • DO understand where delegate card data flows for the entire payment transaction process – from initial registration until the completion of the event.
  • DO verify that your payment applications (including third-party applications like PayPal) are PCI DSS compliant. Have clear access and password protection policies and remember, it is your responsibility to ensure that compliance is not just met but continuously maintained. Attacks are relentless and evolve every day, which is why compliance efforts should be a continuous process.
  • DO retain cardholder data only if authorised, and ensure it is protected.
  • DO use strong cryptography to render any cardholder data that you store unreadable, and use other security technologies to minimise the risk of exploitation by criminals.

Data Don’ts

  • DO NOT store cardholder data unless it’s absolutely necessary – delete all data as soon as you know that you no longer need it. Never print or email this information.
  • DO NOT store the 3-digit card validation code on the back of the payment card on paper or any digital format.
  • DO NOT store any payment card data on unprotected devices such as PCs, laptops or smartphones.
  • DO NOT permit any unauthorised people to access stored cardholder data.
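The storage rules above (PAN unreadable at rest, at most the first six and last four digits displayed, no cleartext card data in exports, emails or notes) can be checked mechanically. The following scanner is an added example and is not Eventsforce’s code or part of any PCI DSS tooling: it finds Luhn-valid card numbers in text such as a registration-system export, reports them in the permitted masked form, and can redact them. The sample export lines and the test PANs in them are constructed for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
# Known limitation: two digit runs separated by only one space are read as one candidate.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every card-scheme PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """The most of a PAN that PCI DSS allows to be displayed: first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[str, str]]:
    """Return (raw_match, masked_pan) for every Luhn-valid candidate in the text."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.group(), mask_pan(digits)))
    return hits


def scan_export(lines: list[str]) -> list[tuple[int, str]]:
    """Report (1-based line number, masked PAN) for each PAN found in an export or mailbox dump."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for _, masked in find_pans(line):
            findings.append((n, masked))
    return findings


def redact(text: str) -> str:
    """Rewrite the text so only the permitted first six / last four digits of each PAN remain."""
    for raw, masked in find_pans(text):
        text = text.replace(raw, masked)
    return text


# Constructed sample: lines of the kind that turn up in a registration export or a
# support mailbox. The card numbers are the well-known public test PANs, not real cards.
SAMPLE_EXPORT = [
    "delegate=Jane Doe; deposit_card=4111 1111 1111 1111; expiry=12/26",
    "delegate=John Smith; phone=020 7785 6997; booking_ref=1234567890123456",
    "Phone booking note: card 4242424242424242 taken on 3 Feb, paper copy shredded",
]

if __name__ == "__main__":
    for n, masked in scan_export(SAMPLE_EXPORT):
        print(f"line {n}: cleartext PAN stored; permitted display form is {masked}")
    print(redact(SAMPLE_EXPORT[0]))
```

The 16-digit booking reference on the second line is not reported because it fails the Luhn check, so the scanner can be run over large exports without flooding the reviewer with every long number.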

Summary

Understanding and implementing all the requirements of PCI DSS can seem daunting, especially for those without security expertise or large IT departments. However, PCI DSS mostly calls for good, basic security. Even if you don’t have to be PCI DSS compliant, the best practices mentioned above are steps that any organisation running events would want to take anyway to protect sensitive delegate data.


For further advice and guidance on event card payment security, please contact our friendly team on 0207 785 6997 or fill in our enquiry form here.

[1] 80 Percent of Businesses Fail Interim PCI Compliance Assessment

INFOGRAPHIC: How Safe Is Your Event Data?

There have been a number of high-profile data breaches over the last year, and though there have been no major incidents involving the events industry, it is definitely something we need to prepare ourselves for. Events deal with highly sensitive customer information, including names, emails, telephone numbers, employment information, disabilities and so on. Keeping this data safe is critical not just for delegates, but for any organisation storing this information.

Last month, we conducted a survey with event planners in the UK and the US to highlight some important trends around this issue.  The results have been very insightful.

The study, which was conducted across 50 organisations in the UK and the US, revealed that 80% of event planners marked data security as a top priority for 2016 yet only 40% felt they had the adequate security policies in place across their organisations.

The survey exposes key areas – like password hygiene, delegate payments and regulatory compliance – where event planners need to pay greater attention in order to prevent data from getting into the wrong hands. For example, the survey found that 81% of event planners do not change the passwords to their event management systems as often as they should (less than once a year), and a further 33% admit to having shared their passwords with other people. This increases the risk of a breach and makes it difficult to identify accurately who has access to the system at any given point in time.

For a more comprehensive look at these insights and some of the other findings from the Eventsforce ‘How Safe Is Your Event Data’ survey, please download the infographic below:



Top 5 Things to Think About When Dealing with APIs

Many experts are predicting that 2016 will be the year of APIs and integration for the events industry. The concept has been around for a while but is gaining momentum as more and more organisations see the benefits of integrating their event data with other systems. If you’ve already worked with APIs, then you know why they are important. But some of us may well be wondering: what are APIs and why should I care about them?

Simply put, an API – or Application Programming Interface – is a way for two pieces of software to talk to each other and exchange information. For example, when you make a purchase online, the website sends your credit/debit card information through an API to another application, which confirms that the details you have provided are correct. You can think of it as a door or window between two systems. From the perspective of an event planner, it’s the mechanism that allows your event management system to share data with your event app, that allows your registration software to share delegate details with your Salesforce.com CRM system, or that passes payment confirmations to your finance package.

Top 5 Considerations When Dealing with APIs

Integrating your event management software with other business systems within your organisation will bring you a host of benefits (see our blog post: Why is Integration So Important for Your Events). A well designed event app, for example, is one that integrates with your event management system to offer accurate, real-time content, not just during the event but before and after as well. Central to this design is figuring out which systems need to talk to each other, which fields within the app need to be updated and how often this needs to be done. And this is where APIs come in.

1) Putting the Right Data in the Right Place

When integrating your event management system with other applications, you need to decide how the API will pull and share information between the two systems. So if you’re integrating your registration software with the Salesforce.com CRM solution, you should decide which questions from your registration page (names, address, telephone numbers) should be updated in Salesforce, and vice versa. This ‘field mapping’ process is important as it ensures that the right data goes into the right field of each system. Your event app, for example, may use ‘preferred names’ for addressing delegates, while your event registration system records first, last and preferred names. By mapping the ‘preferred name’ field between the two systems, the API ensures that the app addresses the delegate by his preferred name, ‘Johnny’, instead of his full name, John Smith.

2) Choosing the Direction of Your Data Flow

The next thing you need to decide is whether this sharing of information is a one-way or two-way process. With event apps, the flow of information is usually one way: data from the event management system – like event agendas and delegate schedules – is pushed into the event app. With CRM, finance or membership systems, it makes more sense to sync data in both directions. So you’ll be able to pull invitation lists from Salesforce directly into your event management system and, similarly, any changes to a delegate’s profile will automatically be updated in Salesforce.


3) How Much of Your Data Should You Share?

Another thing to consider around your API is the filtering of your event data. By default, your API may expose all your data to the integrated systems. Your finance team, for example, may want access to all your event data, but your event app may only need access to data around one particular event. You may want to create one app for your exhibitors and another for your delegates; by setting the right filters within your API, you can make sure that only the relevant event data gets shared with each of your integrated systems.

4) How Often Should You Sync Your Systems?

This is an important question that can determine your API ‘pipeline’. Mobile apps, for example, consume a lot of data from event management systems, especially on the day of the event. That data needs to be constantly refreshed to ensure delegates have access to up-to-date information about the event. Finance or CRM packages, on the other hand, have a low but constant usage of event data, so syncing in this case can be set to once a day. Your event tech API provider may charge you for the amount of data you consume between your different systems, or may limit the amount of data you can run through the API, so make sure you choose one that won’t restrict your data use.

5) Determining Data Access & Security

Once you have decided which systems to integrate with your event management solution and set the parameters of your API, you (or your system administrator) can obtain an API key, which is often used instead of usernames and passwords. This key is one way of enabling integration, by giving your event app and other third-party applications access to your event data, and vice versa. It comes in the form of a computer-generated password that can be revoked (changed) if lost or compromised. If you don’t revoke it, your event data is vulnerable, as it is left exposed to anyone who has access to this key.

Make sure you know who has access to your API key and try to limit the number of people. When you do need to share it with other technology suppliers (like an event app provider), do so by phone instead of email, as it’s more secure. Also, if you’re integrating with more than one system, make sure you have separate API keys for each integration. This way, if one of your API keys gets lost or exposed, you can revoke that key (which disables only that integration) and set up a new one. If you have one API key for all your integrations, then revoking it breaks all the integrations at the same time, which can result in costly downtime until you’ve sorted it all out.
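Points 3 and 5 together describe a small key-management discipline: one key per integration, each key limited to the event data that integration needs, and revocation that disables one integration without touching the others. The registry below is an added example written to show that discipline and is not Eventsforce’s API or any vendor’s code; the integration names, event identifiers and the use of a SHA-256 digest for storage are assumptions made for the illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Integration:
    name: str
    event_ids: frozenset[str]   # filter: the only events this key may read ("*" = all events)
    revoked: bool = False


class ApiKeyRegistry:
    """One key per integration, stored only as a SHA-256 digest, revocable one at a time."""

    def __init__(self) -> None:
        self._by_hash: dict[str, Integration] = {}
        self._by_name: dict[str, Integration] = {}

    @staticmethod
    def _digest(key: str) -> str:
        # Only the digest is kept, so a copy of the registry does not leak usable keys.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, name: str, event_ids: set[str]) -> str:
        """Generate a fresh key for one integration and return it once; only its hash is stored."""
        if name in self._by_name and not self._by_name[name].revoked:
            raise ValueError(f"{name} already has an active key; revoke it first")
        key = secrets.token_urlsafe(32)
        integ = Integration(name, frozenset(event_ids))
        self._by_hash[self._digest(key)] = integ
        self._by_name[name] = integ
        return key

    def revoke(self, name: str) -> None:
        """Disable one integration's key; every other integration keeps working."""
        self._by_name[name].revoked = True

    def authorise(self, key: str, event_id: str) -> bool:
        """True only if the key is known, not revoked, and the event is inside its filter."""
        integ = self._by_hash.get(self._digest(key))
        if integ is None or integ.revoked:
            return False
        return "*" in integ.event_ids or event_id in integ.event_ids


def demo() -> dict[str, bool]:
    """Constructed walk-through: an app key scoped to one event and a finance key for all events."""
    reg = ApiKeyRegistry()
    app_key = reg.issue("event-app", {"conf-2016"})        # assumed integration names and
    finance_key = reg.issue("finance", {"*"})              # event ids, for illustration only
    app_before = reg.authorise(app_key, "conf-2016")
    app_outside_filter = reg.authorise(app_key, "gala-2016")
    reg.revoke("event-app")                                # app key exposed: disable it alone
    return {
        "app_before_revoke": app_before,
        "app_outside_filter": app_outside_filter,
        "app_after_revoke": reg.authorise(app_key, "conf-2016"),
        "finance_still_works": reg.authorise(finance_key, "conf-2016"),
        "unknown_key": reg.authorise("not-a-real-key", "conf-2016"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```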

Conclusion

Taking time to make these key decisions around your APIs will determine the success of your integration. While most event tech vendors provide APIs for their software, many also have established partnerships and API integration capabilities with tried and tested software solutions (Salesforce.com, Sage, Insight Mobile). This is helpful, as you’ll be able to get things up and running without investing the time and money in coding work to pull data from one system to another. And if these API relationships don’t exist, there’s no need to reinvent the wheel: making sure your suppliers can provide you with the necessary advice, recommendations and workflows for integration means the whole process can take as little as a few days, at a fraction of the cost.

Get to know Eventsforce’s integration and API system, plus how it can unlock the true value of your event data, by clicking here.

Written by Paul Harris, Eventsforce

New EU/US Data Sharing Deal: What Event Planners Need to Know

Last week, the EU and the US finally struck a new deal on data sharing designed to protect EU citizens’ data when it is transferred across the Atlantic. The so-called ‘Privacy Shield’ deal replaces the ‘Safe Harbor’ agreement that stood for more than 15 years before being struck down by a court last October. The decision left thousands of businesses – especially those reliant on the cloud – scrambling to figure out how to operate data transfers legally, while US and EU regulators spent the last three months hammering out the terms of Privacy Shield. But questions are already being raised about the new agreement. The language used in the official announcement is woolly at best, and there are fears that the deal has a number of flaws which could raise further legal challenges in the future [1].

So how is this relevant to the events industry? Events deal with highly sensitive delegate information – from names, addresses and employment information to things like gender, disabilities and dietary preferences. Up until last year, the pact made it relatively easy for any company hosting events to store EU delegate information legally in US data centres. However, with the absence of Safe Harbor and a general lack of certainty around the new deal, there is still little to prevent European data protection agencies from taking enforcement action against companies suspected of breaching European law. Storing EU delegate data in the US can still put organisations at risk.

What Was Safe Harbor?

The Safe Harbor agreement allowed US companies to transfer European citizens’ data to America, provided the location it was being sent to had privacy conditions that met EU standards. It was first put in place in 2000, because the US does not have one single federal law regulating data storage. Its constitution does offer some protection to US citizens’ data, but it provides no assurances for foreign citizens. It was an important agreement for thousands of companies operating in Europe.

Why Was the Agreement Ruled ‘Invalid’?

When former National Security Agency (NSA) contractor Edward Snowden made revelations in 2013 about the US surveillance system, an Austrian student filed a complaint against Facebook with the Irish data protection authority. He claimed Snowden’s disclosures confirmed that Facebook wasn’t sufficiently protecting user data, as the NSA was carrying out mass surveillance on technology companies. The case went all the way up to the EU’s top court, which in October 2015 ruled that the Safe Harbor agreement was no longer valid because US public authorities were able to access EU citizens’ data and individuals had no means of obtaining compensation for any misuse of it. Since then, the US and EU have had to negotiate a new data sharing agreement that allows data flows across the Atlantic to continue without breaking the law.

How Is the New Deal Different?

Under the terms of the new deal – which are still being negotiated – the US will give an annual written commitment that it won’t indulge in mass surveillance of EU citizens, and this will be audited by both sides once a year. US companies wishing to import EU citizens’ data must also give robust commitments on how personal data is processed, and comply with the same standards as European data protection laws. But there are already fears that the deal may be too broad for some to swallow. Ashley Winton, UK Head of data protection and privacy at lawyers Paul Hasting LLP, said: “The results of months’ worth of negotiation appears weak, and if adopted we are likely to see further legal challenge in the European courts” [2].

Why Is This Data-Sharing Deal So Important for Your Events?

If you are hosting events in Europe, find out where your delegate data is being stored, if you don’t already know. If it’s within the EU, then you shouldn’t have any concerns. If it is in a US data centre, you need to make sure that you have the correct mechanisms and methods in place to transfer data legally from Europe to the US. This applies not only to the data you store within your organisation but, more importantly, to the third-party IT systems that also have access to your event and delegate data. That includes vendors that supply you with registration systems and event apps, and business systems like CRM and finance packages that may be integrated with your event management software.

Find out exactly how these organisations are safeguarding your delegate data and keeping it private. Find out where they are storing your data, especially those US-based companies that are heavily reliant on the cloud. There are many cloud providers which operate solely within the bounds of the European Union, but there are many others that operate through large data centres in the US, which would mean the new ‘Privacy Shield’ deal applies to them. Find out the physical location of their cloud servers. Find out if they contract their support services outside the EU. Find out who has access to your delegate data, and what kind of security policies they have in place. Find out if your data is encrypted and whether or not they adhere to EU data protection regulations. Solutions could involve drafting new contractual agreements with delegates, encrypting data held on US servers, and building EU-based servers and support centres.

The Road Ahead

The uncertainty around the new deal may still mean that the movement of data from the EU to the US becomes a legal matter if EU delegates have grounds to believe their consent for data storage and usage has not been given. Companies may be able to transfer data if they have the free and informed consent of users, and this gives event planners another thing to think about before moving their data outside the EU.

As the terms of the new, safer ‘Safe Harbor’ get ratified by EU members, the current legal limbo may close up soon enough. Last month, the US passed the Judicial Redress Act – a necessary step towards the new deal – which provides a path for EU citizens to sue over privacy complaints in the US. However, it also passed a last-minute Republican amendment that provides for an exception on national security grounds, which undermines the entire point of the measure. So as it stands, there are still no guaranteed assurances for businesses wanting to export data from Europe to the US right now. What we can be sure of is that the ending of Safe Harbor and the announcement of Privacy Shield should pave the way for a new era of transparency from companies about how they use customer information, and of how we define data ownership.

Written by Steve Baxter, CTO, Eventsforce

[1] The Register: Safe Harbor ripped and replaced with Privacy Shield in last-minute US-Europe deal (includes comments from former Gartner Vice President, French Caldwell)

[2] The Register: Safe Harbor ripped and replaced with Privacy Shield in last-minute US-Europe deal

Source: CNBC ‘US and EU in data privacy clash: what you need to know’

Eventsforce #Techsperts: Event Data Security and Integration Top Technology Priorities

Each month, we highlight a ‘Techspert’ from our team and take a closer look at their background and experience in the events industry. This month we’re focusing on our CTO Steve Baxter…

What is your area of expertise at Eventsforce?

I’m the Chief Technical Officer for Eventsforce. My team and I look after the technical side of the business – product development, operations, technical support, training and client services. My background is software design and engineering, but I love getting involved across the business to ensure we deliver great products and services. I first started working with Eventsforce as a consultant in 2012 – when I was asked to join as a director in 2014 I jumped at the chance!

Tell us a little about your background in the events industry

Before Eventsforce my experience of events was mostly as an attendee – I spent 15 years building software for life science research, and went to a lot of scientific conferences. The last 3 years have been an amazing learning experience; the variety and complexity of the events industry is beyond anything I had imagined. It makes life very interesting as a software engineer in this business!

What recent tech development do you think has impacted the industry the most?

Mobile technology is having a huge impact – the ability to access event information (and even manage an event) while on the move has been a massive shift. Event apps have a valuable role to play (particularly for offline content or “active” features such as push messaging), but as connectivity becomes more and more ubiquitous at events I think responsive websites and web apps that work brilliantly across a range of screen sizes from smartphones to desktops will become the norm.

What are your predictions for the future of event technology?

It’s all about the data. Whether you are a membership organisation running events for members, an event agency running events for clients or a corporate running events for employees or customers, you need to measure your event ROI and show how your events are contributing to your business goals. High data quality, cross-event reporting and integration with other parts of the organisation are key to that.

I also think data security will continue to be a big issue. 2014 saw a record number of vulnerability disclosures – Heartbleed and POODLE were two that were covered extensively in the media, but there were many more. So far there have been no breaches involving the event industry (or at least none that have been publicly reported), but it’s likely to be only a matter of time. Security hardening (to prevent breaches) and data segregation (to limit the loss when a breach happens) will become more and more important.

Top Tips for Saving Your Event Data from Disaster!

By George Sirius, CEO, Eventsforce

Watching the news most evenings will show that the world in which we live can be a very fragile place. As well as the tragic human suffering that occurs, natural disasters, terrorist actions, crippling weather conditions and civil unrest can place a great strain on businesses of all types, especially in these complicated economic times. With data now regarded by many event professionals as a key strategic asset, now is the time to consider how to save your event data from potential disaster, and to make sure your event data plan is treated as a strategic asset too.

1 – Discover what event data you own

It is rare for any organisation to hold all of its information in one central repository. Instead, the reality often encompasses several different databases, legacy systems, Excel spreadsheets and Access databases. Not all of your information will be stored electronically. What is in your filing cabinets, paper records, and the minds of your employees? Also, don’t forget the information held on laptops and other mobile devices.

2 – Formulate an event data recovery plan

Begin by defining the most important information your business needs to run your event effectively, and how quickly it needs to be recovered. This could take the form of emails, applications, databases, etc. Determine who within the organisation decides when to implement the plan, and how notice of a disaster will be communicated to delegates, venues, speakers, suppliers and other relevant parties.

3 – Keep your plan current

Things change rapidly in business, and nothing changes more rapidly than the relevance and quality of your event data. Ensure that someone has the responsibility to check on a regular basis whether your recovery plan is still relevant and whether new event data sources should be added to it. Make sure that there is also a way of regularly evaluating what event data your organisation holds.

4 – Test your plan regularly

A disaster plan is, by its very definition, likely to be implemented in times of stress and confusion. Therefore, it is important that you run full and regular tests of your plan which include both recovering and making ready for use all the data and systems that you require. Regular testing will also make for a more efficient recovery process as people become more familiar with what is required of them, and it gives you the opportunity to improve the plan before any disaster occurs.

5 – Back-up your event data off-site

Many disasters, such as flood, fire or terrorist action, may destroy entire buildings, so backing up your event data on-site alone is not a good idea. Make sure that your data is backed up off-site, somewhere safe and secure, and that it can be transferred back to you securely and quickly in times of crisis. Many companies perform this sort of back-up once a day, but for critical data it may be worth adopting some form of ‘continuous data protection’.

6 – Check your back-ups

Whether you are using tape back-up or disk systems, it is important to make sure that your back-ups are actually working effectively on a daily basis. Back-ups should be checked to ensure they fully replicate your data, and do so in a way that can be retrieved effectively. There is no point having your event data backed up if, come an emergency, it cannot be restored.

7 – Consider mobile devices

Make sure you have a policy that event data stored on mobile devices such as phones, laptops and USB sticks is regularly backed up, and make sure this policy is followed. It may be worth considering software that does this automatically.