Tag: educational institutions

5 Easy Ways of Securing Your Event Data

Data security is increasingly becoming top of mind and making headlines as it continues to impact businesses around the world. Just about every week, there is a fairly major cyber-security event that gets talked about in public – and there are many more that don’t get talked about. It is a major problem for any organisation that has valuable information to protect (which means most companies these days) – especially for those involved in the world of events.

We have talked a lot about the issue in the last couple of months, addressing things like the kind of data security questions you should be asking your event management solution provider and some of the considerations you need to take when dealing with delegate card payments.  Most event planners will also be following their own organisation’s security policies when it comes to storing and sharing event data – from communication procedures to firewalls, encryption and anti-virus software.

However, while IT focuses on outside threats, there is also an element of risk lurking from within. Over 40% of data loss [1] is the direct result of internal threats which come about from staff mishandling data – whether intentionally or unintentionally. In fact, our event data security study exposed a number of important vulnerability areas – like staff password hygiene, email communications and data storage – that event planners should be paying greater attention to in order to prevent data from getting into the wrong hands.

Have a look at the following best practice guidelines that can greatly improve security around your event and delegate data:

Don’t Put Anything in Email That You Wouldn’t Put on a Postcard

Email communication is one area of vulnerability. Our study found that 65% of respondents emailed their event data (attendance reports, registration lists, invoice reports) to third parties or other departments within their organisation after downloading the information from the event management systems. Another 36% admitted to having emailed their API key – a form of authentication that allows third party systems like event apps to access data saved in your event management systems.

The truth is that it is difficult and cumbersome to encrypt data in emails from end to end – so you should always think about what you are sharing on email. Check before sending that you have the right recipients and encrypt the data itself if necessary. If you don’t need to email it, don’t. For example, when confirming registration details with your delegates, don’t include all their details within the body of the email but instead, include a personalised link that will lead them directly to their registration page on your event website. Equally, never email your event system API key(s) to ANYONE as this could expose your data to anyone who has access to this key. If you need to share it, do so over the phone.
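One way to build the personalised link described above is to put nothing about the delegate in the email at all: the link carries only an opaque token that names the registration record and is signed by the event website, so it cannot be guessed or altered. The following is an added example written for this post, not Eventsforce code; the URL, the registration id format, the seven-day validity period and the signing key are all assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Server-side signing key. Constructed fresh here for the example; a real deployment
# would load it from a secrets store so that issued links stay valid across restarts.
LINK_SIGNING_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 7 * 24 * 3600  # assumed policy: a link is valid for seven days


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token can sit in a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(LINK_SIGNING_KEY, payload, hashlib.sha256).digest())


def make_registration_link(base_url: str, registration_id: str, now: Optional[int] = None) -> str:
    """Build a personalised link that carries only an opaque, signed token.

    The email body never needs the delegate's details: the token identifies the
    registration record and the server looks everything else up after verifying it.
    """
    issued = int(time.time()) if now is None else int(now)
    payload = f"{registration_id}:{issued}".encode()
    return f"{base_url}/registration?t={_b64(payload)}.{_sign(payload)}"


def verify_registration_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the registration id if the token is authentic and unexpired, otherwise None."""
    try:
        encoded, sig = token.split(".", 1)
        payload = _unb64(encoded)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison so a forged signature cannot be refined byte by byte.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    registration_id, _, issued = payload.decode().rpartition(":")
    current = int(time.time()) if now is None else int(now)
    if not issued.isdigit() or current - int(issued) > LINK_TTL_SECONDS:
        return None
    return registration_id


def token_from_link(link: str) -> str:
    """Extract the token part from a link produced by make_registration_link."""
    return link.rsplit("?t=", 1)[1]


if __name__ == "__main__":
    link = make_registration_link("https://events.example", "REG-1001")  # hypothetical host and id
    print(link)
    print(verify_registration_token(token_from_link(link)))  # REG-1001
```

Because the signature covers the registration id and the issue time, changing either part of the token invalidates it, and a link that has been forwarded still expires on schedule. The link itself reveals nothing if intercepted, which is the point of the advice above: the email contains a pointer, not the data.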

Be Smart About Your Passwords

More than 500 million records of login names, passwords and other ID information went astray in the last 12 months, according to a report this week by security firm Symantec [2]. It sounds pretty obvious but you would be surprised at the number of people that ignore the importance of passwords. Our survey found that over 80% of event planners don’t change their event management system passwords as often as they should (less than once a year). Another 33% claim to have shared their passwords with other people. This greatly increases the risk of breach and makes it difficult to accurately identify who has access to the system at any given point in time.

Using strong passwords, NOT sharing them and changing them once every three months can greatly improve security around your event data. The problem is that the human brain can only remember so many passwords, not to mention we’re actually really bad at picking good ones. So, too often we just reuse passwords across multiple sites. This is an issue because so many of us use the same password for our work and personal accounts like Facebook, Google and online banking. Be creative: think of a special phrase and use the first letter of each word as your password. Substitute numbers for words or letters. For example, “I want to see the Eiffel Tower” could become 1W2CtEt.

Another solution is to use a password manager, a software tool for computers and mobile devices, which will pick random, long passwords for each site you visit, and synchronise them across your many devices. Two popular password managers are 1Password and LastPass.  You can also use a Single Sign-On (SSO) system, which allows you to control access to your event management software using your authentication servers (e.g. Microsoft Active Directory) – so passwords are never submitted to your event system and access can be controlled centrally by your organisation. If someone from your team leaves their job, then their access to all systems can be cut off from one place.

Share Only What is Necessary

The study also revealed that an overwhelming 89% of event planners downloaded the data in their event management systems to external spreadsheets, with a further 81% sharing it with colleagues and other departments by printing or email.  As well as following your organisation’s policies on how to securely share and dispose of data, you can also reduce security risks by integrating your event management system with some of your other back end systems like finance, CRM and marketing.  The integration will allow for automatic updates on both systems whenever you need to make any changes, eliminating the need to download, print or email event data to other departments within your organisation.

For example, integration with your company’s finance system will allow you to automatically update delegate payment details into your finance system and vice versa without the need for printing and emailing reports and manually transferring them from one system to another. Event invoices, credit notes and received payments can all be generated and sent from either system. This saves time and, more importantly, vastly reduces the security risks associated with email communications and having printed documents lying around.

Know Your Personal Vs. ‘Sensitive’ Personal Delegate Data

Our study found that there was some confusion differentiating personal and ‘sensitive’ delegate data. Personal information can include things like names, addresses and phone numbers. However, sensitive data is any information relating to the delegate’s racial origin, political opinion, religious beliefs or mental and physical well-being. The survey found that 40% of event planners didn’t consider race and religion to be sensitive, and only 26% considered dietary requirements (which may indicate religious inclinations) sensitive.

Why is this important? EU Data Protection regulations require extra security measures when dealing with ‘sensitive’ delegate data – as this information could be used in a discriminatory way and is likely to be of a private nature.  Most registration forms will have a question asking delegates if they have any additional requirements.  This may include things like dietary requirements or the need for wheelchair assistance. Storing this ‘sensitive’ data means you must comply with the Data Protection Act from the moment you obtain the data until the time when the data has been deleted, overwritten or securely destroyed (e.g. shredding, incineration or pulping).

Don’t Forget About ‘Offline’ Security

As a general rule, try not to store any of your event data in any physical form (print or external hard drives, USB drives etc.) as this greatly increases the chance of it getting into the wrong hands. If you must, invest in secure cabinets, fit locking doors and ensure you have the proper mechanisms in place to dispose of this data if you need to. At your events, don’t leave your registration lists, laptops and smart phones unattended and ensure that event data on your screens is not visible to unauthorised users. Be cautious when discussing details over the phone and avoid discussing sensitive information in public areas where you can be overheard.

Lastly, make sure your employees understand how important your event data is and all the measures they can take to protect it. Encourage security awareness among your staff, training them not to leave sensitive material lying around and to operate a clear desk policy – both at the office and at your events. The ultimate goal is for everyone, at every level, to believe that data security is critical, to understand the policies and procedures for achieving a secure environment and to ensure these are followed every day.

Written by Steve Baxter, CTO of Eventsforce

[1] Information Week: Insider Threats: 10 Ways to Protect Your Data

[2] BBC News: Security snapshot reveals massive personal data loss


60-Seconds with University of St Andrews

Scott Francis is an event manager at the internationally renowned University of St Andrews – the oldest university in Scotland. His team is in charge of managing more than 250 events each year ranging from large conferences that gather around 1,000 delegates to summer schools, weddings, gala dinners and student balls.

EventTech Talk had a chat with him to find out about some of Scotland’s best restaurants and venues, his worst event nightmare and his best piece of professional advice:

How long have you been working in events?

I have worked at the university for 15 months, but worked in the events industry for 6 years before that.

Where is your favourite venue for events?

The Assembly Rooms on George Street in Edinburgh, Scotland is absolutely beautiful and a fantastic size.

What is your favourite restaurant?

A small tapas restaurant in Broughty Ferry called Sol y Sombra. The food is wonderful and the staff are all so professional and friendly.

What would you say is your biggest challenge when planning an event? 

I would have two equally big challenges: The first is short lead time with an event. The second is an unreachable client – a lot of academics have a lot of work on their plate so they’re not always in their office!

What has been your biggest event nightmare?  

I was the manager of the operational team for a large gala dinner in my previous work, and the client was told the maximum number of guests allowed was 590. The day before, we were informed there were 626 tickets sold which meant another 3 tables had to be situated in an already full space. And to make matters worse, none of the guests had received their pre-order wine forms! So the one very small bar for the function was rammed!

How do you relax after an event?

I like to bring my duvet to the sofa and watch endless Netflix.

Mobile app you couldn’t live without? 

WhatsApp Messenger

New technology you’re looking forward to using one day (drones, holograms, AR/VR)? 

How amazing would it be to have a keynote speaker in hologram form presenting from somewhere else in the world!?

If you could have one superpower, what would it be?

To stop time!

What has been the best piece of advice someone has given to you? 

My old boss once said everything happens for a reason. Everything that is sent to test you teaches you something new, and you learn every day.


Why Hiring Students for Your Events is a Good Idea


Many of you have probably read how the role of an event coordinator has been ranked as the fifth most stressful job of 2016.  In fact, the only jobs ranked more stressful were enlisted military personnel, firefighters, airline pilots and police officers. Whether or not you agree with these findings, there is no doubt that working in events is not something that everyone is cut out to do.  It takes determination and experience (as do most jobs) and a good mix of communication, creative and time management skills to be successful.  Many in the industry believe that these skills can’t be taught.  That we don’t need academic degrees in event management.  That experience is what matters most.  But not anymore.

Perceptions around whether or not we need qualifications in the industry are changing. In January this year, the UK government recognised the importance of the events sector by forming the country’s first Event Industry Board.  Meanwhile, the president of MPI (Meeting Professionals International) has called for new standards regarding the certification of event professionals.  There is also a growing trend in big corporate institutions investing heavily in executive certificate programmes and post graduate event management courses for their events staff to keep them updated on the latest processes and methodologies of this fast-paced industry.

Whichever way you look at it, a qualification in event management is a lot more relevant today than it was five years ago. Modern universities like Coventry University are offering courses that combine academia with experience, helping create a new generation of event professionals that already have proven skills in project management – from briefing and planning to on-site management and post event evaluation.  They have worked on real projects with real clients and are certified in the latest event management software. Even before they graduate, these students are able to provide important support on many aspects of an organisation’s event. So why not work with them?

What Can the Event Management Student Do for My Organisation?

Students today are very willing to take on any opportunity that can provide them with experience in the industry. Meet and greet is probably the best place to invest in students – especially for those organisations who can’t afford specialist agencies. Many of our students man events like the Liberal Democrats party conference, where they are in charge of meet and greet, registration and other client-facing activities.

Placement schemes are another option. These can last up to a year and provide a cost effective way of hiring someone to do a specific job.  Our students do placements, and volunteering opportunities with organisations like the British Council. By working as part of their events and logistics teams for the ‘Going Global’ conferences, students have been able to work in places such as Dubai, Miami, London and Cape Town in 2016. The work they do includes building event websites, managing registrations, meet and greet, coordinating conference sessions, as well as running live reports and providing post event analysis. The feedback we get from these organisations is always positive and many decide to hire the students on a permanent basis once they graduate.

You can also look at internships.  These are usually unpaid positions that focus on short-term projects that can range anywhere from 4-12 weeks.  This can be a good opportunity to get someone to do important tasks that you may not have the resources for, such as conducting research on your competitive landscape, evaluating your social media performance or doing some post-event analysis. A lot of our graduate students choose to focus their dissertations on evolving areas in the industry such as wearable technologies and cashless events – organisations could suggest topics and work alongside these students for their own research and marketing purposes.

Where Do I Find Students That Add Value to My Events?

If you decide that working with an event management student makes sense for your events, the next step is to figure out where to find suitable candidates. There are a number of universities and other higher education institutions that offer comprehensive courses in event management, but the ones that stand out have some of the following attributes:

Industry-Driven Modules – Event management is still a very young, dynamic and fast changing industry.  Look at institutions that regularly consult with industry experts in creating their modules. Find out how often they expose their students to the industry through lectures given by event professionals, field trips to industry events, course works involving real events and projects, as well as opportunities for practical work experience. Find out what proportion of students are in full-time work six months after graduation – as this gives a good indication of the institution’s reputation and academic standard.

Staff with Industry Expertise – A combined staff of academic lecturers and industry experts (event professionals across corporate, PCOs, associations and government) provides students with a good balance of theory and practical insights.

Industry Partnerships – Find institutions that have dedicated employment and placement schemes with reputable companies. At Coventry University, students have done placement schemes with British Council, Schroders, Bank Sadler and BP and many have travelled to international destinations like Dubai, Cape Town, Berlin and the US for practical hands on experience.  Read through the testimonials of these organisations and find out what they say about the students and their abilities.

Technology Focus – Technology is such an important aspect of events now that any knowledge on the subject can add real value to what a student can offer to your event. Second year students at Coventry University, for example, need to pass the Eventsforce certification programme, which teaches them how to use the event management software to build event websites and registration forms, build agendas, manage sessions, link sites to social media and pull different types of reports.

How Do I Choose the Right Student?

Once you have made a selection of the universities you would like to approach, the next step would be to select your candidates.  You can start by meeting students at university career days or take one step further and conduct an assessment centre – this is when a group of students are given a task and they are rated on how they react, who takes the lead, how interactive they are, as well as their overall performance on achieving the set objectives.  You can also get the university to make you a shortlist of their top students.

Once you have your shortlist, then you can assess your candidates on the following attributes:

  • Presentation and content of CV
  • Proven event experience (local or international)
  • Likeability, communication and networking skills
  • Knowledge of event technology
  • Social media presence (views/opinions)
  • Blogs (many students blog about their work experiences)
  • Research skills (e.g. social media or industry analysis)
  • Industry recognition (e.g. MyEvent.Vision award or the Vanessa Cotton scholarship)

Good luck!

Ian Webster is senior lecturer and creator of the Event Management Honors Degree at Coventry University, which was recently ranked as UK’s number one university to offer a degree in event management (Guardian 2016 Subject League Tables). 

If you would like to get in touch, please email him at: bsx941@coventry.ac.uk


Why Your Events Could Benefit from Multilingual Websites

Choosing which event to attend is no longer restricted by borders and time zones, as delegates are increasingly happy to travel further afield for the right event. They are spurred not only by the abundance of cheap flights and budget accommodation, but by a real desire to learn about the latest innovations, best practice guidelines and the opportunity to network and share ideas with colleagues and peers from across the world.

But are we doing enough to reach delegates beyond our country’s borders? A study by the European Commission in 2011 revealed that 90% of Internet users in the EU said that when given a choice of languages, they always visited a website in their own language. A similar survey by the Common Sense Advisory in the US also found that 72% of consumers were more likely to buy a product or service online if the information provided was in their native language [1]. With this in mind, and the fact that most people now research events online, doesn’t it make sense for your events to have multilingual websites?

Why Multilingual Websites Can Boost Your Events

Multilingual sites today present one of the most cost-effective ways of marketing your events, attracting new delegates, building relationships with them and giving your organisation an international outlook:

  • Shows You Care – It doesn’t take much effort to create a multilingual website (more below) but that extra effort shows your delegates that you care about them and are considerate of their needs, which makes them more likely to book onto your event. We all know that personalisation is important to our delegates and what could be more personal than talking to them in their own language?
  • Builds Trust with Your Delegates – Trust is an important part of doing business. Trust in an event and the event organiser is even more important if a delegate is travelling from abroad. Communicating with these delegates in their native language helps them feel secure, understand what they are buying and who they are buying from.
  • Helps You Stay Ahead of Your Competitors – Make no mistake, your event has competition. Whether it’s from other events, alternative ways of spending budgets or time constraints, your delegate needs to make difficult choices. If they only go to a few events a year, you need to make yours stand out. Offering a multilingual website will give your event a competitive edge by demonstrating to delegates that your organisation thinks, works and deals internationally.
  • Improves Search Engine Optimisation – Search engines lead people to your site. While it’s tempting to view Google as the only search engine that matters, in reality this isn’t the case, as in many countries, such as France, Japan and China, Google is not the default search engine. Baidu is popular in China, Acara in Japan and Voila in France. Such search engines are key to tapping those markets, but unless they can index your content in the relevant language through your multilingual event website, your event will not be found. In addition, search engines like Google are developing the capacity to run searches in foreign languages. Having your website available in those languages helps to ensure it will be picked up in searches.

But the Internet is in English

If you assume your delegates speak your language well enough to skip the translation step, you’re wrong. Today only 35% of the Internet’s content is in English, and this number continues to diminish. Russian, Spanish and Portuguese, for example, are continuing to trend upward with no sign of slowing down. If you are targeting delegates who speak these languages, it is worth considering translating your content to better reach and connect with them. And while other languages like German, French and Japanese are trending down, they still represent such a large portion of the online community that it is worth thinking through your targeting approach to those markets as well [1].

It’s a Lot Simpler Than You Think

Having the ability to communicate to a whole new international audience in their own language will undoubtedly bring results not only in a financial sense but also in terms of marketing and creating awareness of your event. And luckily, creating these multilingual event websites isn’t a complicated process if you consider the following basic requirements:

Make Sure Your Event Technology Supports It – Most event management or registration software these days offers a multilingual module, which allows important pages on your event website, including those for registration and agendas, to be displayed in several popular world languages of your choice. By providing tools that allow you to automatically translate things like website headings, button texts, warning messages and email communication, the software helps you copy templates from one language to another in no time. Organisations like the British Council do this with their in-country events and the system has proved to be very successful.

Make Sure You Have the Necessary Staff Resources – If it’s a simple event website with a registration form that collects basic delegate information (name, country and contact details), then having staff that can speak the language isn’t entirely necessary as you can manage most of it through an online translation service like Google Translate. In most cases, however, you will need to have someone on your team who has a working knowledge of the language to oversee all translation requirements and more importantly, manage all delegate communication – from sending registration confirmation emails, making changes to agendas and managing requests.

If you don’t have the staff resources, then there are other affordable options. You can hire a freelance translator through services like Upwork and Fiverr, which offer hundreds of talented and reliable people to work with. Alternatively, you can also use an online translation service like Unbabel, which combines artificial intelligence with crowdsourced human translation to deliver fast and high quality services to companies who want to reach international markets.

Written by Lynda Browne, Client Loyalty Manager, Eventsforce

[1] Unbabel: Top Languages of the Internet, Today and Tomorrow


Top 8 Security Questions to Ask Your Event Technology Provider


Many of you have read the scandalous stories we saw in the headlines last year regarding major security breaches at companies like TalkTalk and the Ashley Madison dating site. Cyber hackers raised their game, with millions of people having had their private data stolen and national governments scrambling to combat the growing threat of cyber-attacks. Now imagine your organisation’s systems got hacked and exposed the personal details of the hundreds (or thousands) of delegates attending your events each year. Doesn’t really bear thinking about, does it?

Events deal with highly sensitive customer information, including names, emails, telephone numbers, employment information, disabilities and other confidential details. The wealth of information we collect from our delegates is a gold mine for hackers. Safeguarding this data is critical and more and more organisations are starting to see the importance of this issue. Our new data security survey found that 80% of event planners marked data security as a top priority for 2016. Surprisingly, however, only 40% of them felt they had adequate security policies in place across their organisations. In fact, according to MPI members at last month’s MPI European Meetings & Events Conference, event planners were said to be lacking awareness on the topic of cyber security despite the global terrorism threat [1].

So how do we address this issue of event technology security?

Most event planners these days deal with some form of event registration technology that helps them manage all their event and delegate data.  The software captures, manages and stores a lot of the sensitive data we mentioned earlier – so it makes sense to start there. Have a look at the data security policies of your event tech provider.  Are you confident they have the right processes in place to safeguard your data? Are they doing everything they can to minimise the risk of breach?

Here are the top 8 data security questions you should be asking your event tech provider today:

How is My Event Data Protected?

Maximum protection of your event data should probably be your event technology provider’s top priority. You want to ensure that your event data is fully secure and protected by a comprehensive recovery system. The first step in achieving this is the use of strong industry-standard encryption, like HTTPS and AES, which helps protect your data from prying eyes and can provide you with assurance that it hasn’t been modified in any way. Find out how your data is encrypted both at rest (when stored in servers) and in transit (when accessing data from your event management system over an Internet network).

What Data Security and Safeguarding Policies Do You Have in Place?

Find out where your database is stored, how it is stored and how often they back it up – the more often, the better, so that no changes are lost from your database if restoration is required. In the case of a breach of their own servers, find out what response plans they have in place to protect your data. Find out what security policies they have in place within their organisation – how do they protect their own data and how do they meet regulatory and legislative requirements? Who has access to client data, how do they handle authorisation and what happens when someone leaves? How do they share client information (email/phone) and where do they store this information?

How Can I Ensure Secure Access to my Event Management System?

All major event management systems manage access via username and password authentication.  However, you can also manage access using an external authentication service, which can restrict access for certain individuals to particular functions (e.g. abstract reviews) or particular events. Find out if your event tech provider can integrate your event management solution with a Single Sign-On (SSO) system. This will allow you to sign in using your company’s existing corporate authentication infrastructure – so passwords are never submitted to your event system and access can be controlled centrally by your organisation. If someone from your team leaves their job, then their access to all systems can be cut off from one place.

SSO improves security by giving you the choice to restrict event websites and registration to internal personnel or selected individuals or groups, effectively making them private. Only people chosen to view the event website or register for the event will be able to do so and invitations cannot be shared – useful if you have an internal awards event going on involving confidential company information.

Where is my Event Data Stored?

As mentioned above, this is something that should be outlined in the security policy of your event technology provider. It is worth noting, however, that if your event management software provider is storing your data in US-based datacentres and you deal with delegates from the EU, then you need to ensure that they comply with the newly announced Privacy Shield agreement. This replaces the old Safe Harbor agreement, which allowed US companies to legally transfer European citizens’ data to America, provided the location it was being sent to had the security and privacy conditions that met EU standards.

Read more: New EU/US Data Sharing Deal: What Event Planners Need to Know

If you are using a web-based system, find out the physical location of their cloud servers and whether or not they adhere to EU Data Protection regulations. Find out who has access to these servers and what kind of security procedures they have in place.

Do You Own My Data?

This is an important question as some event management technology companies have a legal right to use your data for their own marketing purposes, which means it’s highly likely that they store this data somewhere other than your company’s database on their client servers.  This increases the chance of breach so again, you need to find out what data protection policies they have within their own organisation, how they manage access to this data, what do they use it for and how long they keep it.

Are You PCI-DSS Compliant?

Our survey revealed that almost 50% of event planners who took payment from their delegates didn’t know if they were PCI-DSS compliant and a further 73% were unaware of the fines for non-compliance (ranging anywhere from $5,000 to $100,000). If your events are set up to accept payments from delegates via credit or debit cards, then your organisation is obligated to achieve and maintain compliance with the PCI Data Security Standard (more info here). One way of simplifying compliance is to outsource the process to one of the many PCI-DSS-certified payment gateways that meet the required standards, such as Stripe, PayPal, Sage Pay and Worldpay, among others. However, make sure you understand from your event tech provider how these payment gateways interface with your event management/registration system. If your event website integrates with these gateways via an API, then you are still liable for PCI compliance since your servers capture and transmit the credit/debit card data first. Equally, if your event management system uses its own payment gateway or processes payments on your behalf, make sure that their systems have the correct level of compliance and that they are not permanently storing your delegate payment card data on their servers.

Read more: Top 5 Things to Think About When Dealing with APIs

What Security Precautions Do I Need to Take?

If your event management system is integrated with other third party systems (CRM, event apps, finance packages), your event management software provider may have issued you with an API key for those integrations. Often used instead of usernames and passwords, the key gives your event app and other third party applications access to your event data, and vice versa. Remember that anyone who has access to this key has access to your data – so you need to make sure it doesn’t get into the wrong hands. You can minimise the risk of a breach by asking your event tech provider to issue different API keys for different functions – for example, use one key to connect your system to the delegate section of your event app and another to connect it to the exhibitor section. Also, if you’re integrating with more than one system, ask for separate API keys for each integration (event app, CRM, etc.). This way, if one of your API keys gets lost or exposed, you can revoke that key (which disables only that integration) and set up a new one. If you have a single API key for all your integrations, then a leaked key would lead to far more serious consequences for you and your organisation.
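To make the difference concrete, here is a small added example (not Eventsforce code; the registry, resource names and integration names are hypothetical) that compares the blast radius of one shared API key against per-integration, per-function keys, and shows which integrations keep working after the leaked key is revoked.

```python
import secrets

RESOURCES = ("delegates", "exhibitors", "invoices")   # event data an integration may request

class KeyRegistry:
    """Issues, checks and revokes per-integration API keys (hypothetical, not a vendor API)."""
    def __init__(self):
        self._keys = {}   # secret -> {"integration", "scopes", "revoked"}

    def issue(self, integration, scopes):
        secret = secrets.token_urlsafe(32)             # unguessable random key
        self._keys[secret] = {"integration": integration,
                              "scopes": frozenset(scopes), "revoked": False}
        return secret

    def revoke(self, secret):
        self._keys[secret]["revoked"] = True           # disables only this key's integration

    def allowed(self, secret, resource):
        key = self._keys.get(secret)
        return key is not None and not key["revoked"] and resource in key["scopes"]

def exposed_by_leak(registry, secret):
    """Data a holder of the leaked key could read: the blast radius of that one key."""
    return [r for r in RESOURCES if registry.allowed(secret, r)]

def surviving_after_revoke(registry, keys, leaked):
    """Integrations that keep working once the leaked key has been revoked."""
    registry.revoke(leaked)
    return sorted(n for n, s in keys.items() if any(registry.allowed(s, r) for r in RESOURCES))

def compare_strategies():
    # Risky setup: one master key shared by every integration
    shared = KeyRegistry()
    master = shared.issue("all", RESOURCES)
    shared_keys = {"event-app": master, "crm": master, "finance": master}
    # Recommended setup: one key per integration and function, scoped to the data it needs
    split = KeyRegistry()
    split_keys = {"app-delegates": split.issue("event-app", ["delegates"]),
                  "app-exhibitors": split.issue("event-app", ["exhibitors"]),
                  "crm": split.issue("crm", ["delegates"]),
                  "finance": split.issue("finance", ["invoices"])}
    leaked = split_keys["app-delegates"]               # suppose this one key is exposed
    return {"shared_exposed": exposed_by_leak(shared, master),
            "split_exposed": exposed_by_leak(split, leaked),
            "shared_surviving": surviving_after_revoke(shared, shared_keys, master),
            "split_surviving": surviving_after_revoke(split, split_keys, leaked)}
```

With the shared key, a leak exposes every resource and revoking it takes every integration offline; with split keys, the leak exposes only delegate data and the other three integrations keep running.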

How Long Do You Keep My Data For?

In our survey, 54% of event planners said they use their event management systems as a permanent storage space for all their event data.  If you’re happy with your event tech provider’s data security policies, then keeping your data in the system after your event is complete is a good idea – especially if you don’t have adequate procedures to safeguard this data within your own organisation. Find out how long they keep this data on their servers, whether it is moved to other locations or servers and whether or not they delete it after a defined period of time.

Conclusion

There is no such thing as 100% security when it comes to safeguarding your data. However, following best practices and taking the precautions outlined above can help you understand the risks involved and minimise the chances of a data breach.

To learn more about event technology security and how Eventsforce’s systems keep your data safe, read the related posts below or get in contact.

Written by Steve Baxter, CTO of Eventsforce

1 C&IT: Event Planners Don’t Understand Real Threat of Cyber Hacking


Delegate Card Payments & Security Compliance: Questions Answered

Enter registration details, make your payment and click submit. It’s the kind of information most event websites ask for. But when your delegate makes a payment, how do we make sure their card details are kept safe? If your organisation is involved in storing, processing or transmitting any delegate cardholder data – manually or electronically – you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). And that means meeting tough standards that maximise your delegate’s payment card security – or face the prospect of fines.

Unfortunately, many organisations don’t bother thinking about PCI compliance until they are due to be audited, which at best leaves them playing catch-up or, at worst, means they fail because they haven’t met the requirements. A recent report by Verizon – which assessed more than 5,000 organisations across 30 countries – found that nearly 80% of all businesses failed their interim PCI compliance assessment. More importantly, lack of compliance was linked to data breaches: of all the data breaches studied, not a single company was found to be fully PCI DSS-compliant at the time of the breach. The study also found that 69% of all consumers were less inclined to do business with a breached organisation1. So the stakes of non-compliance are pretty high.

Last month, Eventsforce conducted its own survey with senior event planners in the UK and the US to assess their understanding of delegate payments and PCI-DSS requirements. The results were quite surprising.  Nearly half of those surveyed didn’t know if they were PCI DSS compliant, with 84% not being able to identify compliance requirements and a further 73% unaware of the fines for non-compliance.

So what exactly is PCI-DSS and what do event planners need to know about it? Below are six of the most common questions we come across when discussing issues around delegate payments and data security.

What is PCI-DSS compliance?

If your events are set up to accept payments from delegates via credit or debit cards, then your organisation is obliged to achieve and maintain compliance with the PCI Data Security Standard. PCI DSS is an information security standard for any organisation handling credit card transactions from the major card schemes, including Visa, MasterCard, American Express, Discover and JCB. The standard was created to increase controls around cardholder data in order to reduce credit card fraud. It has three basic components: analysing IT systems for vulnerabilities; patching weaknesses and deleting unnecessarily stored data; and submitting compliance records to banks and card companies (a detailed description of all 12 requirements can be found here).

In the case of events, compliance would mean ensuring that no delegate payment card data is stored unless it is necessary to meet the needs of your event or business. This applies to all types of transactions – electronic (card payments through the event website) or manual (card payments over the phone or on-site). If it is absolutely necessary for you to store this information, then you need to know what you can and can’t do. Sensitive data from the magnetic stripe or chip, for example, may never be stored, but other information such as card numbers (PAN), expiration dates, service codes or cardholder names may be stored if the correct encryption procedures are in place to ensure data safety (more on this further down).

Isn’t This the Responsibility of My IT/Legal/Finance Department?

Setting policies and procedures around compliance is usually the responsibility of these departments, but adherence to these policies is a shared responsibility across any department dealing with delegate card payments – including the events team. In the case of any fraudulent activity involving the payment card of one of your delegates, a bank can easily trace it back to a PCI-related breach at your organisation and hold you responsible. There are considerable fines associated with non-compliance following a data compromise; these can range from tens to hundreds of thousands of pounds. Many non-compliant organisations have stopped trading because the fines could not be accommodated.

Do I Have to be PCI-DSS Compliant?

PCI-DSS compliance does not just apply to the storage of payment card data but also to the handling of data while it is processed or transmitted over networks or phone lines. While not storing credit card data does eliminate some compliance requirements, the majority of the controls dictated by the DSS remain in effect.

One way of simplifying compliance is to outsource the process to one of the many PCI-DSS-certified payment gateways that meet the required standards, such as Stripe, PayPal, Sage Pay and Worldpay, among others. This makes it possible for delegates to interact with the gateway software directly so that card information never hits your own servers. However, make sure you understand how these payment gateways interface with your event management/registration systems. If your event website integrates with these gateways via an API, then you are still liable for PCI compliance since your servers capture and transmit the credit/debit card data first.

Read more: Top 5 Things to Think About When Dealing with APIs

Do I Still Need to Consider it if my Payment Gateway is Compliant?

Yes, if you take delegate/attendee payments offline or over the phone. In our event data security survey, 49% of event planners said they take credit/debit card details from their attendees over the phone. This doesn’t help with PCI compliance unless the information is entered directly into the payment gateway system. Even then, are the card details written down somewhere first? If so, do you dispose of the paper? How and when is the paper disposed of? Do you email these details to anyone? These are all very important questions that you and everyone else on your team need to be aware of at all times. So make sure you have the correct policies in place and that your staff are trained to follow all the procedures necessary to ensure compliance.

What if I do Need to Store Card Details for Some of my Events?

Our survey found that 11% of event planners ask their attendees to fill in card details within registration forms as a form of deposit on possible extras like transport, hotel rooms, dinners, and so on. Some payment gateways like Stripe have a good way of managing this without making your organisation subject to PCI-DSS regulations.  At a minimum, PCI DSS requires card numbers (PAN) to be unreadable anywhere they are stored (the first six and last four digits are the maximum number of digits that may be displayed).  However, as a general rule, it is not advisable to use registration forms to capture credit card details as it does increase the risk of breach.
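As an added example (not Eventsforce code; the functions, the regular expression and the sample notes text are constructed here), the block below applies the display rule just described – at most the first six and last four digits of a PAN visible – and uses the same masking to report, without logging the full number, any full card numbers that have ended up in a free-text registration field or export. The Luhn check digit test is standard card-number knowledge assumed here, not something the post states.

```python
import re

PAN_LENGTHS = range(13, 20)          # payment card numbers are 13 to 19 digits long

def luhn_valid(digits):
    """Luhn check digit test used by payment card numbers (assumed, not from the post)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan, lead=6, trail=4):
    """Render a PAN for display: at most the first six and last four digits visible, the rest masked."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or len(digits) not in PAN_LENGTHS:
        raise ValueError("not a payment card number")
    if lead > 6 or trail > 4:
        raise ValueError("PCI DSS permits at most the first six and last four digits")
    return digits[:lead] + "*" * (len(digits) - lead - trail) + digits[-trail:]

PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators

def find_unmasked_pans(text):
    """Return full PANs found in free text (e.g. a registration notes field), already masked."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if len(digits) in PAN_LENGTHS and luhn_valid(digits):
            found.append(mask_pan(digits))   # report masked, never log the full number
    return found

SAMPLE_NOTES = (   # constructed sample; 4111... is a well-known test card number, not a real card
    "Delegate asked to hold room with card 4111 1111 1111 1111 exp 12/27. "
    "Booking ref 1234567890123. Phone 0207 785 6997."
)

def scan_sample():
    return find_unmasked_pans(SAMPLE_NOTES)
```

The 13-digit booking reference and the phone number are not reported: the reference fails the Luhn check and the phone number is too short to be a PAN.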

What Are the Main Data Security Guidelines for PCI-DSS Compliance?

If you do have a legitimate business reason to store your delegates’ payment card data, it is important to understand what data elements PCI-DSS allows you to store and what measures you must take to protect that data. Below are some basic do’s and don’ts for data storage security:

Data Do’s:

  • DO understand where delegate card data flows for the entire payment transaction process – from initial registration until the completion of the event.
  • DO verify that your payment applications (including third-party applications like PayPal) are PCI-DSS compliant. Have clear access and password protection policies and remember, it is your responsibility that compliance is not just met but continuously maintained. Attacks never stop and become more sophisticated every day, which is why compliance efforts should be a continuous process.
  • DO retain cardholder data only if authorised, and ensure it is protected.
  • DO use strong cryptography to render unreadable any cardholder data that you store, and use other security technologies to minimise the risk of exploitation by criminals.

Data Don’ts:

  • DO NOT store cardholder data unless it’s absolutely necessary – delete all data as soon as you know that you no longer need it. Never print or email this information.
  • DO NOT store the 3-digit card validation code from the back of the payment card, on paper or in any digital format.
  • DO NOT store any payment card data on unprotected devices such as PCs, laptops or smartphones.
  • DO NOT permit any unauthorised people to access stored cardholder data.

Summary

Understanding and implementing all the requirements of PCI-DSS can seem daunting, especially for those without security teams or large IT departments. However, PCI DSS mostly calls for good, basic security. Even if you don’t have to be PCI-DSS compliant, the best practices mentioned above are steps that any organisation running events would want to take anyway to protect sensitive delegate data.


For further advice and guidance on event card payment security, please contact our friendly team on 0207 785 6997 or fill in our enquiry form here.

1 80 Percent of Businesses Fail Interim PCI Compliance Assessment

Infographic: The ROI of Event Data Integration

We have talked a lot about data integration (Why is Data Integration So Important for Your Events) and APIs (Top 5 Things to Think About When Dealing with APIs) over the last few weeks.  It is a topic that is hotly debated across the events industry as more and more organisations try to find new ways of increasing the ROI of their event technology investments.

Integrating your event management software with other business systems within your organisation can bring a host of benefits. It can save you time by reducing manual data entry. It can eliminate errors and inconsistencies that commonly cause problems in communications.  It can cut costs and make your team more productive – and more importantly, it can unlock the true value of your event data by putting it in the hands of the people who need it.

So how does it work and what does an integrated system look like?  For a quick overview on some of the key integrations that make sense for your events, have a look at the infographic below (or click here to download):