Enter registration details, make your payment and click submit. It’s the kind of information most event websites ask for. But when your delegate makes a payment, how do we make sure their card details are kept safe? If your organisation is involved in storing, processing or transmitting any delegate cardholder data – manually or electronically – you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). And that means meeting tough standards that maximize your delegate’s payment card security – or face the prospect of fines.
Unfortunately, many organizations don't think about PCI compliance until they are due to be audited, which at best leaves them playing catch-up and at worst means they fail because they haven't met the requirements. A recent report by Verizon, which assessed more than 5,000 organisations across 30 countries, found that nearly 80% of businesses failed their interim PCI compliance assessment. More importantly, lack of compliance was linked to data breaches: of all the breached organisations studied, not one was fully PCI DSS compliant at the time of the breach. The study also found that 69% of consumers were less inclined to do business with a breached organization. So the stakes of non-compliance are high.
Last month, Eventsforce conducted its own survey of senior event planners in the UK and the US to assess their understanding of delegate payments and PCI DSS requirements. The results were surprising. Nearly half of those surveyed didn't know whether they were PCI DSS compliant, 84% could not identify the compliance requirements, and 73% were unaware of the fines for non-compliance.
So what exactly is PCI-DSS and what do event planners need to know about it? Below are six of the most common questions we come across when discussing issues around delegate payments and data security.
What is PCI-DSS compliance?
If your events are set up to accept payments from delegates via credit or debit cards, then your organization is obligated to achieve and maintain compliance with the PCI Data Security Standard. PCI DSS is an information security standard for any organization that stores, processes or transmits cardholder data from the major card schemes, including Visa, MasterCard, American Express, Discover and JCB. The standard was created to tighten controls around cardholder data and so reduce card fraud. Compliance follows a continuous three-step cycle: assess (identify where cardholder data lives and analyse your systems for vulnerabilities), remediate (patch weaknesses and delete cardholder data you do not need to keep) and report (submit the required validation records to your acquiring bank and the card brands). The cycle is carried out against the standard's 12 requirements (a detailed description of all 12 requirements can be found here).
In the case of events, compliance starts with ensuring that no delegate payment card data is stored unless it is necessary for your event or business. This applies to all types of transactions, electronic (card payments through the event website) or manual (card payments over the phone or on-site). If it is absolutely necessary for you to store this information, then you need to know what you can and can't do. Sensitive authentication data may never be stored after a payment has been authorised, even in encrypted form: that means the full contents of the magnetic stripe or chip, the card validation code printed on the card, and PINs. The remaining elements may be kept, with conditions: the card number (PAN) only if it is rendered unreadable wherever it is stored (strong encryption, truncation, keyed hashing or tokenisation), while the expiry date, service code and cardholder name may be stored readably but must still be protected alongside it (more on this further down).
Isn’t this the responsibility for my IT/legal/finance department?
Setting policies and procedures around compliance is usually the responsibility of those departments, but adherence to those policies is a shared responsibility across every department that handles delegate card payments, including the events team. If one of your delegates' cards is used fraudulently, the card brands and your acquiring bank can trace the compromise back to your organisation and hold you responsible. There are considerable fines associated with non-compliance following a data compromise; these can range from tens of thousands to hundreds of thousands of dollars. Many non-compliant organizations have stopped trading because the fines could not be absorbed.
Do I have to be PCI-DSS compliant if I don’t store any credit/debit card information?
PCI-DSS compliance does not just apply to the storage of payment card data but also to the handling of data while it is processed or transmitted over networks or phone lines. While not storing credit card data does eliminate some compliance requirements, the majority of the controls dictated by the DSS remain in effect.
One way of simplifying compliance is to hand the card-entry step to a payment gateway that is itself validated as a PCI DSS-compliant service provider, such as Stripe, PayPal, Sage Pay or Worldpay, among others. The lowest-burden arrangement is one in which the delegate's browser sends card details straight to the gateway (a hosted payment page, a redirect, or form fields supplied by the gateway) so that card data never reaches your own servers. However, make sure you understand how these gateways interface with your event management/registration system. If your event website collects the card number itself and then passes it to the gateway through a server-side API call, card data is flowing through your servers, and most of the standard still applies to you.
Do I still need to think about PCI-DSS compliance if my payment gateway is compliant?
Yes, particularly if you take delegate/attendee payments offline or over the phone. In our event data security survey, 49% of event planners said they take credit/debit card details from their attendees over the phone. Your gateway's compliance does not cover this step unless the details are keyed directly into the gateway's system while the delegate is on the line. Even then, ask yourself: are the card details written down somewhere first? If so, how and when is that paper destroyed? Do you ever email these details to anyone? Every member of your team needs to know the answers to these questions. So make sure you have the correct policies in place and that your staff are trained to follow the procedures that keep you compliant.
What if I do need to store card details for some of my events?
Our survey found that 11% of event planners ask attendees to enter card details on registration forms as a deposit against possible extras such as transport, hotel rooms and dinners. Some payment gateways, Stripe among them, handle this through tokenisation: the gateway captures and stores the card and hands your system back a token that can be charged later, so no card number is held on your side and the bulk of the PCI DSS obligations stay with the gateway. If you do hold card numbers yourself, PCI DSS requires the PAN to be unreadable anywhere it is stored, and where it is displayed no more than the first six and last four digits may be shown. As a general rule, though, it is not advisable to use your own registration forms to capture card details, as it increases the risk of a breach.
What are the main data security guidelines for PCI-DSS compliance?
If you have a legitimate business reason to store delegate payment card data, it is important to understand which data elements PCI DSS allows you to store and what measures you must take to protect them. Below are some basic do's and don'ts for data storage security:
- DO understand where delegate card data flows for the entire payment transaction process, from initial registration until the completion of the event.
- DO verify that your payment applications (including third-party services such as PayPal) are PCI DSS compliant. Have clear access-control and password policies, and remember that it is your responsibility to ensure compliance is not just met but continuously maintained. Attacks never stop, which is why compliance has to be a continuous process rather than an annual exercise.
- DO retain cardholder data only if authorised, and ensure it is protected.
- DO use strong cryptography to render any cardholder data you store unreadable, and use other security controls to reduce the risk of compromise.
- DO NOT store cardholder data unless it's absolutely necessary; delete all data as soon as you know that you no longer need it. Never print or email this information.
- DO NOT store the 3- or 4-digit card validation code (CVV2/CVC2/CID) printed on the card, whether on paper or in any digital format.
- DO NOT store any payment card data on unprotected devices such as PCs, laptops or smart phones.
- DO NOT permit unauthorised people to access stored cardholder data.
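Three of the points above (keep card numbers off your own servers, show no more than the first six and last four digits, never print or email a card number) can be enforced in code rather than left to policy alone. The Python below is an added example written for this article, not Eventsforce code or part of any gateway's SDK; the registration field names, the sample text and the HMAC key are constructed for illustration, and 4111111111111111 and 5555555555554444 are well-known test numbers, not real cards. It uses a Luhn check to tell card numbers apart from order references and phone numbers, masks any PAN that a delegate has typed into a free-text field before the form is stored or emailed, and shows a keyed one-way hash as the non-reversible form you would keep if you need to recognise a repeat card without storing the number. Reversible encryption of a PAN is not shown; that needs a vetted library (for example the `cryptography` package) and key management, and is assumed to sit outside this snippet.

```python
# Added example (not from the Eventsforce article): PAN hygiene for an
# event-registration back end. Field names, sample text and the HMAC key
# are constructed for illustration.
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# A PAN is 13-19 digits; allow single spaces or hyphens between digits so
# "4111 1111 1111 1111" is caught as well as "4111111111111111".
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check on a digit string. Filters out order numbers,
    phone numbers and other long digit runs that are not card numbers."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked display form permitted by PCI DSS: at most the first six and
    last four digits are shown, the rest replaced."""
    digits = _digits(pan)
    if not luhn_valid(digits):
        raise ValueError("not a Luhn-valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the PAN, usable as a lookup key
    ('has this card been used before?') without storing the number.
    The key must be managed as a cryptographic key: an unkeyed hash of a
    16-digit PAN is brute-forceable and does not count as 'unreadable'."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs (digits only) found in free text."""
    return [
        _digits(m.group())
        for m in _PAN_CANDIDATE.finditer(text)
        if luhn_valid(m.group())
    ]


def _redact(m) -> str:
    return mask_pan(m.group()) if luhn_valid(m.group()) else m.group()


def scrub_registration(form: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Registration fields (name, dietary notes, special requirements) must
    never carry card data. Mask any PAN found before the form is stored or
    emailed, and report which fields were affected so staff can be told."""
    clean: Dict[str, str] = {}
    violations: List[str] = []
    for field, value in form.items():
        pans = find_pans(value)
        if pans:
            violations.append(f"{field}: {', '.join(mask_pan(p) for p in pans)}")
            value = _PAN_CANDIDATE.sub(_redact, value)
        clean[field] = value
    return clean, violations


if __name__ == "__main__":
    # Constructed sample: a delegate pastes card details into a free-text
    # field. The order reference is a long digit run that must NOT trigger.
    form = {
        "name": "A. Delegate",
        "special_requirements": "Please charge the dinner to 4111 1111 1111 1111",
        "order_ref": "20240915001",
    }
    clean, violations = scrub_registration(form)
    print(clean)
    print(violations)
    print(pan_reference("4111111111111111", key=b"demo-key-do-not-use"))
```

Run the scrub on every inbound registration before the record is written or forwarded to anyone, and alert on non-empty `violations`: a delegate typing a card number into a dietary-requirements box has just put that form, its database row, its backups and every email it is copied into within PCI DSS scope. The Luhn filter keeps false positives down but is not a proof that a number is a card, so treat the report as a prompt for a human check, not as a verdict.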
Understanding and implementing all the requirements of PCI-DSS can seem daunting, especially for those without security or large IT departments. However, PCI DSS mostly calls for good, basic security. Even if you don’t have to be PCI-DSS compliant, the best practices we mentioned above are steps that any organization running events would want to take anyway to protect sensitive delegate data.
There are a host of websites that provide more in-depth information on PCI DSS compliance.
Written by Steve Baxter, CTO of Eventsforce