SECURING SENSITIVE DATA IN TICKETING ORGANIZATIONS
Ticketing organizations managing events such as races, concerts, and sports need to take payments through multiple acceptance channels (omni-channel). Call centers take payment card information for reservations, web sites process online payments, and on-premise card readers take payments both online and offline for services during trips or events. Ticketing organizations need to work with multiple payment streams and payment processing partners.
The complexity of these businesses means there are many information systems – and people – that touch, process, and store both Payment Card Information (PCI) and Personally Identifiable Information (PII). The PII organizations collect includes postal and email addresses, phone numbers, and other data that can be used for identity theft and false account creation. The multitude of data entry points, databases for record keeping, and networks for transmitting sensitive data makes these organizations a prime target for hackers to breach.
Even more insidious is that a breach often results in the spreading of malware throughout an organization, as well as those of its partners, where it can persist undiscovered for months, harvesting payment and personal data. Often the malware is only uncovered when stolen data is already being used for fraud and traced back to the organization as the source of the breach—much too late to warn customers of the damage.
TOKENIZATION ELIMINATES RISK OF DATA THEFT, REDUCES PCI COMPLIANCE COSTS
Eliminating the risk of losing customer data requires a combination of encryption, tokenization, and cloud data vaulting to intercept incoming sensitive data at every possible entry point. This layered approach to data security ensures that no PCI or PII is accepted, stored, or transmitted by IT systems that could be hacked, infected with malware, or inadvertently exposed by personnel. For ticketing organizations, the TokenEx Cloud Security Platform provides layered solutions for the three main collection points for sensitive data: call centers, web shopping carts, and on-premise card readers.
CALL CENTER SECURITY
Even in the age of ubiquitous internet shopping, many people prefer the human touch when making complex travel plans—especially when the trip is for pleasure and an expensive investment. Call centers with experienced travel planners are still in demand for cruises, multi-city or country itineraries, and adventure vacations. In order to provide excellent service, call center operators need to collect significant PII and ultimately PCI to complete the reservation. All that sensitive data is entered and stored on workstations and databases that are virtual honeypots for hackers.
TokenEx provides several methods of securely working with PCI and PII data in the call center. Taking PCI over the phone can be made secure by using point-to-point encryption (P2PE) PIN pads at workstations. Once account numbers are captured and encrypted, the data is sent to the TokenEx Cloud via the TokenEx API to be decrypted, tokenized, and vaulted. Tokens are sent back to the call center database for future billings. Since only the tokens are stored in the local business systems, workstations, web servers, and databases remain out of scope of PCI compliance.
Call center operators can also use a web portal to input payment information. The TokenEx Browser Based Encryption can be used in the portal to instantly encrypt the PANs and transmit them to be tokenized, vaulted, and passed on to the payment gateway of choice for processing. This enables real-time processing of payments, while reducing the scope of PCI compliance.
These same processes can be used to secure any PII captured during a call. PII such as email addresses, bank information, passport IDs, and even medical information can be tokenized and vaulted to ensure only the undecipherable tokens representing PII are stored locally for future processing.
WEB SHOPPING CART CHECKOUT SECURITY
Even when customers prefer the human touch of a call center to plan their events, additional payments can be made through a web portal and checkout page. The security objective is to provide real-time payment processing using only encrypted and tokenized data—once again keeping the web server secure and out of PCI scope. Organizations can choose to have TokenEx host the entire checkout page, which is fully customized to look and behave like the business web site design, or use the iFrame solution to only host the final payment fields. Either way, as customers enter their payment data into the web site, it is securely encrypted and tokenized, so that the actual PANs never enter the ticketing organization’s business systems. Only the tokens are returned to the business systems for recurring billing, analytics, and safe storage.
ON-SITE CARD READER SECURITY
Participating in events usually requires additional expenditures for food and services. Providing merchants and vendors with secure support to accept payment cards for everyday expenses requires a level of security akin to the call center P2PE PIN pads. Onsite merchants and event services should be equipped with P2PE card readers to encrypt the account numbers immediately and store them in a local database. Away from port, the charges may need to be batched for transmission to the TokenEx Cloud when internet connectivity is regained, there to be tokenized and sent to the appropriate PSPs for processing.
OPEN INTEGRATION PROVIDES FLEXIBILITY IN PAYMENT SERVICES
With all these scenarios, the TokenEx Cloud Security Platform is tightly integrated into the existing business processes. TokenEx can act as a central integration point for fraud detection, chargeback prevention, and marketing analytics, passing the necessary payment data to the service providers in the format they expect, without the business systems’ accepting, storing, or transmitting any payment data.
TOKENEX AT WORK
TokenEx clients in the ticketing industry that rely on tokenization in the cloud to protect their guests’ data have the freedom to use virtually any payment processor, as well as to integrate other payment processing services. Let’s explore an example of tokenization used in an e-commerce platform for ticketing and event management services.
SECURELY MANAGING AND TICKETING EVENTS WITH CONFIGIO
Configio (previously known as MyCustomEvent) is an e-commerce platform that helps other organizations manage events and ticketing, among other functions. Any time a customer of a Configio-supported web site purchases tickets or services, they are actually using the payment processing provided by Configio. The secure payment processing works behind the scenes of the branded web pages of the organization, securing payment data and interfacing with multiple payment processors.
“Payment processing is one of our most important competitive differentiators,” says Bob Bailey, co-founder of Configio. “Our secret sauce is making payment processing completely transparent to the end customers. Customers never know we are behind the scenes of the organization with whom they are doing business. And that’s the way our clients want it.”
Configio uses the TokenEx Web API to route all incoming payments originating from their clients’ customers to TokenEx Secure Data Vaults. Configio servers receive the tokens back to store for future processing. Because Configio supports many vendors, it requires flexible access to multiple PSPs and gateways. TokenEx supports over 40 payment gateways “out of the box” and can add new ones as needed. TokenEx provided customized tokenized payment streams to accommodate some of Configio’s clients’ unique payment fields.
You can read more details in the profile about Configio and TokenEx.
Connect with TokenEx to Secure Your Organization’s Sensitive Data
Your business data belongs to you. Your customers’ data belongs to them. Keeping sensitive data of all types out of the reach of hackers, ransomware attacks, and state-sponsored spies is the job of TokenEx. You owe it to yourself and your customers to secure your enterprise against attack. You can depend on the TokenEx Cloud Security Platform to do just that. Contact us today to learn how we can eliminate the risk of data theft and reduce the cost of PCI compliance.