Ticket vendor finds an easier path to PCI compliance through a web hosting service.
When TheaterMania.com’s acquirer started talking about the increasingly strict payment card security requirements some three or four years ago, the ticketing services vendor decided to beef up its protections by relying on the expertise of in-house employees, says David Stanke, chief technology officer.
Now, though, the vendor outsources the work to its web hosting service, and Stanke wouldn’t have it any other way. “Having access to people and resources means I don’t necessarily have to take on the burden of learning the rules first hand,” says Stanke, who oversees a software development team of eight. “It can be difficult to penetrate the requirements sometimes.”
Those PCI requirements are designed to protect consumers’ credit and debit card data as they move through computer networks. A council founded by Visa Inc., MasterCard Worldwide Inc., American Express Co., Discover Financial Services and JCB International oversees the standard. Merchants that fail to meet the requirements of PCI can be on the hook for fines in the case of a data breach.
TheaterMania.com sells a ticket processing service called OvationTix, used by concert halls, festivals, theaters and sports arenas. Several hundred clients throughout the United States use OvationTix, Stanke says. Those clients integrate OvationTix into their web sites, facilitating a connection between the ticket sellers and the software processing system operated by TheaterMania. The vast majority of transactions are completed with credit cards, Stanke says.
While the company’s acquirer provides updates about PCI requirements and requests statements that show TheaterMania.com is in compliance, Stanke says the acquirer offers little help in achieving compliance. That’s why the company handed off the job to its web hosting service, NeoSpire Inc.
The jobs handled by NeoSpire include those related to log file aggregation—separating data so that a compromise of one part of the server does not expose other data—and egress filtering—a way of protecting information leaving the server, Stanke says.
“I want my team to be focusing on developing applications that users are going to see,” he says.
Meeting the card data security requirements could become somewhat easier for TheaterMania.com and other merchants. The PCI Security Standards Council said in June that it will update each of the three standards every three years; one already was on a three-year cycle, but the other two were revised every two years, meaning more frequent changes to retailers’ systems and practices to keep up. The council said it made the changes after merchants, banks and processors asked for more time to meet the requirements of the standards.