The wilderness comes to life with color at Electric Forest in Rothbury, Mich.
Recent breaches at major retailers have brought a new focus on cyber security and many venues and ticketing companies are taking a new look at their own defense systems.
Whether it’s sports tickets, performing arts or concerts, ticketing companies are high profile targets for hackers and cyber criminals. Not only are ticketing companies processing high volumes of transactions from thousands of customers, they’re often doing it in a high frequency environment. A popular on sale for a major event like the upcoming Electric Forest festival in Rothbury, Mich., and produced by Insomniac Productions means potentially tens of thousands of individuals logging in at the same time.
Further complicating things, the festival is on a remote site meaning that a secure network must be built from scratch to operate the admission control system and facilitate the sale of walk-up tickets.
“We literally build out everything ourselves and provide our own staff to run the box office and entry points,” said Maura Gibson, president of Front Gate Tickets, which provides ticketing services for the event.
RFID wristbands are used to admit access to the festival, and new this year is a feature that ties the wristbands to a credit card allowing for a cashless environment on the premises. And because many buyers now use their Facebook accounts to log into the ticketing system, Front Gate has yet another layer of private information to protect.
“The networks we maintain at the Electric Forest are private networks,” not tied into the World Wide Web, making them much more difficult to detect and break into, Gibson explained. The networks are hidden from public view and constantly monitored by security teams — any unusual or suspicious activity can be quickly detected and stopped.
“All of our technology is PCI compliant,” explained Gibson, meaning that all of their credit card processing and data storage meets the highest standards set forth for protecting e-commerce.
“We don’t actually store any of the credit card information ourselves,” she said. Instead, users’ credit card information is held behind an encrypted firewall — when the customer makes a charge, a virtual token is instantly sent over the network, corresponding to a user account. Once the token is verified with a matching reference number to the account, the credit card is charged and the vendor receives an ‘Approved’ message at the Point of Sale. This all happens within a few seconds, Gibson said. At the CounterPoint Festival in Kings Downe, Ga., (April 25-27), wristbands were scanned in 82,000 times.
“And 30 percent of all wristband holders took advantage of the new cashless option,” said Gibson.
Ever been asked to retype a bizarre word or phrase into a security form so that you could finalize a purchase? The decade-old security feature is known as Captcha (an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart) and is a security tactic used by major ticketing companies like Ticketmaster and Tickets.com.
Captcha was designed to differentiate actual buyers from computerized bots, often deployed by scalpers to surreptitiously buy up ticketing inventory for future resale.
The effectiveness of Captcha remains unclear — scalpers have increasingly developed new ways to automate their way past Captcha. In one case, a group of New York businessman paid a firm in India to type in Captcha messages 24/7 — allowing for the thousands of tickets to be bought up.
That has led to increasingly more difficult Captcha phrases and, subsequently, more frustrated buyers. Older users, individuals with dyslexia and those with visual impairments are increasingly having difficulty with Captcha.
As a result, Ticketmaster is moving away from Captcha to more user-friendly tests to prove a buyer is a genuine fan and not a scalper, confirmed company spokesperson Jacqueline Peterson.
“It’s something we looked at beginning in 2013,” she said. “The goal is to create something simpler for the end user.”
Ticketmaster is experimenting with alternative software, which asks for well-known phrases or has the user choose between simple multiple-choice questions. Designed by New York firm Solve Media, the system relies on a series of algorithms and digital clues to determine if the user’s behavior is human or not.
Peterson explained it “typically takes about seven seconds” to solve a Solve Media query — older Captcha tests can take 15-20 seconds.
“Overall, it creates a better buying experience for the consumer,” she said.
If a firm processes credit or debit card sales in a retail environment or online, it needs to comply with PCI DSS: the Payment Card Industry Data Security Standard. Those who fail to comply and experience a security breach face a variety of potential consequences including free credit monitoring for victims and potentially large fines from banks and processors. A serious breach could even prompt Federal investigators to open an official inquiry on the breach that could bring costly legal bills.
Firms like ticketing company Tessitura have opted for a hosted technology approach that provided flexible processing options and fully PCI Compliant user experience. Partnering with Arizona firm Element Partners, the company developed “a solution that positioned its customers for future enhancements, such as tokenization and point-to-point encryption (P2PE) which, when combined, completely remove the transmission and storage of cardholder data from both a software application and customers’ point-of-sale systems,” according to a release.
Interviewed for this story: Maura Gibson, (512) 389-0315; Jacqueline Peterson, (310) 360-3051