27 Jun How Paymentsandco.com could have prevented the Ticketmaster card data breach
Another big brand name in the UK has announced that it has breached PCI DSS rules and suffered a card data breach. I cannot imagine what the conversation between the CTO and the CEO would be. Who, in this day and age, sees that 85% of their revenue comes from card payments and does not ensure the highest level of security in protecting that card data? Who signed off Ticketmaster as PCI compliant when card data was on their network and systems, as well as being managed by a 3rd party? What world do these people live in!
I have said it before and I will say it again: PCI compliance is nothing but a useless piece of paper. It is the likelihood of a breach occurring that the industry and most merchants should be focused on and concerned about.
The Ticketmaster card data breach is another glaring example of a breach that the strategy we have developed at Paymentsandco.com could have prevented. I will first describe what they say happened, then, below that, describe how we could have prevented the breach from occurring.
UK customers of Ticketmaster have been warned they could be at risk of fraud or identity theft after the global ticketing group revealed a major data breach that has affected tens of thousands of people.
The company could face questions over whether there was a delay in disclosing the breach after it emerged that some UK banks have known about the incident since early April.
The Guardian understands that a number of Ticketmaster customers have already had fraudulent transactions debited from their accounts, with the fraudsters spending people’s cash on money transfer service Xendpay, Uber gift cards and Netflix, among other items.
Ticketmaster said customers who bought concert, theatre and sporting event tickets between February and 23 June 2018 may have been affected by the incident, which involved malicious software being used to steal people’s names, addresses, email addresses, phone numbers, payment details and Ticketmaster login details.
The company said less than 5% of its global customer base had been caught up in the breach, and indicated the number directly affected was fewer than 40,000. However, Ticketmaster claims to serve more than 230 million customers a year globally.
Ticketmaster, part of the Live Nation Entertainment group, said that on 23 June it discovered that malware on a customer support product hosted by Inbenta Technologies, an external third-party supplier, was exporting UK customers’ data to an unknown third-party. As a result, it said, some of its customers’ personal or payment information may have been accessed by this third party.
How Paymentsandco.com could have prevented the card data breach at Ticketmaster
The first issue is with the following sentence: "which involved malicious software being used to steal people's names, addresses, email addresses, phone numbers, payment details and Ticketmaster login details."
Malicious software can emerge from a variety of places; however, the real issue is why Ticketmaster thought it necessary to keep customer card data in the first place. What is it going to do with that card data other than send it to an acquiring bank to authorise and take the payment? As a result, the first challenge we raise is: you don't keep card data, period. This is the basis of our payment compliance strategy, and it is applied to every single payment channel.
We would then re-architect the payment channels so that every channel adopts the payment compliance strategy, and ensure that everything from the merchant ID to the payment channels and the suppliers behind them is tracked on our dashboard, as seen below:
[Dashboard screenshot: managing Ticketmaster 3rd parties]
The second statement that irks me is as follows: "Live Nation Entertainment group, said that on 23 June it discovered that malware on a customer support product hosted by Inbenta Technologies, an external third-party supplier, was exporting UK customers' data to an unknown third-party."
The breach clearly occurred at a 3rd party. However, as I always tell my clients, when it comes to 3rd party suppliers and payment solutions, size matters: you need to go for a supplier that is bigger than you. As is evident in this publication, the 3rd party barely gets a mention, but the fault in my opinion clearly lies with Ticketmaster for selecting a 3rd party that it clearly had not controlled or monitored.
If Paymentsandco.com were engaged, we would overhaul the 3rd party regime and ensure, firstly, that no 3rd party has access to our card data; it would be of no consequence to me how secure they think they are. In my book, no 3rd party touches my card data, period! We would redirect all card payments from 3rd party suppliers directly to the acquiring bank.
Managing the products and services that take card payments
The products and services that take card payments are one of the areas we take control of: we architecturally design each payment solution to ensure that no card data is stored on it and that all card data is handled by the acquiring bank.
We would ensure that none of Ticketmaster's payment channels has the capability to take card data, by design.
The last key point is change management: we implement our change management module, which controls all changes to the PCI estate (the card data environment), including all changes that 3rd parties make. We implement a 2-stage approval, first from the PCI team, then from the treasury team, before a change goes on to the supplier.
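A concrete check behind the "you don't keep card data" rule above and the "no card data taking capability by design" point in this section: if the merchant's own systems and its 3rd party support tooling are never meant to see a card number, anything that looks like one arriving in a request body, a support chat transcript or a log line is a design violation worth rejecting and alerting on. This is an added example, not Paymentsandco.com's tooling or Ticketmaster's code. It assumes a tokenised checkout in which the merchant only ever receives acquirer-issued tokens (the `tok_` prefix format is an assumption; real formats vary by provider), and the two request bodies are constructed samples.

```python
import re

# Candidate runs of 13 to 19 digits, optionally separated by spaces or hyphens.
# The lookarounds stop the pattern matching part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed acquirer token format (hypothetical; providers differ).
ACQUIRER_TOKEN = re.compile(r"^tok_[A-Za-z0-9]{16,}$")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit strings in text that pass the Luhn check."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """First six and last four digits only, so the alert itself is not a leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_fields(fields: dict) -> list:
    """Return (field_name, masked_pan) for every PAN found in a request body,
    support ticket or log event. Values in the token format are skipped."""
    hits = []
    for name, value in fields.items():
        if ACQUIRER_TOKEN.match(value):
            continue
        for pan in find_pans(value):
            hits.append((name, mask(pan)))
    return hits


class CardDataLeak(Exception):
    """Raised when raw card data reaches a component designed never to hold it."""


def guard_request(fields: dict) -> dict:
    """Reject the request outright if it carries a PAN; otherwise pass it on."""
    hits = scan_fields(fields)
    if hits:
        raise CardDataLeak("card data present in fields: %s" % hits)
    return fields


# Constructed sample: what a tokenised checkout should send to the merchant.
GOOD_REQUEST = {
    "order_id": "1234567890123",            # 13 digits, fails Luhn, not a PAN
    "payment_token": "tok_7f3a9c2e1b4d6a8f0e2c",
    "amount": "89.50",
}

# Constructed sample: a checkout form posting the card, plus a customer pasting
# a card number into a support chat handled by a 3rd party product.
BAD_REQUEST = {
    "order_id": "ORD-2018-000417",
    "card_number": "4111 1111 1111 1111",
    "cvv": "123",
    "chat_transcript": "my card is 5555555555554444 thanks",
}

if __name__ == "__main__":
    print("good request hits:", scan_fields(GOOD_REQUEST))
    print("bad request hits:", scan_fields(BAD_REQUEST))
    try:
        guard_request(BAD_REQUEST)
    except CardDataLeak as exc:
        print("rejected:", exc)
```

The same `scan_fields` can be run over exported support transcripts and application logs, which is where card data tends to accumulate unnoticed even when the checkout itself is tokenised. Luhn filters out most order and reference numbers, but some non-card identifiers are Luhn-valid too, so in production treat a hit outside the checkout path as an alert to investigate rather than as proof of a breach.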