Main Menu
April 6, 2009

Arts & financial security: How unsecure ticket sales expose your patrons to identity theft

I’d be hard pressed to find a member of an arts organization who doesn’t believe in the power of providing the option to sell tickets online. It gives many people a way to serve themselves (thus reducing your manpower needed at the box office to answer the phone), offers the patron the peace of mind of knowing that the ticket has been purchased, and usually offers additional benefits such as seeing your seat location, and being able to buy a ticket any night or day. Some groups I know have chaffed at the additional credit card processing fees, merchant account fees, or ticketing vendor fees of using a real ticketing system, and opted instead to collect credit card information online via a form, through an email, or into an unsecure database. Yes, you avoid additional fees that way, but is the cost of potentially exposing your patron’s credit card and identity information to hackers and thieves worth it? I don’t think so — and one lawsuit from an angry patron would seal the deal. Typically, groups get in trouble when they set up their own form to “reserve your tickets online” via their website, and that form asks for credit card information. Once a patron fills out the form and enters his/her credit card information, the form sends the patron’s info in an email to the box office staff. The email is usually passed through many computers on the internet, before it gets to the box office staff: imagine an old-fashioned fire brigade, where townsfolk are passing bucket after bucket of water down the line:

In this case, each “bucket” is an email. And for a moment, each email is available to be read by each computer that passes it on. It just takes one random computer in the system to be set up to snoop into your email looking for credit card numbers as they pass through, and poof — card number stolen. “But we’ve got a security certificate for our form page… there’s a lock and it says “https://” some have said. While this is a good step, you’re not necessarily out of the woods — if you are still getting credit card numbers delivered to your box office via email, it doesn’t matter if the form used to submit the email is secure, the security breach happens when the email is passed from internet computer to computer and finally to your inbox. The golden rule is: no credit card numbers should be sent or received via email, ever.

The benefits of using a “real” ticketing system

The benefits of using an actual ticket system, such as,,, etc., is that each of those vendors actually processes the card for you — the card is submitted via an encrypted, secure https:// form, “run” (card is charged) and then the card number is deleted as soon as the transaction is complete. Everything stays secure from start to finish, as nothing goes over email, and the card number is not stored, so it can’t be hacked into or stolen at some other time. The processor only stores the credit card number long enough to run the transaction, and that’s it. The card is either accepted (ticket sold) or rejected due to it being expired, limit exceeded, etc. In addition to the card processing security, by going with a “real” ticketing vendor, you’ll receive updates to the system that will make it easier and safer for patrons to purchase tickets as time goes on. Credit card processing fees are a cost of doing business, and should just be factored into your planning. Some groups make the consumer pay for the convenience of helping themselves online, which, if you’re trying to make your life easier, isn’t the way to go. Cut it out! Decrease phone calls into your box office by people that could be helping themselves online, and thus staying out of your hair — it’s simple. Make your ticketing fees less expensive when purchased online, and more expensive when people call the box office. The airlines have been doing this for years — book online, no fee. Call an agent, pay $15. It works — it helps automate the system, and that saves you time and money. But to do all of this in a way that protects the security of your patrons, you need a real ticketing system like those mentioned above. There are thousands of ticketing software vendors — too many to research yourself, so contact us, or ask a fellow arts group who they use. Depending on your needs, different vendors offer different advantages and disadvantages. By going with a mainstream vendor, you’ll help ensure safe ticket sales for your arts patrons. -Ron Evans, Like this post? Please share it, tweet it, post it, and generally spread it around to those you think it might help!