[BreachExchange] 6 Ways Event Planners Can Manage Payment Security Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 9 15:10:07 EDT 2016


http://www.bizbash.com/6-ways-event-planners-can-manage-payment-security-breaches/new-york/story/32769#.V9MBxpMoSV4

From August 31 to September 2, three hospitality companies—Kimpton Hotels &
Restaurants, Noble House Hotels & Resorts, and Hutton Hotel—announced major
security breaches that resulted in unauthorized charges made at several of
the companies' locations nationwide. The companies, which blamed the
security breach on rogue malware installed on their systems, issued
apologies and posted information on their respective websites about the
affected locations and dates.

Here are some tips on how event planners can deal with security issues
before and after a breach.

1. Alert clients immediately.
Even if a client did not do business with the affected company in the time
frame when the security breach occurred, event planners should alert them
about the issue—in writing. Planners should include information on how the
supplier is addressing the problem and remind clients about who has
liability. “There needs to be a clear, written understanding of whose
liability a potential breach in transaction security [is],” says the
Unthinkable founder Timo Kiuru, an event marketer and creative consultant
who has worked with brands such as Samsung, MTV, Nokia, McLaren,
Cosmopolitan, the Huffington Post, and SK-II.

2. Have clauses in contracts that give legal protection.
Legal protection is essential, especially if the event planner was not
involved with transactions handled by other event partners. “If a client
gives me their credit card, [the contract] should outline what their
expectations are going to be,” says Will Milligan, founder of Will Milligan
Events, which specializes in corporate event planning and political
fund-raisers. Milligan adds that having clear contract guidelines about
which event partner is responsible for which financial transaction is “a
nice insurance policy” that can prevent any confusion or liability if a
security breach occurs.

3. Find out the security policies of potential event partners.
Before contracting with suppliers such as hotels and restaurants, planners
should research their policy for security breaches that involve payments,
accounts, or other sensitive client information. Kiuru advises, “Ask them
what kind of security protocols and protection methods they use to secure
the transactions, how are they prepared and protected against any malware
being installed to their payment systems, and what would happen if there
was a breach in transaction security. If the venue is not willing or able
to give you a convincing answer, then it’s probably better to consider
another venue.”

4. Have clients give account information directly to other event partners
that are handling specific duties.
When possible, event planners can opt to have a client give payment
information directly to suppliers such as caterers or venues, which limits
liability for the event planner in case the account information is
compromised.

5. Consider alternative payment options.
PayPal and Samsung Pay are two examples of electronic payment services that
do not require users to submit a bank card or credit card for each
transaction. “Electronic payments are the transaction method of the
future,” says Kiuru. “We have too much faith on the security of a piece of
plastic with a magnetic stripe. Electronic payments are more encrypted, and
thus more difficult to copy than a piece of plastic.”

Milligan suggests another option: “So many hotels send you a link to your
B.E.O. [banquet event order], so why not send a link to your credit card,
instead of using a traditional credit-card authorization form?”

6. Learn what hacked companies did to resolve the problem.
Milligan says that the recent rash of hotel hacking has not turned him off
from doing business with the affected companies. “I don’t think it would
preclude me from wanting to work with them,” he says. “I’ve worked with
Kimpton, and I still think they’re a great brand. As long as they showed to
me that they’ll do things a little differently.”

Kiuru adds, “I would ask for a very in-depth analysis of what led to the
security breach, what has been done to make sure it would not happen again,
and how the venue took responsibility of what happened. I would ask them to
give me all the possible information I would need to convince first myself,
then my team, and eventually my client that this venue is in all ways a
safe facility to organize a successful event.”