Q&A with our Security Team

After hearing all those scary stories about identity theft and credit card theft, it’s no surprise that we’ve become nervous about sharing our information online. At Eventbrite, we take privacy and security seriously. How, you ask?

I recently caught up with Paul, our Head of Security, to answer some of the top questions customers ask our customer service team. If you have other questions about how Eventbrite protects your information, check out our Security and Safety Guide.

Q: Is Eventbrite’s site secure?
A: “Secure” is a relative term, and as everyone knows, nothing can be 100% secure. What we can say is that we take the security and privacy of our customers’ data seriously and employ multiple layers of protections to help prevent your data from falling into the wrong hands.

Eventbrite has an active security program that covers all business functions from engineering to customer service.  We are scanned and monitored for common web application vulnerabilities by external companies that specialize in web application and network security.

Q: What happens with my credit card once I enter it on the checkout page? Is it safe?
A: Credit card data is very sensitive. We appreciate that many of our event organizers and attendees are concerned with the security of their credit card information.

Eventbrite uses strong, industry-standard encryption to ensure your credit card details are not seen by anyone except Eventbrite while you are proceeding through the ticket purchase process. Once Eventbrite has your credit card information, we securely transmit this data to our credit card processing gateway on your behalf. When we receive a response from the gateway, Eventbrite completes the transaction and discards your credit card information.

Remember, Eventbrite views credit card information as the information entered under “Credit Card” on the checkout page.  So the above security measures apply only to this area.  If you are an event organizer, you should never ask for attendee credit card information other than in this place.  If you are an Eventbrite attendee, you should never provide your credit card information to anyone on the Eventbrite site except on this page.  

Q: But don’t you store my credit card number so I can use it again for future purposes?  That would be convenient.

A: Eventbrite never permanently stores your credit card number after it has been authorized.

While Eventbrite has a “wallet” feature that allows you to easily use credit cards that you have previously used on the Eventbrite site to simplify the checkout process, the credit card number is stored by Cybersource (A Visa Company) and not by Eventbrite. When you want to purchase a ticket with the credit card associated with the “wallet” feature, Eventbrite uses a token (a series of numbers) that represents your credit card number, but which is not your credit card number and cannot be used anywhere off Eventbrite’s site to make purchases.  Eventbrite uses this token to complete the transaction you authorized.

Q: What documentation can you provide me to prove Eventbrite’s security with credit cards and data?
A:  In 2006, a consortium of the major credit card brands established a council whose mission, in part, is to establish security guidelines for companies processing, transmitting, or storing credit card data. These guidelines come in the form of the Payment Card Industry Data Security Standard (PCI-DSS).

Proof that company systems are PCI-DSS compliant is shown through a document called an Attestation of Compliance (AOC). This document is provided by an independent, 3rd party auditing firm that specializes in performing security audits and is approved by the PCI Council as a Qualified Security Assessor (QSA).

Eventbrite is happy to provide the Attestation of Compliance (AOC) from our auditor to customers at any time. Your Account Representative or our Customer Support team will be happy to help you get that process started.

Q: What does Eventbrite do with the attendee’s information?
A: We store attendee information in our databases and use that information only for the reasons set out in our Privacy Policy. For more details, please see our Privacy Policy. Eventbrite never sells your personal information to 3rd parties.

Q: As a US-based company, what security and privacy measures do you have in place for your international users?
A: All data, including that from all of our international domains, is stored on servers in the US. Through the magic of computers, all Eventbrite domains, including non-.com domains, run on the same set of servers here in our data centers in the US.

We take the same security measures to protect both international user data and US user data to the same extent.

Different parts of the world have varying laws and regulations governing how companies can handle users’ personal information. As Eventbrite is a US company and all user data is stored in the US, users are under US jurisdiction as outlined in our Privacy Policy. Eventbrite does participate in the US-EU and US-Swiss Safe Harbor Program, which the EU and Swiss data protection authorities have found to provide adequate safeguards of privacy.