Is Ticketmaster’s paperless ticket PCI compliant?
I recently purchased tickets to a concert event with Ticketmaster’s paperless ticket process. It was not my preferred method, but tickets were hard to get and for this event it was the only option. The purchase application instructed me to ‘go to the gate and present picture ID and credit card’ for admission. Nonetheless, I still felt compelled to go to the will call window and collect my tickets. To my surprise, I was instructed to go to the security entrance, the gate, and all would be well. When I approached the gate, I asked ‘how does this work with a paperless ticket?’ and the gate attendant asked for my credit card. I handed him my credit card and expected to have to show picture ID. The attendant swiped my credit card through a roughly 6′ x 8′ device he was wearing over his shoulder, and printed two tickets. He asked if everyone in my party was present, which we were, and he handed me the tickets he had just printed.
Aside from my apprehension at approaching a concert venue without a ticket, or even a receipt of purchase for a ticket, or an e-ticket on my cellphone, the experience was quick and easy. Ticketmaster has taken criticism of this process for the lack of a ticket holder’s ability to transfer their tickets, essentially creating a ticket license that excludes StubHub and others from participating. But I couldn’t help but ask ‘How is this PCI compliant?’
Obviously my credit card Primary Account Number (PAN) was used to identify my ticket transaction and complete the purchase. PCI DSS applies whenever the PAN is stored, processed or transmitted. Of course Ticketmaster crossed that Rubicon long before, with the initial purchase and online account creation. I am confident that Ticketmaster has policies and procedures in place to meet the PCI DSS standard. But as we know, neither this nor certification ensures compliance in all instances.
My concern is that extending the use of the PAN for purposes of authentication at venues is a huge increase in risk exposure, as well as the scope of assessment. Granted, Ticketmaster has offices at the venues where paperless tickets are used and is likely in control of the hardware assets being used. But these are usually contractual arrangements with the venue. Further, venue managers often contract with other entities for security and other staffing needs during special events. Ensuring compliance through these contract relationships is much more difficult.
Certainly this process can be PCI DSS compliant with the proper application of encryption and policy enforcement. But as an IT security professional, I would prefer to minimize risk and avoid the use of the PAN where possible.
As a concert attendee, I would much prefer a ticket in hand. Perhaps I am waxing nostalgic as I recall the concert tickets of old that featured album art, artist photographs, reflective ink, and theater-specific attributes that made them appeal to me enough to consider them collectors’ items.
What do you think? Is the convenience of a paperless ticket worth it?