The Santa Fe Opera is considering the pros and cons of tokenization, and we would like to know if your organization has tokenized its credit cards. If so, I would appreciate your sharing any challenges you encountered during this process with respect to the Credit Card Tokenization and Deletion Utility report and subsequent processing in Tessitura.
Thank you.
Mary Neff
Tokenization has been great. Honestly, I don't think we could handle the PCI ramifications of not having it anymore.
Now, P2PE (peer-to-peer encryption) is a different matter. Also critical to our PCI objectives, but there are some very, very significant negatives.
If you give people access to non-P2PE card payment methods, then they will always be able to enter cards directly into the system, breaking the PCI concept of only being able to enter them using the P2PE devices. If you don't give them access to non-P2PE card payment methods then they will be unable to process new transactions or any refunds (even by reference!) that were not made with exactly that P2PE cart payment method. Your web transactions will not be with a P2PE payment method by definition. I don't know about you, but that's 60+% of our transactions, which means that show cancellations (we have a minimum of one big one a year) are a double nightmare. This is not a problem with non-P2PE card methods (our box office never had access to the web card payment methods), so I don't know why this has to be like this.
If you give people any access to the card tab in the Transactions tab on the constituent record, then they will be able to enter cards directly into the system. There is no P2PE option for this tab, unlike orders or contribution entry. If you don't have access to this feature you will not be able to update cards for other things, such as name or expiration date. This should be less of an issue now (i.e. v15), but initially it was a big problem as we were not getting names or correct expiration dates back from tokenization, and then Tessitura was short-circuiting charge attempts because it was detecting that the apparent expiration date was expired. You still can't proactively update with new expiration dates, however.
We're now fumbling (slowly, painfully) into Hosted Payments for TNEW. Configuration has, so far, been a huge pain, and I still don't really understand what is going on. Our tests, however, haven't raised any major issues, but we are getting a weird thing where the card number segments coming back are screwed up. We get the first six (who even wants that?), but the first two numbers of the last four (which everyone uses) are being masked out. I have an open ticket with Tessitura, but no resolution yet.
I'm remembering on issue with Tokenization. If I remember correctly, we were originally on Vantiv, I mean Worldpay, and it was going to be very expensive. You have to be a little careful: most of these companies are designed to support a coffee shop or the like, so they'll say, "Oh, save money by only keeping card numbers for two weeks!". Vantiv may have even had a fairly severe cutoff for maximum time. I mean Worldpay. We moved to Payment Express, I mean Windcave, I think in part because they were less expensive. But also we have a business model (and many Fine Arts organizations might) where we may need to keep a card for 18 months in order to potentially run a refund (that's how far in advance we might sell a ticket under the right circumstances). So that's something you'll have to figure out for your organization, and be on top of when configuring your tokenization setup, even with Payment Express. I mean Windcave.
Gawain Lavers said:even with Payment Express. I mean Windcave.
"Payment Express becomes Windcave. Our new name and logo are elegant and distinct, and will stand out proudly as we expand on the global stage." :-D
I got a good laugh out of this due to the "Vantiv, I mean Worldpay" asides. Definitely lived that whole switch over and it was not exactly funtimes.