Eventbrite Security & Safety Guide


PCI Compliant

Eventbrite complies with PCI-DSS 2.0 Level 1 as both a Merchant and a Service Provider.

  • Registered with both Visa and MasterCard as a PCI-compliant Service Provider.
  • Regularly audited by a Qualified Security Assessor (Coalfire, Inc.).
  • Passes internal and external application and network penetration testing performed by independent security firms.
  • Scanned daily by an Approved Scanning Vendor (ASV).
  • PCI Attestation of Compliance (AOC) and Quarterly Scan Attestation of Compliance are both available upon request.
  • Eventbrite employs a cross-functional team responsible for oversight of PCI Compliance.

Privacy

Eventbrite maintains a comprehensive privacy programme. To us, this means that although we are required by law or regulation to do certain things, we are continually evaluating whether we can and should do more.

  • We do not sell the personal information of our customers to third parties.
  • We have a full-time legal and security team focused on privacy and security issues.
  • We voluntarily participate in the US-EU and US-Swiss Safe Harbour frameworks that require us to treat EU personal data with a higher standard than that required under US law.
  • You can find our privacy policy at: eventbrite.co.uk/privacypolicy.

Hosting Environment

Amazon EC2 hosts Eventbrite's production systems.


Web and Mobile Application Development

Eventbrite is committed to designing, building and maintaining secure systems.

  • All applications are regularly scanned for common security vulnerabilities including the OWASP Top Ten.
  • Regular training on Secure Coding Practices is provided. All engineers must attend training sessions.
  • No credit card information is permitted to be stored on any mobile device.
  • Use of encryption for both storage and transmission of sensitive information is regularly audited by the Eventbrite Security Team.
  • All web and mobile applications are primarily developed, tested, deployed, and maintained by a full-time, in-house engineering team.

Encryption

Eventbrite uses strong encryption methods and key management procedures to ensure your sensitive information is protected.

  • All credit card information is encrypted with strong industry-standard cryptographic protocols such as AES and SSL while in transit through our systems.
  • Eventbrite's website and APIs are accessible via a 256-bit SSL certificate issued by Digicert.
  • Credit card information is never stored after transaction authorisation.
  • Access to encryption keys is held by the smallest number of Eventbrite employees possible.

Our Organisation

Eventbrite has taken appropriate measures to vet our employees.

  • All employees are subject to reference, education and other personnel checks. Certain employees are also subject to detailed background checks.
  • Eventbrite maintains an information security training programme that meets PCI-DSS standards and complies with the Massachusetts Privacy Law (201 CMR 17).
  • Knowledgeable full-time security personnel are on staff.
  • We require written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.

Incident Response

While we don't anticipate there ever being a breach of our systems, we know that no computer system is perfectly secure.

  • In the event of a breach of an Eventbrite information system, we have a detailed Incident Response plan in place.
  • The response plan is tested periodically.
  • Eventbrite has 24x7 monitoring of its security systems and alerts.

Research and Disclosure

If you discover a vulnerability with Eventbrite's information systems, report it to us first!

  • Report details to security@eventbrite.com.
  • Include full details and steps to reproduce.
  • Do not attempt to harm Eventbrite, its users, or customers' data.
  • Allow reasonable time for Eventbrite to resolve the issue before publishing findings publicly.
  • Recognition is given by listing on the Eventbrite Security Wall of Fame.
  • If you wish to encrypt your email, use Eventbrite Security's GPG Key:
  • Key ID: 351AC626
  • Key Type: RSA
  • Key Size: 4096
  • Fingerprint: 1809 8001 2CFF E338 E92D 8723 9CA7 08B5 351A C626
  • Email: security@eventbrite.com
