BASS Online, is Australia's first online event ticket sales service, in production since March 97. Since then, over $300,000 dollars worth of tickets have been sold, and several hundred emails have been sent to the BASS Online feedback address. This short paper will examine the positives and negatives of that experience to date, and relate them to national policy issues such as those being addressed by the National Office of the Information Economy in the areas of authentication, security and privacy.
Tickets are sold via counter sales through a network of agencies, over the phone, by mail and fax and, since March 1997, over the Internet. Every transaction is processed on a central server running ticketing software supplied and supported by an international software house based in Sydney.
The second driver was to experiment with electronic commerce in providing people with an easy to use, safe, service that would enable them to purchase tickets without the need for manual intervention. BASS Online has now repaid the original investment. Given current on-going and maintenance costs, it is the lowest cost per ticket sales channel that BASS is operating.
The development of BASS Online was financed with seed funding from the SA Government as part of its effort to foster the develop of online services and electronic commerce. All the development work was done in-house at the Adelaide Festival Centre, with the exception of enhancements to the ticketing software which is used by BASS. These enhancements enabled the development of Web server scripts which would interact with the backend system. On average there are about 200 events on sale, each event having a range of dates and prices. This adds up to a large amount of constantly changing information. One of the major features of the system is that the all the information pages on the Web server are up-dated every three hours with no manual intervention.
The key to developing a system that is now inexpensive to maintain was to ensure that it was tightly integrated with the existing ticketing software. In addition to the obvious advantage of having to maintain only one inventory system, a major spin-off is that BASS is able to use the same credit card authorisation process that it uses for telephone and mail sales. This ensures that invalid credit card numbers cannot be used, and transactions using card numbers that have been reported as lost or stolen are also denied.
BASS is fortunate in that there is a lot of print and TV advertising by its clients for their shows which tell people how they can buy tickets. More and more of them are including the Web address. This especially applies to events promoted by the Adelaide Festival Centre where its marketing department ensures that the URL is included in all advertisements. This has the effect of driving a steady stream of new customers to the Web site. The number of people who are using the service to get information about events, dates, times, prices etc., is steadily increasing. The increase in Internet sales is more gradual, but significant. At the end of December 1997, after 10 months in operation, the ratio of Internet sales to telephone sales was 1.7%. So far this year the ratio is almost 3%, with average ticket sales per month up 37% from 420 tickets to 575. The proportion of tickets sold via BASS Online fluctuates, with the ratio in May 98 going down to 1.8%, while the August rate was almost 4%. It appears that when there is a high proportion of events on sale that are targeted to a younger audience, e.g. rock music shows, the proportion of tickets sold via the Internet increases.
I am concerned about the promotion of complex systems which insist on customer authentication. The most prominent of these of course is SET (Secure Electronic Transactions), promoted by Visa, MasterCard and various partners. See Visa's Web site (Visa International 1998).
My concern is that SET will add complexity to what is, for a lot of customers, already a complex process (that is logging onto the Internet, finding the Web site etc.) and will do nothing to improve the response times of the systems involved. Merchants like us with a background of experience in phone and mail orders are prepared to keep on taking the same risks with Internet purchases for the sake of providing customers with an easy-to-use quick service. SET will not be easily integrated into back-end inventory control systems or existing credit card authorisation services used to verify transactions in the traditional sales channels, which is a major disadvantage for merchants wishing to use one system for their various sales channels.
A much simpler and cheaper development than SET is the Visa Net Address Verification System that operates in the United States and probably in other continents. This service allows the merchant to verify that there are not major discrepancies between the shipping address supplied by the customer and the address held by the bank as that of the owner of the card. It is commonly used by mail order, phone and Internet retailers in the States. A similar service in Australia would go a long way to giving Australian merchants some assurance that the goods that had been ordered from them over the Internet are not about to be shipped to a defrauder instead of the address of the owner of the card.
At one stage late last year BASS had a run of attempts using valid credit card numbers by people who did not own the cards involved to buy a series of tickets to a number of events. By monitoring the names, telephone numbers and e-mail addresses of the people involved, the business had no loss because it simply didn’t ship the tickets to them. My concern was that the state police did not receive, in time, co-operation from the Internet service provider involved. If this co-operation had been forthcoming, and the police were able to work with that provider, I have no doubt that the culprits would have been caught and charged. So maybe there’s a need to look at the legislation controlling the whole area of fraud prevention and detection, especially as it relates to those people who have information which could lead to arrests having some onus placed upon them to co-operate with the law-enforcement agencies.
Of course security and privacy are real issues. As I said above, I yet to be convinced that SET as it is currently being promoted is an appropriate answer to these concerns from either a merchant or a customer’s point of view. The existing and widely used SSL technology, with digital certificates issued by third parties to merchants, do allow customers to identify the merchant with whom they are dealing. The problems here relate to public awareness. An Australian national authentication authority, as proposed in a recent National Office of the Information Economy discussion paper, (NOIE 1998) combined with an effective public awareness campaign about Internet security technologies, could well go a long way to providing consumers with the assurance that we know they need.
Consumer confidence in the security of their financial transactions is of course related to the issue of privacy and how data supplied by consumers is used by businesses. The tendency in the debates about electronic commerce, however, have been to concentrate on the transmission data by customers over the public Internet to the merchant. There is obvious reason for this of course, this the Internet, its new and scary and used by people who do some not-so-nice things.
But there is a need to focus some scrutiny on what happens to the data once its received by the merchant. The Federal Government is currently considering privacy guidelines which would encourage business to adhere to certain standards about how they store information and how they use information about their customers (Privacy Commissioner, 1998), but the question of how compliance to guidelines can be verified also needs to be addressed.
With BASS Online stringent efforts have been made to ensure that there can be no unauthorised access to information held about its customers, and it keeps to fairly strict guide-lines about how it uses that information. But it has no way of proving this to its customers. Perhaps the Government could be instrumental in developing systems by which merchants such as BASS could be accorded a quality label in relation to its security and privacy provisions. This could be by way of a third party, endorsed by a national authority, as being qualified to issued certificates of conformance to appropriate security and privacy standards.
Privacy Commissioner (1998) "National Principles for the Fair Handling of Personal Information", Office of the Privacy Commissioner, Australia, February 1998: http://www.hreoc.gov.au/privacy/natprinc.htm
www.consult pty limited (1998) "Australian Internet and Electronic Commerce Market Overview", Australia, ? 1998, a report issued to participants in a survey of Australian enterprises. Similar figures were included in a July 98 press release; http://www.consult.com.au/online5.shtml
Visa International (1998), "SET: The Key to Safe Shopping", http://www.visa.com/cgi-bin/vee/nt/ecomm/security/set.html?2+0