Booker Security Policy
Booker Software, Inc. (“Booker”, “we”, “us” or “our”) has created this security policy (“Security Policy”) in order to demonstrate our commitment to safeguarding our customers’ data using commercially reasonable and appropriate security controls for such data that we obtain from you on www.booker.com, our mobile sites and applications, and/or on app.secure-booker.com (the “Site”) and the services, features, content or applications we offer (collectively with the Site, the “Booker Service” or “Service”).
We reserve the right to change this Security Policy from time to time. Your access to and use of the Site and Service are subject to the Security Policy in effect at the time of such access. If we make material changes to our security controls, we will notify you by posting an announcement on the Service or sending you an email, and we will post the most up-to-date version of this Security Policy at www.booker.com/security-policy. Please review this Security Policy frequently to remain informed of Booker’s information security practices. You are bound by any changes to the Security Policy when you use the Service after such changes have first been posted.
We take the confidentiality, integrity and availability of our customers’ data seriously. As part of this effort, we have established a dedicated Information Security team, tasked with all aspects of security: from the physical security of corporate offices and data centers, to the development and operational areas of Information Technology.
Booker Software is a PCI Level 1 service provider and merchant, and must maintain compliance with the PCI DSS standard.
Our information security program, built mainly around industry-standard PCI compliance, is a comprehensive governance framework designed to educate, protect, detect and respond to security incidents.
We conduct automated scans of all our corporate, non-production and production environments, looking for missing patches and vulnerabilities. We do similar tests on our web applications, including penetration testing exercises performed by highly skilled ethical hackers, as well as code scanning.
We also implement anti-virus and anti-malware protection on all our devices. We review our firewall policies periodically to ensure we only allow legitimate traffic in.
We protect PCI data at rest and in transit with strong encryption, following best practices and applying all relevant fixes when zero-day issues are detected.
Booker employs various intrusion detection technologies at the network and system level. These are designed to alert us to possible malicious activities or malware infections targeting our networks and systems.
We also monitor alerts issued by vendors and security groups, especially those concerning newly discovered vulnerabilities, also called zero-day vulnerabilities.
All access to our production data center requires two-factor authentication.
Our hosting provider, Rackspace, is PCI compliant and has completed the industry standard SOC 1 and SOC 2 certifications. This means their security processes are compliant with very strict criteria for service organizations.
Recommended Best Practices For You
While Booker meets the PCI requirements of a service provider, you also have your own PCI obligations and other recommended practices that you are responsible for, specifically:
- Maintain a PCI compliance program commensurate with the number of transactions processed.
- Maintain an appropriate level of security (both physical and logical) for all local systems (including but not limited to networks, desktop computers, swipers, tablets, and mobile phones) that may store, process or transmit credit card data.
- The security program should include, but is not limited to:
  - Installing appropriate anti-virus and anti-malware protection;
  - Implementing a robust software patching process;
  - Implementing a good user and password management process, including periodic password changes, deleting user accounts promptly after staff departures, and so forth;
  - Using the Booker system as designed; and
  - Notifying Booker immediately (email@example.com) of any suspected compromise or unusual account activity.
How to Contact Booker
Questions regarding this Security Policy or the security-related practices of the Site should be directed by sending an email to firstname.lastname@example.org.
Effective Date: This Security Policy is effective as of February 16, 2016.