Booker Security Policy
Booker Software, Inc. ("Booker", "we", "us" or "our") has created this security policy ("Security Policy") in order to demonstrate our commitment to safeguarding our customers’ data using commercially reasonable and appropriate security controls for such data that we obtain from you on our mobile sites and applications, www.booker.com, api.booker.com, and/or app.secure-booker.com (the "Site") and the services, features, content, or applications we offer (collectively with the Site, the "Booker Service" or "Service").
We reserve the right to change this Security Policy from time to time. Your access and use of the Site and Service is subject to the Security Policy in effect at the time of such access. If we make material changes to our security controls, we will notify you by posting an announcement on the Service or sending you an email; and we will post the most up-to-date version of this Security Policy at www.booker.com/security-policy. Please review this Security Policy frequently to remain informed of Booker’s information security practices. You are bound by any changes to the Security Policy when you use the Service after such changes have been first posted.
We take the confidentiality, integrity and availability of our customers’ data seriously. As part of this effort, we have established a dedicated Information Security team, tasked with all aspects of security: from the physical security of corporate offices and data centers, to the development and operational areas of Information Technology.
Booker Software is a PCI Level 1 service provider and merchant, and must maintain compliance with the PCI DSS standard. Booker Software is listed on the Visa CISP website.
Our information security program is a comprehensive risk management and governance framework designed to assess, educate, protect, detect, and respond to security incidents. It includes controls and procedures from the PCI-DSS standard and other industry standards and best practices.
We conduct automated scans of all our corporate, non-production, and production environments, looking for missing patches and vulnerabilities. We do similar tests on our web applications, including regular penetration testing exercises performed by highly skilled ethical hackers.
We follow alerts issued by various vendors and security groups, especially those related to newly disclosed vulnerabilities, including zero-day vulnerabilities.
We maintain anti-virus, anti-malware, and anti-intrusion controls on all our systems and networks. We review our firewall traffic on an ongoing basis and firewall policies periodically to ensure we only allow legitimate traffic in.
We protect data in transit with strong encryption and selectively use data at rest encryption, tokenization, and data masking.
We use other controls, including but not limited to multi-factor authentication, user lifecycle automation, DDoS protection, web application firewalls, proxy inspection, redundant providers, risk assessments, audits, and contractual provisions.
All security data is analyzed by a dedicated Security Information and Event Management (SIEM) system and the Booker Security Team.
Our hosting providers, Rackspace and Azure, are PCI compliant and have completed the industry-standard SOC 1 and SOC 2 certifications. This includes controls and processes such as multi-factor authentication, role-based access controls (RBAC), highly redundant utilities, and strict change management processes.
More information can be found at:
Recommended Best Practices For You
While Booker meets the PCI requirements of a service provider, you also have your own PCI obligations and other recommended security practices that you are responsible for:
- Maintain a PCI compliance program commensurate with the number of transactions processed.
- Maintain an appropriate level of security (both physical and logical) for all local systems (including but not limited to networks, desktop computers, swipers, tablets, and mobile phones) involved in possible storing, processing, and transmission of credit card data.
- The security program should include, but is not limited to:
  - Installing appropriate anti-virus and anti-malware protection;
  - Enabling web browser auto-updates;
  - Implementing a robust operating system and software patching process;
  - Implementing a good user and password management process, including periodic password changes, deleting user accounts promptly after staff departures, and so forth;
  - Replacing old peripherals and hardware with more modern and secure alternatives:
    - For example, replacing systems with unsupported operating systems;
    - For example, replacing swipers with EMV devices;
  - Using the Booker system as designed; and
  - Notifying Booker immediately (email@example.com) of any suspected compromise or unusual account activity.
- Leverage Booker system security controls, including:
  - Use supported web browsers that meet Booker’s system requirements.
  - Configure web browsers to prevent saving passwords.
  - Create unique user accounts with password change required on next login.
  - Assign users roles with the minimum amount of privileges required for their job.
  - Understand optional and report permissions.
  - Restrict access to customer data if there is no need for a team member to view it.
  - Use the default password rules to force password expiration every 90 days.
  - Use a short session timeout.
  - Use IP lock to restrict where the Booker Site can be accessed from.
  - Review User Login, Override Reasons, and other reports to monitor user activity.
  - Use at least TLSv1.2 when connecting to the internet.
  - If you are subject to EU GDPR, configure and use the recommended features.
How to Contact Booker
If you have questions about Booker’s security, please email us at firstname.lastname@example.org.
Effective Date: This Security Policy is effective as of December 12, 2018.