How Does Keep Your Information Secure?

At, we know how important the security of your personal and organizational information is to you. That’s why we’ve developed a comprehensive, constantly improving system designed to protect our travelers and their information. follows standards-based practices to protect sensitive data throughout the booking, travel and expensing process. To do this, we operate on the principle of “by design,” where security is built in from the beginning of our initiatives, designed to keep the safety of your information constantly at the forefront. Most importantly, we will only take your information when we need it and we will only pass it on when necessary.

We are proud of our many security measures, but we’re not stopping there, and you shouldn’t want us to

For those who want to read the nitty-gritty of how we operate, please reference the overview of our security policy and protocols. And, of course, as with anything about, we are happy to speak through any of this in person, just let us know. Information Security Overview


The following is a brief summary of’s practices relating to information security. is constantly reviewing and updating its practices, and as such,’s practices remain subject to change. 

Section 1: Install and maintain a firewall configuration to protect cardholder data maintains firewalls to help control computer traffic allowed between’s networks (internal) and untrusted networks (external), as well as traffic into and out of certain areas within’s internal trusted networks. Firewalls examine all network traffic and block those transmissions that do not meet the specified security criteria. maintains policies addressing the control, implementation, maintenance and replacement of the active firewalls at These policies are designed to ensure that connections between untrusted networks and system components are restricted for all sensitive data holding. 

Section 2: Do Not Use Vendor Supplied Defaults for System Password and other Security Parameters

Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems.’s process for on-boarding vendors includes changing vendor-supplied defaults for system passwords and other security parameters before systems are installed in the secure network environment (cardholder data network).

Section 2.1: System Configuration and Hardening Standards requires documented standards to be developed that address all system components and address known security vulnerabilities for systems used in the cardholder data network. 

Section 2.2: Use Secure Protocols for Non-Console Access

  • Industry standard encryption must be used for any non-console or web-based management interface used for administration of systems or system components.  

Section 2.3: Shared Hosting Providers

  • Shared hosting providers are contractually required to protect each entity’s hosted environment and cardholder data. 

Section 3: Protect Stored Data

Protection methods such as encryption, truncation, masking, and hashing are critical components of’s sensitive data protection. This sensitive data includes credit cards, known traveler numbers (KTN), password Numbers and redress numbers.  If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the encrypted sensitive data is unreadable and unusable to that person.

Section 3.1: Retention and Disposal Policies of Sensitive Data

  • maintains active policies and offers annual security training on acceptable retention and disposal policies. Within these policies are the encryption requirements for any sensitive data. will only ask for information, especially sensitive information, when it is required for to 

Section 3.2: Mask Sensitive Data in Displays Wherever Possible 

  • Credit card data and other sensitive data will be masked in displays wherever possible. 

Section 3.3: Cryptographic Key Management Policies

  • maintains a Data Encryption and Key Management Policy which includes details for processes and procedures for encryption key management. All employees working with this data are security trained and are required to sign to acknowledge their responsibilities at least once a year.

Section 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks has policies requiring security protocols be used when sensitive information is transmitted across open, public networks. The policies contain specific encryption standards as well as data transmission protocol for the protection of sensitive data.

Section 5: Protect All Systems against Malware and Regularly Update Anti-Virus Software or Programs uses anti-virus software on certain devices or systems that might be affected by malicious software. These programs run actively at all times and are regularly updated.

Section 6: Develop and Maintain Secure Systems and Applications is committed to developing and maintaining secure systems and applications. 

Section 6.1: Vulnerability risk ranking process

  • maintains an intrusion detection system which scans our cloud based environment for potential threats or abnormalities. In addition, uses external vulnerability and penetration management vendors to periodically scan the environment. Maintained policies outline exactly how any risk factors identified will be managed in accordance with their severity.

Section 6.2: Regularly update systems and software

  • is committed to updating necessary patches in timely fashion.

Section 6.3: Secure Software Development 

  • Software Development Life Cycle Process contains policies designed to ensure software is developed and tested in a secure manner. This process includes change control procedures and a required separation of duties for any sensitive data handling.

Section 7: Restrict Data Access by Business Need to Know monitors system and application usage internally, assigning rights and permissions on the basis of business need to know. Dependent on the type of data being held, the system will be subject to periodic reviews at an appropriate frequency.

Section 8: Identify and Authenticate Access to System Components requires unique IDs for any sensitive data access, which are assigned, modified and removed through a New Hire/Role Change/Termination process. 

Section 8.1: User Authentication Methods

  • uses common industry methods to verify user identity before modifying any authentication credential (for example, performing password resets, provisioning new tokens, or generating new keys.) 
  • Passwords or phrases must meet the following: (Addresses PCI DSS Requirement 8.2.3)
    • Require a minimum length of at least seven characters
    • Contain both numeric and alphabetic characters
  • Users are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/phrases they have used.  
  • All first time use and reset passwords are set to a unique value for each user and require immediate change after first use.

Section 8.2: Two-factor Authentication

  • In addition to assigning a unique user ID, requires that access to systems holding sensitive data have a multi-factor authentication overlay in place requiring the use of at least one of the following: 
    • Something you know, such as a password or passphrase 
    • Something you have, such as a token device or smart card
    • Something you are, such as a biometric information

Section 8.3: Other Authentication Mechanisms

  • Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: (Addresses PCI DSS Requirement 8.6)
    • Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
    • Physical or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.

Section 9: Restrict Physical Access to Cardholder Data has a documented policy regarding physical access to sensitive data. holds all sensitive data within an AWS hosted environment, negating any need for physical access by any employee or affiliate.

Section 10: Track and Monitor Access to Network Resources and Cardholder Data

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs. monitors and logs access to sensitive data based on identified parameters designed to identify the user and nature of the access. 

Access to the logs is limited, and the logs are retained in accordance with business and legal requirements.

Section 11: Maintain a Security Policy that Addresses Information Security for All Personnel

A strong security policy sets the security tone for and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it, which is addressed in the Lola “Written Information Security Policy”.

Section 11.1: Security Awareness Program

  • uses a combination of internal training and third-party sourced materials, as per it’s internal Information Security Policy, to help ensure all employees are aware of best practices in data handling. This training varies by role and may include OWASP security training and require signed acceptance of the responsibilities of safe data handling at

Section 11.2: Background Checks

  • Employees with job roles requiring access to sensitive data receive background checks, to the extent permissible under the law. 

Section 11.3: Policies for Sharing Data with Service Providers

  • requires due diligence when engaging with any new service provider. has a documented approval process led by the Legal and Compliance teams which is required for any new third party vendors, with additional levels of scrutiny for those that may handle any sensitive data.

Section 11.4: Incident Response Plan Policies 

  • is committed to the safe handling of all data but in case of incident, maintains an Incident Response Plan containing incident revaluation, documentation, remediation, and notification guidelines.