Security Guide

PCI Compliance and Payment Handling

• Compliant with PCI-DSS 3.2.1 Level 1 as both a Merchant and a Service Provider.
• Registered with both Visa and MasterCard as a PCI-compliant Service Provider.
• Annually audited by a Qualified Security Assessor (BDO USA, LLP).
• Passes internal and external application and network penetration testing performed by Marcum Technology.
• Scanned daily by an Approved Scanning Vendor (ASV), Tenable.io.
• PCI Attestation of Compliance (AOC) and Quarterly Scan Attestation of Compliance are both available upon request.
• Credit Card data is never stored by TicketLeap.
• Where possible, Ticket utilises credit card tokenization for minimising risk related to cardholder data.
• TicketLeap provides organisers with the ability to opt into using EMV with point-to-point encryption (P2PE) for payment processing.

Privacy

• We have a full time staff focused on privacy and security issues.
• We participate in and comply with the EU-U.S. Privacy Shield Framework. You can find out more about our commitment to the EU-U.S. Privacy Shield Framework in our EU-US Privacy Shield Notice.
• TicketLeap processes user personal data in accordance with GDPR's data protection principles and has appointed a Data Protection Officer to oversee our GDPR compliance.
• You can find our privacy policy at: https://www.ticketleap.au/legal/privacy-policy/.

Hosting Environment

• TicketLeap uses carrier grade data centres that meet the following certifications:
  • PCI-DSS Level 1 Service Provider
  • SOC 1 Type II and SOC 2 Type II
  • ISO 27001

Software Development

• All TicketLeap software engineers receive software security training that covers security best practices including OWASP Top Ten as well as Mobile Security best practices.
• TicketLeap uses static code analysis tools to analyse code for security vulnerabilities.
• All TicketLeap source code is developed in accordance with a standard SDLC process that includes:
  • A software and security code review before being shipped to production.
  • Running through a continuous integration test suite.
  • Manual QA testing.

Encryption

• All web traffic is encrypted by TLS 1.2 or greater.
• TicketLeap follows NIST recommendations for hashing, symmetric and asymmetric encryption.

Organisation

• All staff regularly receive security training by trained professionals and must pass security quizzes testing their security awareness.
• All staff regularly receive simulated phishing tests.
• All staff must sign off on security and acceptable use policies and procedures.
• All staff are subject to detailed background checks.

Security Vulnerability Responsible Disclosure

• TicketLeap encourages the responsible disclosure of security vulnerabilities by offering a reward program for security researchers. The terms of this program are defined in the Leap Event Technology Security Vulnerability Program.