Trainline Security Overview

The protection and privacy of your data is our top priority, so we’ve developed this overview to explain the steps we take to keep you secure.

We’ve maintained Level 1 PCI DSS accreditation, both as a merchant and as a service provider, since 2013. We’ve also been Cyber Essentials certified since 2017, and in 2018 successfully completed Crown Commercial Services’ comprehensive security accreditation process – allowing us to provide services to the UK government and other public-sector institutions.

Confidentiality

We use a 'defence in depth' approach to security. That means your data is constantly protected by complex layers of physical, technical and administrative security controls.

When you visit our website or use our app, we use advanced encryption to protect the transmission and storage of data between your devices and our servers.

Integrity

We protect our systems and your data within industry-leading, accredited data centres, operated by Amazon Web Services (AWS), which are located in the European Economic Area (EEA).

AWS’ data centres have round-the-clock physical security and strict controls for logical and physical access.

Thanks to strict access controls, system logging and monitoring, your data can’t be accessed or modified by anyone except you, or strictly authorised Trainline personnel and suppliers, who need access to provide you with the service (e.g. Customer Relations).

Availability

Our systems are mirrored across multiple sites (AWS availability zones), each of which has its own backup power supplies and networks. This means that in the event of a natural disaster or system failure, our systems can remain fully functional.

We continually log and monitor users and systems to identify potential security issues, or any trace of unauthorised activity. Our operations and Incident Management team are on call around the clock. We provide a commitment to our customers that our services will achieve at least 99.9% operational uptime.

Data privacy by design

We’ve designed our services from the ground up, to protect your privacy at all times. We’re strong advocates of the GDPR and believe that the transparency it delivers around the management and use of personal data is great for our customers, partners and our staff.

We’ll never sell any of the personal data you give us and we’ll only collect your data where it’s needed. We’ll only access your data on a need-to-know basis and only store it for as long as we really need it.

For more info on our approach to data privacy, please read our Privacy Policy.

Our security controls

Our dedicated Information Security team oversee our business operations. They appropriately and consistently apply data privacy and security control procedures at all times.

We security-screen all staff (including temporary workers and contractors) in line with UK government BPSS standards. We apply enhanced screening for staff operating in roles where they may need access to sensitive data.

All staff at Trainline undergo regular security and privacy training. We make sure every member of our team understands and embraces our controls and responsibilities at all times. In addition, we give some teams additional security or privacy training, to enhance their skills and understanding (e.g. annual secure code development training).

Our Supplier Security team are responsible for assessing, managing and monitoring risks in our supply chain. All suppliers are subject to detailed compliance screening, and risk-based security and data-privacy obligations are included within our supplier contracts.

  • We protect our apps and websites against increasingly sophisticated attacks by using an advanced Web Application Firewall (WAF), Distributed Denial of Service (DDoS) protection, and bot-management solutions.
  • Our 24/7 Security Operations Centre (SOC) continually monitor our service to identify potential security issues, or any trace of unauthorised activity.
  • We protect our systems with anti-virus and anti-malware solutions, which identify and block potential malicious attacks.
  • We rely on intrusion detection/prevention systems, supported by an array of alerting solutions to help us to uncover and manage any unusual activity on our network.

All our production systems, services, websites and applications are subject to independent external penetration testing at least annually. Any findings go through a formal risk-based process to resolve them. We also do regular internal and external vulnerability scans of our systems, as part of our PCI-DSS Level 1 compliance programme.

We have a formal software security programme, based on the ‘Building Security in Maturity Model’ (BSIMM) framework - ensuring security is embedded in our software development lifecycle from initial idea right through to delivery.

Our developers follow formal secure coding practices and take specialist security training on an annual basis. All of our code is also subject to static and dynamic testing to identify potential weaknesses and fix them before it is rolled out to our production systems.

Keeping yourself safe online

Your Trainline password

It’s important to have a secure password on your account, to help stop possible fraudsters from using your details.

  • Avoid using the same username and password for other online accounts
  • Use a password manager application, if possible (e.g. Keychain)
  • Don’t share your password with anyone
  • Use pass phrases or sentences with mixes of uppercase, lowercase, numbers and symbols
  • Avoid using simple passwords like your name, the word ‘password’, your date of birth or pet’s name
Reporting suspected security issues

We don’t currently offer payment for reporting vulnerabilities.

If you believe you’ve identified a security vulnerability in one of our websites or apps, we thank you for reporting it as quickly as possible. We’ll work with security researchers to investigate and fix any valid reports.

Please send reports to security-external@thetrainline.com