Trainline Security Overview

The protection and privacy of your data is our top priority, so we’ve developed this overview to explain the steps we take to keep you secure.

Trainline are PCI Level 1 compliant both as a merchant and as a service provider and ISO 22301 (Business Continuity Management Systems) and ISO 27001 (Information Security Management Systems) certified. These international standards around card holder data, business continuity and information systems, respectively, require us to continuously monitor, review and improve our business resilience and technology controls around security practices.

Certificate number: BCMS 763415 and IS 775108


We use a 'defence in depth' approach to security. That means your data is constantly protected by complex layers of physical, technical and administrative security controls.

When you visit our website or use our app, we use advanced encryption to protect the transmission and storage of data between your devices and our servers.


We protect our systems and your data within industry-leading, accredited data centres, operated by Amazon Web Services (AWS), which are located in the European Economic Area (EEA).

AWS’ data centres have round-the-clock physical security and strict controls for logical and physical access.

Thanks to strict access controls, system logging and monitoring, your data can’t be accessed or modified by anyone except you, or strictly authorised Trainline personnel and suppliers, who need access to provide you with the service (e.g. Customer Relations).


Our systems are mirrored across multiple sites (AWS availability zones), each of which have backup power supplies and networks. This means, in the event of natural disasters or system failures, our systems can remain fully functional.

We continually log and monitor users and systems to identify potential security issues, or any trace of unauthorised activity. Our operations and Incident Management team are on call around the clock. We provide a commitment to our customers that our services will achieve at least 99.9% operational uptime.

Data privacy by design

We’ve designed our services from the ground up, to protect your privacy at all times. We’re strong advocates of the GDPR and believe that the transparency it delivers around the management and use of personal data is great for our customers, partners and our staff.

We’ll never sell any of the personal data you give us and we’ll only collect your data where it’s needed. We’ll only access your data on a need-to-know basis and only store it for as long as we really need it.

For more info on our approach to data privacy, please read our Privacy Policy.

Our security controls

Keeping yourself safe online

Your Trainline password 

It’s important to have a secure password on your account, to help stop possible fraudsters from using your details.

  • Avoid using the same username and password for other online accounts
  • Use a password manager application, if possible (e.g. Keychain)
  • Don’t share your password with anyone
  • Use pass phrases or sentences with mixes of uppercase, lowercase, numbers and symbols
  • Avoid using simple passwords like your name, the word ‘password’, your date of birth or pet’s name



Be wary of suspicious emails trying to steal your personal data. Usually, these are pretending to be legitimate companies or people you know.

Simple steps spotting a phishing email:

  • Is the greeting generic and not personal to you
  • Do the logos look genuine
  • Is there a time-bound period rushing you to take action
  • Check for poor spelling or grammar
  • Are there any links?
  • Instead of clicking on them hover over to see what site you're being directed too

Protecting your devices


We love that you can make purchases on a mobile, tablet or laptop so make sure that your devices are kept secure from vulnerabilities. The easiest way is to ensure that all your apps and software are kept updated.

Simple steps to protecting your devices:

  • Check out Google Android and Apple iOS on how to keep any apps updated
  • Review the security information and privacy statements
  • Watch out for the pop-up windows

Social Media footprint


In our everyday lives, we all use social media leaving a ‘footprint’ so it’s vital you know how to protect yourself.

You should:

  • Regularly type your name into an internet browser and see where you’ve left your ‘footprint’. You may want to review these
  • Be aware of what personal data you’ve shared with your followers and friends

Don’t forget to check out the Privacy settings too.

Two-Factor Authentication


Two-factor authentication (2FA) is a simple and quick security feature that helps to protect your important accounts, like email, banking, or social media.

2FA requires you to provide a code sent by text or via an app on your device to check it's really you accessing the account.

If you haven’t set up 2FA now is a good time to set it up on your important accounts.

Protecting your card data


Simple steps will help protect your card data:

  • Always use genuine websites. Search for them using an internet browser
  • Look out for the padlock symbol
  • Don’t auto-fill or remember card information on shared devices
  • Always use a credit card to help protect your online purchases
  • Report any unauthorised transactions and lost or stolen cards immediately

Reporting suspected security issues

We don’t currently offer payment for reporting vulnerabilities.

If you believe you’ve identified a security vulnerability in one of our websites or apps, we thank you for reporting it as quickly as possible. We’ll work with security researchers to investigate and fix any valid reports.

Please send reports to