PART 2 – SECURITY MEASURES
SECTION 1: ACCESS TO EXPEDIA PERSONAL DATA, EXPEDIA CRITICAL INFORMATION, NETWORKS, OR FACILITIES
SCOPE OF SECTION 1: If Company has access to Expedia Personal Data; Expedia Critical information; Expedia networks (including without limitation, if Expedia is providing a data feed or other information to Company via the Internet or vice-versa); or Expedia facilities (e.g., Company Personnel will be performing services at an Expedia facility), Company will, at a minimum, comply with the provisions in Section 1:
1.1 INFORMATION SECURITY PROGRAM
1.1.1 INFORMATION SECURITY RISK MANAGEMENT PROCESS
Company must have an established process that periodically assesses information security risk within the organization that has access to Expedia Information.
1.1.2 INFORMATION SECURITY POLICY
Company must have a documented information security policy, approved by appropriate management or governance committee and reviewed periodically, which defines responsibilities for protecting information assets. Policies shall be based upon industry best practices, addressing areas such as asset management, Personnel security, physical, environmental, equipment, and media security, communications and operations management, access controls, information systems development and maintenance, incident management, business continuity management, and compliance.
1.1.3 ORGANIZATION OF INFORMATION SECURITY
Company must document, adopt, and enforce compliance with Company information security requirements, policies, standards, and procedures. Company must provide Expedia a point-of-contact for escalation of all information security matters. If Company is contractually permitted to allow third-party access to Expedia Information, Company must define procedures that ensure that downstream third-party and outsourced service providers comply with this Agreement when working with Expedia Information on behalf of Company.
1.2 ASSET MANAGEMENT, CLASSIFICATION, AND HANDLING
1.2.1 ASSET MANAGEMENT AND CLASSIFICATION
Company must have a managed and up-to-date inventory of Company assets that have access to Expedia Information. Company must define and maintain an information classification process that specifies appropriate security and handling controls based upon defined classifications. Company must anonymize and/or pseudonymize Expedia Personal Data as required by applicable laws and regulations or by Expedia utilizing industry standard practices. If Company utilizes non-Expedia owned equipment to connect with Expedia networks, Expedia has the right to review and approve all such equipment in order to determine compliance with Expedia connectivity requirements. Assets that satisfy these requirements will be granted access to Expedia networks. Assets may require modifications by Company to meet Expedia’s security compliance requirements including, but not limited to, custom configurations and settings, O/S hardening, patching, security agents and mobile security code (such as anti-virus and authentication certificates).
1.2.2 HANDLING EXPEDIA INFORMATION
- All Expedia Information must be encrypted in transit.
- Expedia Highly Sensitive Information and Sensitive Data must be encrypted both in transit and at rest.
- All other Expedia Information must be encrypted or secured in a Protected Environment with limited access when at rest.
1.3 PERSONNEL AND HUMAN RESOURCES SECURITY
1.3.1 BACKGROUND AND SCREENING CHECK
To the extent allowed by local law and prior to employment, Company must conduct employee and contingent staff background screening commensurate with the level of access provided, including criminal, financial, and/or employment background screening. Background checks must be completed, and the results deemed satisfactory by Company, prior to the employee or contractor being assigned to perform services for Expedia where those services will involve having access to Expedia Information. Individuals whose background checks reveal convictions for violations including but not limited to computer crimes, fraud, theft, identity theft, or excessive financial defaults MUST not be permitted access to Expedia Information. Upon request and to the extent allowed by local law, Company will provide written confirmation that screening has been conducted and the results deemed satisfactory.
1.3.2 SECURITY AWARENESS AND EDUCATION
Anyone who has access to Expedia Information must complete information security awareness training, annually. The training must educate employees and contingent staff on all applicable policies, procedures, and standards and the responsibility to secure confidential information such as Expedia Information. Company shall be responsible for providing and verifying successful training of all Company employees and contingent staff. Expedia’s online information security awareness training is available to anyone with an account on the Expedia corporate network; successful completion of the Expedia training is a requirement for continued access to the network, unless evidence of equivalent training is provided. Company must require employees to acknowledge, in writing or electronically, that they have completed all required training, and have read, understand, and agree to abide by all applicable security policies and procedures. Upon request, Company must provide written confirmation that training has been completed.
1.4 PHYSICAL, ENVIRONMENTAL, EQUIPMENT, AND MEDIA SECURITY
1.4.1 Company must implement controls that restrict unauthorized physical access to areas containing equipment used to access Expedia Information. Company must monitor all areas containing equipment used to access Expedia Information for attempts at unauthorized access. All secure areas must be enclosed by a perimeter that will deter unauthorized Personnel from gaining access. Personnel working in secure areas must be easily identified as authorized to work in that area. Company must implement and maintain processes to verify that only authorized Personnel with an approved business need may be permitted to work in secure areas. Company must not allow visitors access to secure areas unescorted. Company must ensure proper disposal of all Expedia Information using appropriately secured containers for shredding or other approved means.
1.4.2 Company must only store Expedia Information in locations that will be protected from natural disasters, theft, unlawful and unauthorized physical access, problems with ventilation, heat or cooling, and power failures or outages. Company must implement controls to prevent or detect the removal of any equipment involved in accessing Expedia Information. For purposes of clarity, this provision relates only to permanent storage facilities. Portable media controls are listed below.
1.4.3 If Company is contractually permitted to take Expedia Information off-site in any format, soft or hard copy, Company must in all cases take steps to protect such Expedia Information from unauthorized disclosure. Expedia Information must not be transmitted to unauthorized external services/companies for transfer, storage, or backup. When not in use, Expedia Information must be secured or locked away.
1.4.4 When the use of Company-supplied removable or portable data storage media is authorized by Expedia to store or access Expedia Information, the media must be encrypted to industry-standard levels or similarly protected.
1.4.5 Company must configure a password-protected inactivity timeout of fifteen (15) minutes, maximum, on workstations or laptops used to store or access Expedia Information.
1.4.6 Company must have processes in place to return or completely destroy Expedia Information upon request, in any format in which it is stored, soft or hard copy, and must not allow Personnel to discard any media containing Expedia Information except by secure methods that completely destroy the data.
1.5 COMMUNICATIONS AND OPERATIONS MANAGEMENT
1.5.1 OPERATIONAL SYSTEM SECURITY
On all Company IT systems used to access, process, or store Expedia Information:
- Company must follow documented change management procedures. Company must ensure thorough testing of changes to IT systems to prevent negative security impacts.
- Company must establish repeatable controls to ensure secure configuration and system hardening, including changing default passwords and settings, and disabling of all unnecessary services/daemons, ports, and network traffic on all systems that connect to Expedia networks or access Expedia Information.
- Company must establish and maintain a patch management process for software (including open-source software and firmware) covering network devices, servers, and desktop/laptop computers, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. Company must deploy patches in a period of time that is commensurate with the criticality of the patch and sensitivity of Expedia Information accessed. Critical security patches must be installed within one month of their release.
1.5.2 MALWARE PROTECTION
Company must deploy, enable, and keep up to date malware protection that detects, removes, and protects against all known types of malicious software on all IT systems that access, process, or store Expedia Information. Company must ensure malware protection technology is configured to enable upon boot-up, set both automatic updates and periodic scans, and have logging enabled. Infected systems must be removed from the network until verified as virus-free.
1.5.3 NETWORK, OPERATING SYSTEM, AND APPLICATION CONTROL
All systems or networks connecting to Expedia networks and/or accessing Expedia Information must employ safeguard controls capable of monitoring and blocking unauthorized network traffic. Company must enable logging on network activity for audit, incident response, and forensic purposes. Where such controls are not available, systems or networks used to access Expedia Information must be physically or logically separate from other Company networks.
1.5.4 LOGGING OF SYSTEM USE
- Company must configure all Company systems used to access, process, or store Expedia Information to enable basic forensic accountability. In the case of an information security incident involving Company-supplied laptops, desktops, or removable or portable data storage media used to access, process, or store Expedia Information, Company must conduct a forensic analysis and provide the results to Expedia or Expedia’s representatives upon request except when the incident involves the actual loss or destruction of the equipment or media.
- Company servers used to access, process, or store Expedia Information must maintain sufficient audit logging to enable forensic analysis, including logging of security events, connectivity to services and sessions, and modification to user and configuration settings. Audit logs must be maintained for a minimum of three months. In the case of an information security incident involving Company servers used to access, process, or store Expedia Information, Company must conduct a forensic analysis and provide the results to Expedia or Expedia’s representatives upon request.
1.6 ACCESS CONTROL
1.6.1 EXPEDIA-MANAGED ENVIRONMENTS
Access to Expedia Information must be restricted to authorized users, only. When the data resides physically or logically within Expedia-managed environments, Company access will be subject to Expedia’s access management policies and procedures. Expedia must authorize all decisions for access to Expedia Information residing within Expedia-managed, where applicable, its landlords’ or service providers’ managed environments. Company may not extend access to Expedia Information residing within Expedia-managed environments to third parties without prior written consent. Expedia reserves the right to monitor all systems used to access Expedia-managed environments. If Expedia provides equipment such as laptops used to access Expedia Information, the equipment will be subject to Expedia’s configuration and access management policies and procedures. Company must immediately notify Expedia in writing if a Company employee or Company subcontractor with access to Expedia-managed systems terminates, no longer requires access to the Expedia account, or requires changes to the user account. Notification must include name and User ID of the accounts or systems the person has access to.
1.6.2 REMOTE ACCESS CONTROL
Remote network connectivity to Expedia-managed environments must always use Expedia-approved methods such as SSL VPN when connecting. Expedia’s Host Checker policy will not allow connection from equipment without the capability of meeting Expedia’s security requirements for remote management, encryption, and authentication. Host Checker will verify equipment configurations such as current system patch levels, anti-virus software signatures and scanning engines, and personal firewalls. If Company is contractually permitted to remotely access Expedia-managed environments with Company-supplied equipment, Expedia will provide Company with a list of current configuration requirements upon request. Company shall be responsible for maintaining Company-supplied equipment configurations.
1.6.3 OUTSIDE OF EXPEDIA-MANAGED ENVIRONMENTS
If Company is contractually permitted to access, process, or store Expedia Information outside of Expedia-managed environments, Company must have an access management process that includes account authorization and management, password management and authentication, and remote access controls. Company must not provide access to Expedia Information to any third party (including, without limitation, Company’s subsidiaries and affiliates, subcontractors, and any person or entity acting on behalf of Company) unless the access is necessary to carry out Company’s obligations under this Agreement; such third party is bound by the obligations that are at least of the same level as those set out in this Agreement, and, for personal data, such obligations must comply with the requirements of the applicable privacy laws including the GDPR. Company shall remain responsible for any breach of the obligations set forth in this Agreement to the same extent as if Company caused such breach.
1.6.4 COMPANY USER ACCESS MANAGEMENT
Expedia authorizes access to Expedia Information on a need-to-know basis. All user accounts used to access Expedia Information must be unique and clearly associated with an individual user. Company must ensure unique assignment of user IDs, tokens, or physical access badges provided to employee or contingent staff granted access to Expedia Information outside of Expedia-managed environments. Company must ensure all user/system/service/administrator accounts and passwords are never shared. Company is responsible for reviewing authorization privileges assigned to its employees and contingent staff on a monthly basis to ensure that access is appropriate for the user’s functioning role. Access authorization should follow “principles of least privilege.” Company must provide and ensure that IT administrators use separate and unique accounts for administration and non-administration responsibilities. Company must ensure that procedures exist for prompt modification or termination of access rights in response to organizational changes.
1.6.5 PASSWORD MANAGEMENT AND AUTHENTICATION CONTROLS ON COMPANY SYSTEMS
Company must ensure that systems with access to Expedia Information require complex passwords with reasonable expiration, reuse, and lock-out controls. Company must prohibit its users from sharing passwords. Company must encrypt authentication credentials during storage and transmission. Company must change passwords immediately for accounts suspected of compromise.
1.7 UNAUTHORIZED ACCESS TO EXPEDIA INFORMATION
Company shall not attempt to access, or allow access to, any Expedia Information which they are not authorized to access under this Agreement or associated Schedules/Statements of Work. If such access is attained, Company shall immediately terminate such access, report such incident to Expedia, describe in detail the accessed Expedia Information and return or destroy any copied or removed Expedia Information upon Expedia’s instruction.
1.8 INFORMATION SECURITY INCIDENT MANAGEMENT
1.8.1 Company must establish and maintain procedures that ensure appropriate response to security incidents. Management procedures should address monitoring, investigation, response, and notification. Company must securely save evidence such as security logs for forensic analysis. Incident response plans must include methods to protect evidence of activity from modification or tampering, and allow for the establishment of a proper chain of custody for evidence.
1.8.2 Company must notify Expedia without undue delay, and in no event later than twenty-four (24) hours after becoming aware of a verified Personal Data Breach ; within forty-eight (48) hours of a suspected Personal Data Breach ; and within seventy-two (72) hours of any suspected compromise of information security, system abuse, and/or violation of information security policy involving Expedia Information; and must, at Company’s cost and expense, assist and cooperate with Expedia concerning any disclosures to affected parties and/or data protection authorities, and other remedial measures as requested by Expedia or required under applicable law.
1.8.3 Security notifications should be reported to Expedia Group Security via the Relationship Manager and via email to ERSSOC@expedia.com.
1.9 COMPLIANCE
Company information security policies and practices must comply with all applicable laws and regulations and contractual obligations to Expedia. Where local laws appear to prevent compliance with Expedia Information Security requirements, Company is responsible for notifying Expedia Group Security to determine appropriate compensating controls.
1.10 RIGHT TO AUDIT
1.10.1 Expedia shall have the right to conduct, at Expedia’s cost, inspections, assessments and/or audits (e.g. questionnaires, phone interviews, and onsite reviews), upon ten (10) days advance notice to Company, at a maximum of one (1) time per year, to evaluate compliance with these Requirements. Company agrees to cooperate with Expedia or its assigned agents regarding such inspections, assessments and/or audits. Company, at its own cost, will promptly correct deficiencies in the Technical and Organizational Security Measures identified by Company or by Expedia.
1.10.2 In addition to Expedia’s annual compliance audit, in the event of a verified Personal Data Breach involving Expedia Personal Data, Company agrees, at its sole expense, to provide a mutually agreed upon independent third-party auditor, and any governmental authority acting pursuant to statutory powers, access for inspections, assessments and/or audits (e.g. via questionnaires, phone interviews, and onsite reviews), and with no less than ten (10) days advance notice to Company, including access to Company’s facilities, systems, records, procedures and business practices to the extent related to the Personal Data Breach and the contracted products and services. The third-party auditors shall execute a mutually agreed-upon nondisclosure agreement with Company prior to commencing an audit. Any such audit may take place during the term of the Agreement and for a period of two years thereafter, shall occur during normal business hours and shall not unreasonably interfere with Company’s normal business operations. Company shall cooperate with third-party auditor’s agents regarding such inspections, assessments and/or audits. Any such audit reports shall be shared with Expedia, subject to redaction of information reasonably considered highly sensitive and therefore confidential by Company.
1.11 DELETION OR RETURN
Unless Expedia requests return of Expedia Personal Data prior to termination of expiry of the Agreement (whereupon such personal data shall be promptly returned to Expedia in machine readable format), upon such expiry or termination, Company will immediately delete all copies of Expedia Personal Data, save that, in the event that Company is unable to destroy Expedia Personal Data (due to backup or legal reasons), Company shall (a) continue to extend the protections of these Requirements to such data until such time that such Expedia Personal Data can be destroyed; and (b) immediately terminate any further processing of that Expedia Personal Data without Expedia’s express prior written consent, except where and to the extent required by applicable law.
PART 2 SECTION 2
SECTION 2: CODE OR SYSTEMS DEVELOPMENT AND MAINTENANCE
SCOPE OF SECTION 2: If Company’s services to Expedia include code that Expedia consumes or hosts, or where Company is providing Expedia with development services Company will comply with the provisions in Section 2:
1.1 APPLICATION SECURITY
Company must not allow Expedia production data in any development, test, quality assurance (“QA”), or other non-production environment. If production-quality data is required for development or testing purposes, it must first be pseudonymized and/or anonymized to ensure the removal of all personal data elements, including name, SSN or equivalent, credit card numbers, etc. Company must ensure protection of Personal Data and Expedia Critical information that is stored in cache or cookies.
1.1.1 CRYPTOGRAPHIC CONTROLS
Where applicable, Company must use commercially available cryptographic algorithms and all deployed encryption solutions must follow best practices in key management. Encryption keys must be protected against disclosure and misuse and must be rotated on a regular basis as defined by the level of sensitivity of information. Retired keys must be destroyed.
1.1.2 SYSTEM SECURITY
Company must establish and maintain configuration standards for all network devices and hosts accessing, processing, or storing sensitive Expedia Information, addressing currently known security vulnerabilities and industry best security practices. Company must ensure that software (including open-source software and firmware) used in operational systems maintain current level of patching support by its supplier.
1.1.3 SECURE DEVELOPMENT AND SUPPORT
All software development done on behalf of Expedia must follow a documented software development process or life cycle (SDLC) with appropriate security checkpoints. Company must validate and test firmware, software, and application source code against vulnerabilities and weaknesses before deploying code to production. If Company develops software, it may be required to demonstrate the effectiveness of security controls prior to software acceptance. All software deployed to a production status in Expedia’s environment must adhere to and utilize Expedia’s change control process.
1.2 SECURITY AWARENESS AND EDUCATION
Company shall be responsible for providing and verifying successful completion of secure development training based upon industry best-practice standards for all Company developers working with the applicable code or systems. Expedia’s online secure developer training is available to all developers with an account on the Expedia corporate network; successful completion of the Expedia training is a requirement for applicable Company developers, unless evidence of equivalent training is provided. Upon request, Company must provide evidence and reports of training completion to Expedia.
PART 2 SECTION 3
SECTION 3: CARDHOLDER AND FINANCIAL/PAYMENT ACCOUNT DATA
SCOPE OF SECTION 3: If Company has access to or otherwise receives Expedia employee or customer financial/payment account numbers, including without limitation Cardholder Data, or provides Cardholder processing software to Expedia, Company will comply with the provisions in Section 4:
1.1 Company represents that it is presently in compliance, and will remain in compliance with, the current PCI DSS. Company shall provide Expedia with a copy of its PCI DSS Attestation of Compliance annually at the time of filing, and immediately notify Expedia of any change in its PCI DSS compliance status.
1.2 Company acknowledges that Cardholder Data is owned exclusively by Expedia, credit card issuers, the relevant Payment Card Brand, and entities licensed to process credit and debit card transactions on behalf of Expedia, and further acknowledges that such Cardholder Data may be used only on the instruction of Expedia and in accordance with this Agreement, applicable privacy and security laws, and the operating regulations of the Payment Card Brands.
1.3 Company agrees that, in the event of a Personal Data Breach involving Cardholder Data, Company shall afford full cooperation and access to Company’s premises, books, logs and records by a designee of the Payment Card Brands to the extent necessary to perform a thorough security review and to validate Company’s compliance with the PCI Standards.
1.4 If Company provides to Expedia software that processes any payments via a payment application, Company represents that software provided to Expedia has been assessed and complies with the PA-DSS, and agrees to provide Expedia with all documentation, including the PA-DSS Implementation Guide, necessary for Expedia to deploy the software in a manner consistent with PCI DSS. Company agrees to re-assess software following any changes determined to impact payment application security in accordance with the PA-DSS and provide updated documentation as necessary.