Security & Safety Guide

Experience Oz complies with PCI-DSS v3.2.1 SAQ A-EP

• Passes internal and external application and network penetration testing performed by independent security firms.
• Scanned monthly by an Approved Scanning Vendor (ASV).
• PCI Attestation of Compliance (AOC) is available for download.

The following documents are available to the public. Applicability to your environment needs to be assessed / approved by your auditors.

Experience Oz 2019 PCI-DSS 3.2.1 Attestation Of Compliance

Experience Oz maintains a comprehensive privacy programme. To us, this means that although we are required by law or regulation to do certain things, we are continually evaluating whether we can and should do more.

• We do not sell the personal information of our customers to third parties.
• We have a full time security team focused on privacy and security issues. View our privacy policy.

Experience Oz is committed to designing, building, and maintaining secure systems. All applications are regularly scanned for common security vulnerabilities including the OWASP Top Ten.

• Regular training on Secure Coding Practices is provided. All engineers must attend training sessions.
• No credit card information is permitted to be stored on any mobile device.
• Use of encryption for both storage and transmission of sensitive information is regularly audited by the Experience Oz Security Team.
• All web and mobile applications are primarily developed, tested, deployed, and maintained by a full-time, in-house engineering team.

Experience Oz uses strong encryption methods and key management procedures to ensure your sensitive information is protected.

• All credit card information is encrypted with strong industry-standard cryptographic protocols such as AES and TLS while in transit through our systems.
• ExperienceOz's website and APIs are accessible via a 256-bit SSL certificate issued by Digicert.
• Credit card information is never stored after transaction authorisation.
• Access to encryption keys is held by the smallest number of Experience Oz employees possible.

ExperienceOz has taken appropriate measures to vet our employees.

• All employees are subject to reference, education, and other personnel checks. Certain employees are also subject to detailed background checks.
• ExperienceOz maintains an information security training programme that meets PCI-DSS standards.
• Knowledgeable full-time security personnel are on staff.
• Require written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.

While we don't anticipate there ever being a breach of our systems, we know that no computer system is perfectly secure.

• ExperienceOz has 24x7 monitoring of its security systems and alerts.

If you discover a vulnerability with Experience Oz's information systems, report it to us first!

• Do not attempt to harm ExperienceOz, its users, or customer's data.
• Allow reasonable time for Experience Oz to resolve the issue before publishing findings publicly.
• Report details to: admin@experienceoz.com.au
• Include full details and steps to reproduce.

If you wish to encrypt your email, use Experience Oz Security's GPG Key:

-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBF4lVFQBEADKJ3k2aAEX2VmceyK7/sJLuXdbYZEEVkAu28RwfNK4P264RF8y h4JjByKA/uQ/77N5ppWSANlAuBWB2uB6eJnED1ffbehMdRnT9+18/h9gjRNRofIW EZsCKOSYJOUxZRvzLFmHW2aIJ3ckxYrCw/KQUCSIBGJf4Hcc5cyu3QEy1siLJKI9 Nqis9T9IqiRKKafCxzx0XC4q17D1qmcTK/J9JrwQjdeDRqNRLOyOq8JpwOVoxio6 A1zHqOXDDiBnwnWkjMjAAoG3LDS4Ldigg0bfRGgNPOrlif3wWHe6+sPHDcxmsinu 8r0XUAwDJof7P3Fk9ybODgga6RGX3/E0epcZyd2QaZqiQRQpGmk8grD3zoZ1sAaI 4fdF3zKn4ix+t22rxBuxlHmxIBUrasZallL4yck1YrPWucCw2KXvKF7WIQjOCE8w WY9Tcewa1rjYz7s+qpIqGkPRRPQBahWWDmkHttAnblmFS0HdUT2LZFHfFtNKtaJ7 Mecod/B47bJUWBXyAz301VZxHwBEMIwGa8++x6aNw4dE0X+RK0g+8e3dZhf9h8iY IJLtC9nR0mrlrU8sUUywNNA7Cx+APF9rpvcQj/xVSP3JHQqP8AUFv28f8UJcxSuY jGywl/Q+iNjFk3XfdX//6aPWB66DBlQF+qfKK8sfOdsaScP8pzLrtsnPHwARAQAB tCNSb2xhbmQgPHJvbGFuZEBleHBlcmllbmNlb3ouY29tLmF1PokCVAQTAQgAPhYh BOLB6QF48E6aq8JmumjhQKudRJLpBQJeJVRUAhsDBQkHhh+ABQsJCAcCBhUKCQgL AgQWAgMBAh4BAheAAAoJEGjhQKudRJLpEy0P/0ix4QbyZJkBTcg41IxTZSPQ/8ly Wf8Ns+2KMSvlBb7X9Js/qAMLhJIdRUV+vbc6D4SzEoPA48DavtW92HHIqhM8tZZP OF39zKV7GBgYrIw4LTMR5Csj61HIGCZVqZsPT9vcg409uD47do+fK6U64l0vAMZ+ kHtHVaiGgxSm/BUZlZT9xL6xO+Se5qU3sknrI+75QQGPyiLIVE6WZcAfgI4c5LDN 6mVtMFZc2KtqMbYfevjG1AK+lTBOJ5F5cCHJggiPwQvreblSo1RXvvyw8I6GAyvf J1nmdGQoD74EDYxBIsr71jObxrvqdg26qsH0XDtYCYmYOKQ6L/D+LVC+61vsXgQu VG6j6T3OtBosPFekccSRGECOlML+KN4a2jDg0Vbcl4ohSzb4lgMbMNLw9D3p4S9U Z+j4+Fi9fUT38ix0qf+TF56bvyqF1WAffNspZixjcth7MTZU095FaNhGdYiAAmNx rjdCzRo1ZfMWa9Ek9fx5S/VrW/SaQedpHefKlS7qhp9f0DM4HTWxmUuF7K8A5rEO 7oSjkFn4yz5ZybPjhIyz3Zyd+YEhf3SPp8ka2Dq+cpMnC64Lg5l+XvQbmCtgypEC N7+UbT2lY+WpkwvkNSbCirVKiy3ImaBVq5Vl2a/4+oD6iIWd+3wbp1om2ZwFaNZk QLCEnggXu3me761LuQINBF4lVFQBEACrXPl+GnM++JRf1Fk0XR2sEVvpknQEhxCu 9zR3KlwlF5+lozvJDKf94I0TtFEzQBvuEl4G/3qnWYv+wzI8ZhUKs8OSdoN/uOyz gA8o2bodSjmWx7i7oCIsz4PK8ZLP2PsrSuXofKpHJJDhFuqCjWiea4pXGV5Ncxnv lSmal2qTHyjMI5zw8MoHCWIaoTaZIThcHGJ7O7U2f5odQP3RdbU3ExRJsuLnBM8a xDHH5laTmIHvDBPvvfxX+RLlgwAIBNMsJHDFdL8/ZWv+EOAwVtXUdH02eL12l/od j69ngIliadzQgws+rMguO9RuJBSI2ybffjI71F6pSv9sfyZB/hEXrYOpwpX0tvLw ldOuRZOOljG6wx0m3PBL/0vnj5yGT5tsD1GjuEZCIudsXmcG3LVM1gw+UYPCUZlm 303iKpNfM5XzOR1VFzCQ8+CzGpVRXzW3l6vwJDBqPJK4jFpEAqF6eI20mP5gV1zP nFGq+L/kyyFvLJof7DAuNNS5f25FbEdfu5vqGkin29UxQE4SiQOyyvy/3TfldK8T G3R74zIzcMWVKMcsjqYUXGEjHyBO+VbxnGcW9Nhuxa4ZqTCYLkW+Fw1CV4HaknQy 0kzXHmUlroMEPiglYnIwSN3Uvb5LbN2fNk6wLogNrbQhW6GFFXlcRaWbqT0OPo45 gAnBxwqlrQARAQABiQI8BBgBCAAmFiEE4sHpAXjwTpqrwma6aOFAq51EkukFAl4l VFQCGwwFCQeGH4AACgkQaOFAq51EkunYDw//css0WSiemTg5MEFtiZnJTlyiLfzI Rx4p1YR3ahsFTBRNTYPs6bdY9MuD0+T5TSp4ojy9So9s8eGaLbWOkUzvsMTvXnf8 176OLci44FCpJo9WY1phlNYI/aK+2W5xp3TZ+QXsLwjT6Qi9EThr5/Je8Puos/+E EG6JTitMIAHMIXJrwuzgPbzbbg8l6OfNuQ4rb1wu67WomRrV56xXVfp3xEWxojbu 6MG9W9jScKgbmanvANqK/tn90SGsyurecCcqcIDC8FSwD9cFLWQILosO0vuQC49M C85fHBI8wghdYzyG+HSMkJrTVZ51XRWx/p82aHHyRJ/72jSLCKmJrv1SRJ3Csq/a HEIX2mDuORALeTkDBs03wvGclJx9iTM3PEZo5mF7QYWYNXAQVpdA5O4SuMnSQbUj UOPjtY+9aqXAbq99NxQtlxtR8rzMtsIT42T/etFY7+QVnoT+ujHWmXwCaEARWMEA RtI88EmQrlWYBTKhzU0FbvK0hUYu4z/PdMipTo61JPYxJOu60QdOrT320cUQ0s94 Wn84DqwfyA7F9dM7hR4NYbqzHBWCPa13ZUFoVOZglta9YkdfulHqZrOcitH2cw9I AMc/BqdMCrrC/vPTEaFsUf3gKVmFmRRjY+rs65nCSlBxanL2kTjk23/wzXg7zG8T 7/l4sSWt/nYGXmc= =eTqc -----END PGP PUBLIC KEY BLOCK-----