WORLDLINE_REGISTRATION_DOCUMENT_2017

Risk Factors [GRI 102-15] and [GRI 102-11] Regulatory and legal risks

Compliance with these evolving standards, and the corresponding costs could have a material adverse effect on the Group’s financial condition and results of operations. In particular, the Group could be subject audits by the Belgian regulatory authority, the Banque Nationale de Belgique or the Dutch regulatory authority (the DNB – De Nederlandse Bank) in respect of the effectiveness of its internal controls and audit systems and risk management. In the event that such audit reveals that the Group is not in compliance with the relevant regulatory requirements, the Group’s efforts to remedy such instances of non-compliance could have a material adverse effect on the Group’s financial condition and results of operations. Changes to PCI standards could require significant costs to ensure compliance, which could have an adverse effect on the Group’s business. The security standards established by the PCI-SSC (Payment Card Industry – Security Standard Council) are designed to enhance Card payment data security by promoting the broadest possible dissemination and implementation of specific standards relating to the various components of card payment transactions. The main standard is the PCI-PTS standard on PIN entry (Payment Card Industry – PIN Transaction Security). The aim is to guarantee that the cardholder’s PIN is always processed in a fully secure fashion by the PIN entry device and ensure the highest level of payment transaction security. Other PCI-SSC standards include the PCI-DSS (designed to enhance payment account data security) and the PCI-UPT (relating to security requirements for unattended payment Terminals). Such standards, which can be adopted by various payment schemes, entail specific technical requirements and a certification process. Updates to these standards involving changes to existing requirements are managed by the founding members of the PCI-SSC – Visa, MasterCard, JCB, American Express and Discover – in relation with stakeholders from across the electronic payment industry (e.g. hardware industry stakeholders (including the Group), regulators, merchants, banking associations, banks, transaction processors). This separate organization offers manufacturers the opportunity to take part in shaping the standards and the rules for applying them. Changes to these standards entail changes to the Group’s hardware or products or embedded software. This could therefore entail substantial capital expenditure. The Group takes all the necessary financial and engineering steps to bring its new payment Terminals into compliance with the applicable PCI standard, which imposed stiffer requirements. Although the certification process is extremely robust, there is a risk that once in use, specific products might reveal defects that could subsequently lead the PCI to challenge their certification. In the event of a withdrawal of the certification, such a challenge could force the Group to offer different certified Terminals to its customers. This situation may induce customers to switch to another solution, which would result in decreased revenue and financial loss.

As a provider of payment solutions, particularly centralized payment solutions deployed in large-scale retail, the Group must also comply with the PCI-SSC standard entitled “PCI-DSS (Payment Card Industry – Data Security Standard)”. The aim of the PCI-DSS is to ensure that stored cardholder data and sensitive transaction data are always processed in a fully secure manner by systems and data bases. The new standard is compulsory for all systems that handle, store or route such data, whether the payment is made by chip card or not. Like PCI-PTS, maintaining compliance with this standard could require the Group to make changes in the architecture of data processing systems, networks and servers entailing substantial investment. The Group maintains an on-going relationship with the PCI-SSC to ensure that the Group can address all aspects of current and forthcoming standards under the best possible conditions, including being able to anticipate trends and prepare for future investments and remedial expenditures. Despite this close relationship, the Group might not be able to avoid fraud or tampering with its certified payment Terminals and solutions. Such occurrences could damage the Group’s reputation and results of operations. Changes in credit card association or other network rules or standards could adversely affect the Group’s business. A significant source of the Group’s revenue comes from processing transactions through payment schemes, including, in particular, Visa, MasterCard, Bancontact (in Belgium), Girocard (in Germany) and Groupement des Cartes Bancaires CB (in France). In order to provide its transaction processing services, the Group must be registered with, or certified by, such card schemes as members or service providers for member institutions. As such, the Group and many of its customers are subject to card association and network rules that could subject them to a variety of fines or penalties that may be levied by the card associations or networks for certain acts or omissions by the Group, acquirer customers, processing customers and merchants. Payment schemes such as Visa, MasterCard, Bancontact, Girocard and Groupement des Cartes Bancaires CB, some of which are the Group’s competitors, set the compliance standards and periodically update and modify them. Changes in the standards may increase the Group’s operating costs that it may not be able to pass on to its clients or other scheme participants. Additionally, changes to payment scheme rules could have a material adverse effect on the Group’s cash flows and liquidity if the payment schemes impose delays in their processing of payments that are longer than the amount of time the Group takes to process payments on behalf its merchant clients. On occasion, the Group has received notices of non-compliance and fines, which have typically related to excessive chargebacks by a merchant or data security failures on the part of a merchant. If the Group is unable to recover fines from or pass through costs to its merchants or other associated participants, the Group’s results of operations and financial condition could be materially adversely affected. The termination of the Group’s registration, or any changes in the payment schemes rules that would impair the Group’s registration, could require the Group to stop providing payment schemes services to the Visa, MasterCard or other payment schemes, which would have a material adverse effect on the Group’s business, financial condition and results of operations.

F

277

Worldline 2017 Registration Document