Worldline 2017 Registration Document

D. Corporate Social Responsibility report

Building customer trust with fully available and secured platforms

D.2.1.4 Building customer trust with a robust and proven IT system security [GRI 418-1]

D.2.1.4.1 Worldline's comprehensive asset protection approach

Worldline's and Atos' security organization has defined a set of 101 Global Security and Safety policies, standards and guidelines. These security policies are mandatory and binding for all Worldline entities and employees in order to guarantee the safety and the security of Worldline's internal and external (i.e. "customer related") business processes. The policies apply to all staff, contractors and consultants throughout the Worldline organization. Worldline's Safety and Security policies cover the protection of all of Worldline's assets, whether owned, used or held in custody by Worldline (information, intellectual property, sites, network, personnel, software and hardware).

In order to meet the specificities of its business, Worldline has, since 2009, developed a comprehensive set of information security policies and standards that may include some local variations for more clarity or for specific local constraints. Those policies are aligned with the Worldline Group Safety and Security policies and are compliant with the ISO 27001:2013 standard. A Security Policies Governance plan is in place to define those policies, support their implementation and maintain them.

In addition, Worldline has implemented measures and policies to protect its intellectual property assets and confidential information, including, but not limited to, the use of confidentiality agreements, encryption, and logical and physical protection of information where required. Furthermore, Worldline's Legal & Compliance department advises on all commercial transactions to ensure that appropriate provisions are included in its contracts with customers and suppliers and that confidential matters are appropriately handled, in compliance with applicable laws.

Worldline is also engaged in an ISO 27001 multi-site certification program with the Atos group, which clearly signals that Worldline is committed to a continuous security improvement process. In 2017, Worldline successfully certified 22 of its 23 eligible sites.

In 2017, 94% of Worldline's employees took part in mandatory "Security & Safety" e-learning courses in order to develop their awareness. In addition, in 2017 Worldline's Security department again organized a special awareness event at a global level to give its employees a more concrete view of the cyber and physical threats they can face, through concrete examples and practical prevention actions. Concerning the growing threat of phishing attacks (malware), Worldline arranged related awareness trainings during the year.

Below is a summary of Worldline's commitments on security:

1. A high level of ISO 27001 Security certification throughout the organization. One of the main challenges to be addressed is the emerging cyber security related threats that potentially create new risk exposure.

2. Services related to the Center of Security Operations. Continuously changing threats require constant and proactive monitoring to identify occurrences of compromise, supported by an appropriate course of action.

3. Incident resolution kept at 100% consistent with security policy. Incidents are reported and root causes are well understood to avoid recurrence.

4. 100% of its employees trained yearly regarding PCI in order to strengthen and maintain awareness concerning data security.

Security Key Performance Indicators and reporting

In addition to these high-level indicators, technical monitoring and reporting are in place to act proactively on security anomalies (weekly security watch analysis, monthly monitoring of firewall configurations, weekly vulnerability scans, yearly penetration tests, reviews of access rights, intrusion detection systems including DDoS mitigation systems, and monitoring and logging of system events). All of these measures are part of the Worldline security framework.

Data Protection Procedures

As "privacy by design" drives data protection at Worldline, the second pillar includes procedures that are also described in the Atos group Data Protection Policy. These procedures ensure that privacy is embedded in all processing of personal data by Worldline, whether on its own behalf or on behalf of its customers. In 2017, Worldline received zero complaints concerning a breach of customer privacy [GRI 418-1].

Reported security incidents provide the basis for a thorough root cause analysis supporting the continuous improvement of risk mitigating measures. Thanks to proactive and regular Security Risk Assessments, the existing risks should be remediated to attain the agreed upon residual risk level. Nevertheless, the remediation in place might not be as effective as intended, or the outcome of the security risk assessment could be based on inaccurate assumptions. It might well be that new threats and evolving attack vectors appear that could suddenly have a negative impact on Worldline's data security. The reporting and recording of Security Incidents, accompanied by sound root cause analysis, help maintain existing risk mitigation at the right level and provide valuable input for regular Security Risk Assessments. This practice is even more valuable in the international context, as Worldline provides its services to customers worldwide.


