Worldline - 2019 Universal Registration Document

EXTRA-FINANCIAL STATEMENT OF PERFORMANCE
Building customer trust with reliable, secured, innovative and sustainable solutions

● Maintain a full coverage of ISO 27001 Security certification across Worldline under the Worldline Global ISMS. Worldline has been engaged in an ISO 27001 multi-site certification (MSC) program with Atos group until end 2019. A Worldline standalone MSC program is being defined to cover ISO standards 9001, 14001, 27001. This multisite approach provides assurance to Worldline customers that the Company produces consistent service delivery worldwide. The ISO/IEC 27000 helps the Company manage the security of its assets such as financial information, intellectual property, its employee details or information entrusted to it by third parties. ISO/IEC 27001 is the best-recognized standard relating to requirements for an Information Security Management System (ISMS). The current scope for MSC ISO/IEC 27001:2013 covers 35 of 61 Worldline Group's eligible sites.

● Consolidate and extend the services related to Security Operation Center (SOC) in order to centralize and homogenize the threat detection and analysis services provided across Worldline entities. This improved set of security services, provided by Atos as MSSP (Managed Security Services Provider), includes:
    ● Security Incident management service handled by security professionals (SIEM/SOC/CSIRT) to analyze potential incidents and determine their severity, priority and what activities to undertake to mitigate the threat,
    ● The Threat Intelligence Service (TI) to provide a wide view on digital threats, including exploitation of vulnerabilities in computer systems, organized hacking, brand abuse, and reputational or computer fraud,
    ● The Endpoint Detection and Response (EDR) solution.

● Continue to keep Incident resolution at 100% consistent with security policy. Incidents are reported and root causes are well understood to avoid re-occurrence. This reporting also provides valuable input for regular Security Risk Assessments.
This practice is even more valuable in the international context as Worldline provides its services to customers worldwide. Weekly communication between the Worldline Chief Security Officer and all regional Security Officers ensures close monitoring of recorded Security Incidents and follow-up on agreed-upon improvement actions. In 2019, 99.64% of incident responses were fully compliant with Worldline security policy, against 98.74% in 2018 and 97% in 2016.

● Train 100% of its employees yearly regarding PCI-DSS in order to strengthen and maintain data security awareness. In 2019, 91% of employees were trained. This objective relies on the fact that all Worldline staff are a key point of defense in security, which means it is vital that all staff, contractors and consultants throughout the Worldline organization take responsibility to adhere to Worldline security policies and related standards, procedures and guidelines. Worldline Information Security Policy, part of the ISMS, applies to all Worldline employees and describes the security processes and risk assessment approaches that need to be applied. In addition, as part of the annual e-learning mandatory for all employees, 96% of Worldline's employees completed in 2019 the "Security & Safety Awareness" training in order to develop their awareness in this area. Specifically regarding the growing threat of phishing attacks (malware), Worldline organized awareness trainings and simulations in 2019 to provide employees with a more concrete view on cyber and physical threats that they can face.

● Achieve defined security Key Performance Indicators. Technical monitoring and reporting are in place to proactively act on security anomalies: weekly security watch analysis, monthly monitoring of firewall configurations, weekly vulnerability scans, yearly penetration tests, reviews of access rights, intrusion detection systems including DDoS mitigation systems, and monitoring and logging of system events. All of these measures are part of the Worldline Security Strategy.

In addition to ensuring security in its business, Worldline has implemented measures and policies to protect its own intellectual property assets and confidential information, including, but not limited to, the use of confidential agreements, encryption and logical and physical protection of information where required. Furthermore, Worldline Legal & Compliance department advises on all commercial transactions to ensure that appropriate provisions are included in its contracts with customers and suppliers and that confidential matters are appropriately handled and in compliance with applicable laws.
