Worldline - 2019 Universal Registration Document

Worldline: a regulated Group

C.4.1.3 Strong authentication under PSD2

The European Banking Authority (EBA) published on October 16, 2019 an Opinion on the deadline for the migration to Strong Customer Authentication (SCA) under PSD2 for e-commerce (2-legs) card-based payment transactions. The Opinion sets the deadline to December 31, 2020 and prescribes the expected actions to be taken during the migration period. National Competent Authorities (NCAs) may decide to work with the various stakeholders of the payment ecosystem (for example, PSPs, issuers, acquirers, etc.), including consumers and merchants, to agree on an action plan. The EBA's Opinion recommends that NCAs take a consistent approach toward the SCA migration period by abiding by the deadline specified and requiring their respective PSPs to carry out the actions set out in this Opinion.

The Group has structured a dedicated program to manage this regulation, which impacts its processes, and to support its customers (merchants and banks) impacted by the new rules. In addition, the Group participates in working groups monitored by local regulators across Europe to complete the migration to Strong Customer Authentication on time.

C.4.2 Regulation applicable outside of the European Economic Area

The Group is not subject to any particular regulation concerning its activities outside of the European Economic Area, with the exception of:

● India, where the Group conducts Commercial Acquiring and Issuing Processing activities for limited amounts, which are subject to local regulations;
● Vatican, where SIX Payment Services AG, a subsidiary of the Group located in Switzerland, is authorized by the Financial Information Authority of the Vatican City State to provide acquiring and terminal services within the Vatican City State as an auxiliary entity pursuant to Regulation No. I on “Prudential supervision of entities carrying out financial activities on a professional basis”.

Regarding the future situation in the United Kingdom, the Group has obtained the Temporary Permission Regime to ensure access to the British market post Brexit until a local license can be obtained.

C.4.3 Compliance with technical standards

The Worldline Group implements the processes defined by the international standard-setting bodies, such as ISO 9001, which relates to requirements for quality, 27001, which relates to requirements for security, and 14001, which relates to environmental requirements of technological infrastructures. The Worldline Group develops and implements infrastructure sector solutions or services in secure cloud mode which are specific to certain activities and certified by the corresponding national authorities (health data, for example).

The Group also implements controls corresponding to international security requirements such as EMV for payment card security. As such, it participates actively in the EMV User Group (Europay MasterCard Visa User Group).

As a provider of payment solutions, and in particular terminals, the Group supports all standards established by the Payment Card Industry – Security Standard Council (“PCI-SSC”). These security standards seek to improve payment card data security by adopting a broad range of specific standards that apply to the various components of payment card transactions. Among these is the Payment Card Industry – PIN Entry Device standard (“PCI-PTS,” formerly PCI-PED), which is one of the most important. The aim of this standard is to guarantee that cardholders’ confidential PINs are always processed by payment acceptance devices in a manner that is fully secured and to ensure the highest level of payment transaction security. PCI-SSC and PCI-DSS (Payment Card Industry – Data Security Standard) aim to secure the confidentiality of payment transaction data, whereas PCI-UPT specifically addresses the security of unattended payment modules.

The development of these standards, which requires continual modifications to existing requirements, is managed by the PCI-SSC’s founding members (Visa, MasterCard, JCB, American Express and Discover) in consultation with other electronic payment industry players (payment terminal manufacturers, regulatory bodies, retailers, banking associations, banks, processors, etc.). As such, the Worldline Group participates in the European working group on protocol standardization.

By way of example, the Group has obtained the PCI-DSS (Payment Card Industry – Data Security Standard) certification for its secure online payment platform and its Pay-lib service (cloud-based electronic wallet). This standard aims to ensure that the cardholder’s confidential data as well as any sensitive transaction data are always securely processed at the systems and databases level.
