Worldline - 2020 Universal Registration Document

D

EXTRA-FINANCIAL STATEMENT OF PERFORMANCE Building customer trust with reliable, secured, innovative and sustainable solutions

The ISO/IEC 27001 standard helps the Company manage the security of its assets, such as financial information, intellectual property, employee details and information entrusted to it by third parties. It is regarded as one of the best-recognised standards setting out the requirements for an Information Security Management System (ISMS). The current scope of the ISO 27001 multi-site certification covers 38 of the 65 eligible Worldline Group sites. Worldline has established security processes built up over years of PCI compliance and other certifications, and maintains 11 certified PCI DSS scopes attested against PCI DSS version 3.2 [1]. The Worldline Information Security Management System is under a continuous improvement process ensuring that our security policies and procedures remain in line with the requirements of different regulatory authorities, such as:

● EBA final guidelines on ICT and security risk management EBA/GL/2019/04, which set out expectations on how all financial institutions should manage the internal and external Information and Communication Technology and security risks to which they are exposed;
● Cyber-Resilience Oversight Expectations (CROE), 12/2018, providing guidance on cyber-resilience for financial market infrastructures (FMIs), which requires FMIs to take the necessary steps immediately, together with relevant stakeholders, to implement it and to enhance their level of cyber-resilience.

● Train Worldline employees yearly on cyber-security threats in order to strengthen and maintain data security awareness. In 2020, 92% of Worldline employees successfully completed training on PCI DSS-specific content. This objective also applies to the general security content of the “Security and safety awareness” training, as well as to the very specific content of the “Secure Coding” training, which is aimed at the development community.
This objective relies on the fact that all Worldline staff are a key line of defence in security, so it is vital that all internal employees, contractors and consultants throughout the Worldline organisation take responsibility for adhering to Worldline security policies and the related standards, procedures and guidelines.

After the carve-out from Atos, our experts in the different areas created a completely new set of courses adapted to our stand-alone environment. These include dynamic, engaging content that enables our employees to learn through integrated videos and interactive features. Conscious of the growing threat of phishing attacks, Worldline runs periodic phishing simulation programmes that expose our employees to fake phishing emails. This helps protect the organisation against this kind of attack by educating our employees and helping them sharpen their anti-phishing skills;
● Continue to keep incident resolution 100% consistent with security policy. Incidents are reported and their root causes are well understood so as to avoid recurrence. This reporting also provides valuable input to regular Security Risk Assessments. The practice is even more valuable in an international context, as Worldline provides its services to customers worldwide. Weekly communication between the Worldline Chief Security Officer and all regional Security Officers ensures close monitoring of recorded security incidents and follow-up on agreed improvement actions. In 2020, 100% of incident responses were fully compliant with Worldline security policy, against 99.64% in 2019 and 98.74% in 2018;
● Achieve defined security Key Performance Indicators. Technical monitoring and reporting are in place to act proactively on security anomalies: weekly security watch analysis, monthly monitoring of firewall configurations, weekly vulnerability scans, yearly penetration tests, reviews of access rights, intrusion detection systems including DDoS mitigation systems, and monitoring and logging of system events. All of these measures are part of the Worldline Security Strategy.
In addition to ensuring security in its business, Worldline has implemented measures and policies to protect its own intellectual property assets and confidential information, including, but not limited to, the use of confidentiality agreements, encryption, and logical and physical protection of information where required. Furthermore, the Worldline Legal & Compliance department advises on all commercial transactions to ensure that appropriate provisions are included in its contracts with customers and suppliers, and that confidential matters are handled appropriately and in compliance with applicable laws.

[1] The very structured security organisation that has been strengthened recently following the Ingenico acquisition.
