Worldline - 2020 Universal Registration Document

C

DESCRIPTION OF THE GROUP’S BUSINESS Worldline: a regulated Group

Strong authentication C.4.1.3 under PSD2

The Group has structured a dedicated program to manage this regulation impacting its processes and to support its customers (merchants and banks) impacting by the new rules. Besides the Group participates in working groups monitored by local regulators over Europe to finish on time the migration to the Strong Customer Authentication. The market has developed the standard 3DS.2.X to answer to the new requirement introduced by PSD2 on the SCA (Strong Customer Authentification). The market is deploying this standard respectively among issuers, acquirers and schemes.

The European Banking Authority (EBA) published on October 16, 2019 an Opinion on the deadline for the migration to Strong Customer Authentication under PSD2 for e-commerce (2-legs) card-based payment transactions. The Opinion sets the deadline to December 31, 2020 and prescribes the expected actions to be taken during the migration period.

Regulation applicable outside of the European Economic Area C.4.2

Due to new acquisitions and a more regulated payment landscape globally, Worldline is monitoring local payment legislation and requirements outside Europe closely. Some entities within Worldline Group are currently in the process of a license application in India and Singapore due to new regulations: The Reserve Bank of India (RBI), issued vide its Circular ● (DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020), regulations for Payment Aggregators in India; The Monetary Authority of Singapore (MAS) issued the ● Payment Services Act 2019 (No. 2 of 2019) (PS Act) came into force on January 28, 2020. All businesses that carry out one or more regulated payment activities under the PS Act will require a payment service provider license. Businesses providing payment services that were previously unregulated under the MCRBA and/or the PSOA The Worldline Group implements the processes defined by the international standard-setting bodies such as ISO 9001 which relates to requirements for quality, 27001 which relates to requirements for security and 14001 which relates to environmental requirements of technological infrastructures. The Worldline Group develops and implements infrastructure sector solutions or services in secure cloud mode which are specific for certain activities and certified by the corresponding national authorities (health data for example). The Group also implements controls corresponding to international security requirements such as EMV for payment cards security. As such, it participates actively in the EMV User Group (Europay MasterCard Visa User Group). As a provider of payment solutions, and in particular terminals, the Group supports all standards established by the Payment Card Industry – Security Standard Council (“PCI-SSC”). These security standards seek to improve payment card data security by adopting a broad range of specific standards that apply to the various components of payment card transactions. Compliance with technical standards C.4.3

will be allowed to request a temporaryexem ption from the Monetary Authority of Singapore (MAS). Following the UK’s exit from the EU on January 31, 2020, the UK entered the transition period agreed as part of the Withdrawal Agreement between the UK and EU. The transition period is due to end on December 31, 2020. During the transition period EU law will continue to apply to the UK under the terms set out in the Withdrawal Agreement Act. Passporting rights for EEA firms will continue for the duration of the transition period. Several regulated entities within the Group have applied for the Temporary Permissions Regime. The temporary permissions regime will allow EEA firms using a passport to operate for a limited period while they seek authorization from the PRA when the passporting regime falls away at the end of the transition period. Among these is the Payment Card Industry – PIN Entry Device standard (“PCI-PTS,” formerly PCI-PED) which is one of the most important. The aim of this standard is to guarantee that cardholders’ confidential PINs are always processed by payment acceptance devices in a manner that is fully-secured and to ensure the highest level of payment transaction security. PCI-SSC and PCI-DSS (Payment Card Industry – Data Security Standard) aim to secure the confidentiality of payment transaction data, whereas PCI-UPT precisely addresses the security specific to unattended payment modules. The development of these standards, which requires continual modifications to existing requirements, is managed by the PCI-SSC’s founding members: Visa, MasterCard, JCB, American Express and Discover in consultation with other electronic payment industry players (payment terminal manufacturers, regulatory bodies, retailers, banking associations, banks, processors, etc.). As such, the Worldline Group participates in the European working group on protocol standardization.

70

Universal Registration Document 2020

Made with FlippingBook Ebook Creator