Worldline - Registration Document 2016

Risk Factors - Insurance and risk management

4.5.2.3 Specific risk management activities

Fraud risk management

The Group as an issuer processor has, to its knowledge, taken all required actions (e.g. PCI certification) to minimize the risk of data breaches. In its role as commercial acquirer, the Group must ensure compliance with payment security rules established by the organizations that issue PCI certifications and address money laundering risks. The Group’s Fraud Risk Management department has implemented various policies and procedures to address these risks.

The Group has developed a Fraud Detection & Reaction (FD&R) application that allows the detection of fraud in near-real-time based on a data analysis application.

The Group’s risk mitigation process has been enhanced with additional features to further address the residual risks, such as geo-blocking, real-time blocking, fall back de-activation and back-up systems.

Anti-Money Laundering Policy

Worldline SA/NV has had an anti-money laundering (AML) policy in place since 2011. This policy also applies to the companies acquired by the Group in 2016, Paysquare and KB SmartPay. It sets out the general principles of AML, the ‘Know Your Customer’ (KYC) principle and the allocation of responsibility between the Sales and Marketing and the Customer Services Divisions.

The Group’s security risk management

The Group has put in place within its Internal Control department a specific function to manage security risk. This function includes security awareness, security trusted services (review of access to production systems, data and functions, access to cardholder data by the banks and cryptographic key management) and security architecture and policies.

Security risk management measures relate in particular to the following:

● Physical measures: facility entry controls to limit and monitor physical access, video cameras and access control mechanisms, media back-up storage in secured locations, control over the internal or external distribution of any kind of media and storage and accessibility of media;
● Network: firewall and router configuration standards and procedures are designed and deployed for protection against unauthorized access from untrusted networks;
● System security: strict application of regularly reviewed and clearly described hardening rules to avoid exploitation of default passwords and system settings;
● Protection of cardholder data: storage kept to a minimum with data retention and disposal policies, strong cryptography and security protocols, anti-virus software deployed and regularly updated on all systems;
● Secured systems and applications: latest vendor-supplied security patches installed; identification and assessment of security vulnerabilities; secure coding guidelines in order to prevent vulnerabilities from being introduced in the software development processes. In addition, a review of source code prior to release to production or customers is performed in order to identify any potential coding vulnerability;
● Logical access: to ensure that critical data can only be accessed by authorized personnel, systems and processes are in place to limit access based on access requirements and according to job responsibilities;
● Logging and monitoring: logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. Therefore, the presence of logs in all environments allows for thorough tracking, alerting, and analysis when something does go wrong;
● Security systems and processes testing: regular security tests are performed, including the detection of unauthorized wireless access points, internal and external network vulnerability scans, intrusion-detection systems and file-integrity monitoring tools.

The annual performance of the Group’s operational risk management process, supervised by the Operational Control division, analyzes security-related threats and vulnerabilities in order to avoid an unwanted increase in risk exposure.

A formal security awareness program is maintained to ensure that all personnel are aware of the importance of cardholder data security. On a yearly basis, all employees of the Group have to attend this program and to acknowledge that they have read and understood the security policy and procedures of the Group.

Incident response plans are developed and deployed in order to be prepared to respond immediately in the event of a system breach.
