
4 Risk Factors
Insurance and risk management
Worldline 2016 Registration Document, page 27

Specific risk management activities

4.5.2.3 Fraud risk management

The Group as an issuer processor has, to its knowledge, taken all required actions (e.g. PCI certification) to minimize the risk of data breaches. In its role as commercial acquirer, the Group must ensure compliance with payment security rules established by the organizations that issue PCI certifications and address money laundering risks. The Group’s Fraud Risk Management department has implemented various policies and procedures to address these risks.

The Group has developed a Fraud Detection & Reaction (FD&R) application that allows the detection of fraud in near-real-time based on a data analysis application.

The Group’s risk mitigation process has been enhanced with additional features to further address the residual risks, such as geo-blocking, real-time blocking, fall back de-activation and back-up systems.

Anti-Money Laundering Policy

Worldline SA/NV has had an anti-money laundering (AML) policy in place since 2011. This policy also applies to the companies acquired by the Group in 2016, Paysquare and KB SmartPay. It sets out the general principles of AML, the ‘Know Your Customer’ (KYC) principle and the allocation of responsibility between the Sales and Marketing and the Customer Services Divisions.

The Group’s security risk management

The Group has put in place within its Internal Control department a specific function to manage security risk. This function includes security awareness, security trusted services (review of access to production systems, data and functions, access to cardholder data by the banks and cryptographic key management) and security architecture and policies.

Security risk management measures relate in particular to the following:

Physical measures: facility entry controls to limit and monitor physical access, video cameras and access control mechanisms, media back-up storage in secured locations, control over the internal or external distribution of any kind of media and storage and accessibility of media;

Network: firewall and router configuration standards and procedures are designed and deployed for protection against unauthorized access from untrusted networks;

System security: strict application of regularly reviewed and clearly described hardening rules to avoid exploitation of default passwords and system settings;

Protection of cardholder data: storage kept to a minimum with data retention and disposal policies, strong cryptography and security protocols, anti-virus software deployed and regularly updated on all systems;

Secured systems and applications: latest vendor-supplied security patches installed; identification and assessment of security vulnerabilities; secure coding guidelines in order to prevent vulnerabilities from being introduced in the software development processes. In addition, a review of source code prior to release to production or customers is performed in order to identify any potential coding vulnerability;

Logical access: to ensure that critical data can only be accessed by authorized personnel, systems and processes are in place to limit access based on access requirements and according to job responsibilities;

Logging and monitoring: logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. Therefore, the presence of logs in all environments allows for thorough tracking, alerting, and analysis when something does go wrong;

Security systems and processes testing: regular security tests are performed, including the detection of unauthorized wireless access points, internal and external network vulnerability scans, intrusion-detection systems and file-integrity monitoring tools.

The annual performance of the Group’s operational risk management process, supervised by the Operational Control division, analyzes security-related threats and vulnerabilities in order to avoid an unwanted increase in risk exposure.

A formal security awareness program is maintained to ensure that all personnel are aware of the importance of cardholder data security. On a yearly basis, all employees of the Group have to attend this program and to acknowledge that they have read and understood the security policy and procedures of the Group.

Incident response plans are developed and deployed in order to be prepared to respond immediately in the event of a system breach.