6 Business: Regulation
Worldline 2016 Registration Document, p. 70
6.9.4 Compliance with technical standards

Payment services providers, and, in particular, terminal manufacturers must comply with a number of security standards, including, in particular, standards established by the Payment Card Industry – Security Standard Council (“PCI-SSC”). These security standards seek to improve payment card data security by adopting a broad range of specific standards that apply to the various components of payment card transactions. The main such standard is the Payment Card Industry – PIN Entry Device standard (“PCI-PTS,” formerly PCI-PED), which applies to devices that require the entry of a PIN. The aim of this standard is to guarantee that cardholders’ confidential PINs are always processed by payment acceptance devices in a manner that is fully secured and to ensure the highest level of payment transaction security. Other PCI-SSC standards have emerged, including PCI-DSS (Payment Card Industry – Data Security Standard) aimed at preserving the confidentiality of payment transaction data and PCI-UPT (security standard specific to unattended payment modules). The development of these standards, which requires continual modifications to existing requirements, is managed by the PCI-SSC’s founding members: Visa, MasterCard, JCB, American Express and Discover, in consultation with other electronic payment industry players (payment terminal manufacturers, regulatory bodies, retailers, banking associations, banks, processors, etc.). This system thus allows companies to participate in the development of standards and the rules established to implement them. The Group participates in the European working group on protocol standardization.
By way of example, the Group has obtained the PCI-DSS (Payment Card Industry – Data Security Standard) certification for its secure online payment platform and its Pay-lib service (cloud-based electronic wallet). This standard aims to ensure that the cardholder’s confidential data as well as any sensitive transaction data are always securely processed at the systems and databases level.
Lastly, the Group is subject to international security requirements such as the international standard for payment card security, established by the Europay MasterCard Visa User Group (“EMV User Group”), in which the Group participates.

The Group is also subject to international certification standards such as ISO 9001, which relates to requirements for quality management systems, and ISO 14001, which relates to environmental requirements for technological infrastructure.
6.9.5 Protection of personal data

In connection with its business activities, the Worldline Group collects and processes information subject to personal data protection laws and regulations in Europe as well as in other regions in which the Worldline Group operates. Such personal data processing is carried out on behalf of both Worldline Group companies themselves and their customers.
6.9.5.1 Personal data processing within the European Economic Area

Directive 95/46/CE of October 24, 1995 (the “Personal Data Directive”) is the point of reference for personal data protection regulation within the European Economic Area (the “EEA,” which includes the European Union, Iceland, Norway and Liechtenstein). In France, the Personal Data Directive was implemented through various amendments to law no. 78-17 of January 6, 1978, which relates to information technology, filing system and civil liberties, with the main amendment having been adopted through law no. 2004-801 of August 6, 2004.
The Personal Data Directive applies to automated or non-automated personal data processing when the relevant data is included or is meant to be included in a filing system. “Personal data” is broadly defined as all information relating to a natural person who has been identified or is identifiable directly or indirectly, regardless of his or her country of residence or nationality. The Personal Data Directive requires persons and entities responsible for processing personal data that are either incorporated in an EEA member state or have recourse to data processing functions in an EEA member state to put in place a number of measures prior to and at the time the relevant data is collected, while it is stored and until it is erased. According to the Personal Data Directive, the person or entity that, alone or jointly with others, determines the purposes and means of the processing of personal data (as opposed to a simple subcontractor acting on behalf of a third party) is considered to be a “data controller”.
With respect to each of its activities that involve personal data processing, each Worldline Group entity in Europe conducts an analysis on a case-by-case basis in order to determine whether it is acting in a data controller or subcontractor capacity.

Where a Worldline Group entity functions as a data controller (for instance those entities that handle employees’ personal data or anti-fraud measures), it is subject to the following obligations:

● to satisfy the criteria set forth in the Personal Data Directive for making data processing legitimate, which include, among others, that the person concerned has given his or her consent or that the processing of personal data is necessary for the purposes of pursuing a legitimate interest or for the performance of a contract to which the person concerned is a party;

● to ensure that the personal data is (i) processed fairly and lawfully, collected for specific, explicit and legitimate purposes, and proportionate for such processing and/or collecting purposes, and (ii) accurate and, where necessary, kept up-to-date;