Sips information systems security
WL Sips is a secure multi-channel e-commerce payment solution that complies with PCI DSS. It allows you to accept and manage payment transactions while taking into account the business rules related to your activity (payment on delivery, deferred payment, recurring payment, payment in instalments, etc.).
Our solution is completely secure and easy to implement. It is based on a set of components, technologies and operating procedures that, in compliance with the latest standards and regulations related to electronic payment (GDPR, PCI DSS, ISO standards), make it a solution you can fully trust for the processing of cardholder data.
Availability of services
The WL Sips solution is a dual-site implementation that provides a disaster recovery plan across all layers, systems and applications.
Each WL Sips technical component on each site and the file transfer platform are redundant and configured for load balancing.
If a piece of equipment is down, the load distribution is automatically adapted by removing the faulty equipment from the flow.
The disaster recovery plan is activated to deal with extreme situations: fire, water damage, major accident, seismic or weather event, flood, air-conditioning failure, loss of power, loss of telecommunications equipment, hardware failure (DRP), loss of staff availability, etc.
Business continuity Plan (BCP) approach
To ensure the resumption or continuity of critical business, Worldline has implemented a Business Continuity Plan (BCP).
This continuity plan is not limited to the continuity of services and applications; it also covers fallback premises for users, health risks (epidemic, pandemic), the coordination steps for crisis management (labour constraints, crisis centre, etc.), crisis communication, business-related workaround measures and cross-functional roles (HR, logistics).
Business continuity plan tests are conducted every year and are intended to test that all WL Sips service URLs are able to accommodate all flows on a single site in the event of a major incident.
The WL Sips solution has been PCI DSS certified since 2006 and, thanks to this security standard, ensures the protection of cardholder data.
The solution meets your needs with a variety of secure interfaces that suit your business.
You will need to show your PCI DSS certificate of conformity to your acquiring bank as soon as possible.
This certificate of conformity is declarative and you will be required to complete a Self-Assessment Questionnaire (SAQ) that will allow you to know whether you are compliant or not with the PCI DSS requirements.
So your approach to SAQs is a two-step process:
FIRST STEP: DETERMINE THE LEVEL YOU BELONG TO
Whether you accept a few card payments per year or millions, you will be classified into one of the following four levels defined by the international schemes.
| Level | Type of activity | Actions required |
|---|---|---|
| 1 | Any merchant processing more than 6 million Visa or Mastercard transactions per year. Any merchant who has been compromised. | On-site security audit (or SAQ for Visa …). Quarterly vulnerability scan (if e-commerce). |
| 2 | Any merchant processing from 1 to 6 million Visa or Mastercard transactions per year. | Annual self-assessment. Quarterly vulnerability scan (if e-commerce). |
| 3 | Any merchant processing from 20,000 to 1 million Visa or Mastercard transactions per year. | See Level 4. |
| 4 | Any merchant processing less than 20,000 Visa or Mastercard e-commerce transactions per year. All other merchants processing up to 1 million Visa or Mastercard transactions per year. | Annual self-assessment questionnaire. Quarterly vulnerability scan is recommended (if e-commerce; depends on whether data is captured, stored or transmitted by the merchant infrastructure or by a service provider). |
If in doubt, take the number of transactions per card brand, contact your acquiring bank and ask for confirmation of your level. Acquiring banks have the ultimate decision-making power over the levels of their merchants, so you need to check your assumptions with your bank.
SECOND STEP: DETERMINE WHAT YOU NEED TO SUBMIT FOR VALIDATION
Once you have identified the level you belong to, you will be able to determine what you need to provide to your acquiring bank.
If you are Level 2 to 4, you must complete a self-assessment questionnaire that is appropriate for your activity. Self-assessment questionnaires are documents that contain a series of questions that you must answer.
There are three types of SAQ covering the WL Sips offer: A, A-EP and D.
| Type of SAQ | Description | Number of … |
|---|---|---|
| A | Card not present: all payment processing features are outsourced, no electronic cardholder data storage. Card-not-present merchants (e-commerce or mail/phone orders) that have completely outsourced all cardholder data features to third-party service providers that comply with PCI DSS, with no storage, electronic processing or transmission of cardholder data on the merchant's systems or premises. | |
| A-EP | E-commerce redirected to a third-party, PCI compliant service provider for payment processing, no electronic cardholder … E-commerce merchants that outsource all payment processing to PCI DSS-approved third parties and that have one or more websites which do not directly receive cardholder data but can impact the security of the payment transaction. No electronic storage, processing or transmission of cardholder data on the merchant's systems or premises. | |
| D-Merchant | All other merchants, or those who electronically store cardholder data. | 331 |
Securing the PAN
The WL Sips solution secures card data through a tokenisation process.
The tokeniser associates a single token with a given card number; the assigned token is non-reversible and cannot be used to recover the card number.
The token is a number shared by you and WL Sips that securely replaces the card number (PAN).
Using tokens is a simple method that contributes to PCI DSS compliance.
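To make the non-reversibility point concrete, here is an added example (not Worldline's own code) of a vault-style tokeniser: the token is random, so it carries no information about the PAN, and only the tokeniser that issued it can resolve it. The class name, the vault structure and the card numbers are constructed test values.

```python
"""Added example (not Worldline's own code): a vault-style tokeniser that
shows the property described above, a token that reveals nothing about the
PAN and can only be resolved by the tokeniser that issued it.
All names and card numbers are constructed test values."""
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: rejects mistyped PANs before tokenising."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokeniser side: one random token per PAN, kept in a vault.

    The merchant stores only the token; the PAN is recoverable from the
    vault alone, so a leaked token is not a leaked card number."""

    def __init__(self) -> None:
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenise(self, pan: str) -> str:
        """Return the single token for this PAN (the same PAN always maps to
        the same token, so the merchant can recognise a returning card)."""
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Keep the last four digits (for receipts), randomise the rest so
            # the token is unrelated to the PAN, and require the result to FAIL
            # the Luhn check so it can never be mistaken for a real card number.
            body = "".join(secrets.choice("0123456789") for _ in pan[:-4])
            token = body + pan[-4:]
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only the vault holder can map a token back to the PAN."""
        return self._token_to_pan[token]
```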
Security of customer exchanges
Messages exchanged between you and WL Sips are signed using cryptographic keys.
WL Sips security keys ensure:
- your authentication
- the authorisation request from the cardholder's bank
- data privacy, as data is encrypted over the Internet
- the integrity of data exchanged
Depending on the type of connector used, security is provided either by a secret key (HTTPS connectors) or by X509 certificates (used to secure web-service connectors).
WL Sips certificate-based encryption is used to secure data exchanges through the WL Sips web services.
The certificate is associated with a key pair, a public key and a private key:
- messages encrypted with the public key can be decrypted with the private key only
- messages are signed with the private key; the public key is used to verify the signature and thus identify the sender.
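The secret-key case described above (HTTPS connectors) works like this added example, which is not the WL Sips message format: the sender computes an HMAC-SHA256 seal over the message with the shared secret, and the receiver recomputes it, so a forged sender or an altered field is detected. Field names, values and the secret key are constructed.

```python
"""Added example (not the WL Sips message format): sealing a message with a
shared secret key, as the HTTPS connectors described above do, so the
receiver can check both who sent it and that it was not altered in transit.
Field names, values and the secret key are constructed."""
import hashlib
import hmac


def canonical(fields: dict) -> bytes:
    """Serialise the fields in a fixed order so that sender and receiver
    always seal exactly the same bytes, whatever order they were sent in."""
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode("utf-8")


def seal(fields: dict, secret_key: bytes) -> str:
    """Sender side: HMAC-SHA256 over the canonical message. Without the
    secret key nobody can produce a valid seal (authentication), and any
    change to a field changes the seal (integrity)."""
    return hmac.new(secret_key, canonical(fields), hashlib.sha256).hexdigest()


def verify_seal(fields: dict, received_seal: str, secret_key: bytes) -> bool:
    """Receiver side: recompute the seal and compare in constant time, so the
    comparison itself leaks no timing information about the expected value."""
    return hmac.compare_digest(seal(fields, secret_key), received_seal)


# Constructed sample: a payment request and the key shared by both parties.
SECRET_KEY = b"constructed-shared-secret-replace-with-the-real-key"
REQUEST = {
    "merchant_id": "000000000000001",
    "amount": "1999",   # minor units, i.e. 19.99
    "currency": "978",  # ISO 4217 numeric code for EUR
    "order_id": "A-42",
}


def demo() -> tuple:
    """Return (genuine accepted, tampered rejected, wrong key rejected)."""
    s = seal(REQUEST, SECRET_KEY)
    genuine = verify_seal(REQUEST, s, SECRET_KEY)
    tampered = verify_seal(dict(REQUEST, amount="1"), s, SECRET_KEY)
    wrong_key = verify_seal(REQUEST, s, b"some-other-key")
    return genuine, not tampered, not wrong_key


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```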
Access to the WL Sips interfaces, with the associated rights, is granted using an ID and a password. The user can log out at any time. To protect users, the security policy in place requires the following:
- a new password must be entered on first login
- passwords are renewed frequently (a password is valid for three months)
- the password must be at least 10 characters long and contain:
  - at least one alphabetic character
  - at least one digit
  - at least one special character
- the password must differ from the last four passwords used
All of these contribute to securing the data.
Using 3-D Secure
Implemented by Visa and Mastercard under the respective trade names Verified by Visa and MasterCard SecureCode, 3-D Secure allows you to limit the risk of internet fraud related to identity misuse attempts.
If you have subscribed to the 3-D Secure service, the subscription brings security benefits for both the internet user and yourself: you can be sure that your customer is the cardholder.
For more information on this service, please refer to our 3-D Secure guide.
Fraud risk management
Worldline has a fraud risk management offer based on:
- self-management of the fraud control criteria and therefore of transaction blocking (Go-No-Go solution), according to your own criteria and business requirements
- transaction reliability assessment by computing a score associated with each transaction (Business Score solution)
- an anti-carding system to deter the mass generation of transactions using stolen or generated card numbers (carding).
Compartmentalisation of merchants
Mutualisation of the solution
Resources are pooled for all customers of the WL Sips offers: same databases, same application servers.
Mutualisation and compartmentalisation
Each merchant is associated with a commercial offer, itself associated with a technical offer. After authentication to an application, it is the application itself that enforces the compartmentalisation of merchants and their webshops.
Secure file exchanges
Exchanges of internal Worldline files and external customer files are secured by our file transfer gateway, set up in a shared (mutualised) zone that is subject to all the management restrictions and procedures imposed by the PCI DSS standard.
Data exchanges by secure file transfer or secure web services implement:
- user/password authentication on the Secure File Transfer Protocol (SFTP) server
- SSL/TLS (TLS 1.2) encryption of the streams exchanged over the FTPS and PeSIT protocols
- SSH (key pair) encryption of the streams exchanged over SFTP.
Securing HTTP streams
The HyperText Transfer Protocol (HTTP) allows you to connect to a web server and transfer data over the web. This protocol is not secure in itself: a malicious third party could intercept and read the data.
Its secure variant, the Secure HyperText Transfer Protocol (HTTPS), layers the Secure Sockets Layer (SSL) / Transport Layer Security (TLS) protocol on top of HTTP. This additional layer ensures data integrity and encryption during transmission (making the data unreadable by a third party), and it also allows the holder of the SSL/TLS certificate used by a website to be authenticated, which the user's browser signals with a "padlock" icon next to the URL. This authentication relies on an X509 digital certificate issued by a Certificate Authority (CA).
WL Sips data flows exchanged via the web are secured by using TLS version 1.2.
The TLS protocol consists of:
- a "negotiation" between the client and the server (the "handshake"), during which the cryptographic algorithms (the "cipher suite") are agreed based on the client's and the server's capabilities, ending with the creation of a session key
- a session during which the session key is used to securely exchange data.
The General Data Protection Regulation (GDPR) is a regulation put in place by the European Union to oversee the collection and processing of personal data in Europe.
Its purposes are to strengthen the rights of individuals, to empower the various stakeholders with respect to data processing and to give credence to the regulations in place. This regulation is a continuation of the CNIL (Commission Nationale de l'Informatique et des Libertés), a French administrative body created in 1978 to ensure respect for privacy during the computer processing of personal data.
On the other hand, the GDPR terminates the previous reporting obligations to the said CNIL, since the latter may now conduct checks at any time.
To ensure and prove its compliance with privacy, Worldline has followed and implemented the 6 CNIL advisory steps:
- appoint a data protection officer
- map data processing
- define corrective actions
- analyse/manage risks
- set up internal procedures
- document compliance
As part of the WL Sips offer, Worldline has a subcontractor role (within the meaning of the GDPR, otherwise called "data processor"), on behalf of its customers, who are responsible for processing (within the meaning of the GDPR, otherwise called "data controller").
The challenges are:
- to combat cyber-malicious acts in all their forms, including e-mail diversion, theft of browser cookies, spreading of malicious files, theft of bank details and ransomware
- to ensure that such data, if stolen, is unusable because it is incomplete or encrypted.
It is therefore a matter of protecting the people concerned by an appropriate processing of their personal data and of making responsible those involved in such a processing.
Personal data that you may be required to collect and/or process is data that identifies an individual in a direct or indirect way:
- examples of direct data: last name, first name
- examples of indirect data: login ID, IP address, phone number, e-mail.
Some of this data is said to be "sensitive": IBAN, social security number, credit card number for example.
As a contractor, Worldline has committed to:
- processing personal data only for the purpose of proper service execution
- not transferring your data outside the EU or outside countries recognised by the European Commission
- informing you of any use of subcontractors who may process your personal data
- implementing security standards to provide a high level of security to our services
- notifying you as soon as possible in the event of a data breach
- helping you meet your regulatory obligations by providing you with adequate documentation about our services.
PCI DSS is an international security standard whose objectives are to ensure the confidentiality and integrity of cardholders’ data, thereby securing card and transaction data protection. Merchants and payment providers are required to comply with this standard, to varying degrees depending on the importance of their business.
Worldline is PCI DSS certified and implements, among other things, the following security actions:
- information system security policy
- premises monitored and protected by access control
- secure servers and backed up data
- regularly audited information system
- highly secure hosting centres
Worldline is responsible for the security of cardholders' data, but the company is not responsible for the PCI DSS compliance of its clients.
Please discuss this with your acquiring institution.
In order to comply with PCI DSS, you are asked to fill in a questionnaire whose length depends on the type of payment solution implemented. This questionnaire is to be returned to your acquiring bank once a year (see the SAQ section).
Other Worldline certifications
ISO 9001 is an international quality management standard that can be used by all organisations.
This standard specifies the requirements for implementing a quality management system, requirements to be used internally or for certification or contractual purposes. This standard focuses on the effectiveness of the quality management system in meeting customers' requirements.
The 9001 certification is carried out with an external Ernst & Young auditor.
ISO 14001 is an international standard that specifies requirements for environmental management systems. It is aimed at organisations that want to improve their performance and achieve their environmental and sustainable development goals, in other words, to control and manage their impact on the environment systematically.
The 14001 certification is carried out with an external Ernst & Young auditor.
ISO 27001 is the internationally recognised standard for information security management in organisations. Security audits are typically structured around this standard.
The standard describes the requirements for the implementation of an Information Security Management System (ISMS).
The ISMS identifies security measures, within a defined scope, so as to guarantee the protection of the organisation's assets.
The goal is to protect functions and information from loss, theft or alteration, and computer systems from any intrusion and disaster.
The 27001 certification is carried out with an external Ernst & Young auditor.