Introduction
Worldline Sips is a secure multi-channel e-commerce payment solution that complies with PCI DSS. It allows you to accept and manage payment transactions while taking into account the business rules related to your activity (payment on delivery, deferred payment, recurring payment, payment in instalments, etc.).
Our solution is secure and easy to implement. It is based on a set of components, technologies, and operating procedures that, in compliance with the latest standards and regulations related to electronic payment (GDPR, PCI DSS, ISO standards), make it a solution you can trust for the processing of cardholder data.
Securing data
The Worldline Sips solution has been PCI DSS certified since 2006 and, thanks to this security standard, ensures data protection for cardholders.
The solution meets your needs with a variety of secure interfaces that suit your business.
Securing the PAN
The Worldline Sips solution secures card data through a tokenisation process.
The tokenisation principle is to associate a single token with a given card number: the assigned token is non-reversible and cannot be used to recover the card number.
The token is a number shared between you and Worldline Sips that securely replaces the card number (PAN).
Token usage is a simple method that contributes to the PCI DSS compliance.
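The following is an added example, not code from Worldline or from the Sips platform, that illustrates the tokenisation principle described above: a vault that assigns exactly one token per card number, draws the token from a cryptographic random source so that it carries no information about the PAN, and only lets the vault itself map a token back. The Luhn check, the masking rule and the 16-digit token format are assumptions made for this example; the PAN used in the demo is a constructed test number.

```python
import secrets
import string

TOKEN_LENGTH = 16  # assumed token format for this example


def luhn_valid(pan: str) -> bool:
    """Sanity-check a PAN with the Luhn algorithm before it enters the vault."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for position, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if position % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits only, the rest replaced by '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Constructed token vault: one random token per PAN, reversible only via the vault.

    Because the token is random rather than derived from the PAN (no hash, no
    encryption), nothing about the card number can be computed from the token;
    recovering the PAN requires access to the vault's own mapping.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a structurally valid card number")
        token = self._pan_to_token.get(pan)
        if token is None:
            # Same PAN always yields the same token; a fresh PAN gets a new random one.
            while True:
                token = "".join(secrets.choice(string.digits) for _ in range(TOKEN_LENGTH))
                if token not in self._token_to_pan:   # guard against a (negligible) collision
                    break
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only code with access to the vault can turn a token back into a PAN."""
        return self._token_to_pan[token]


def demo() -> tuple[str, str, str]:
    """Constructed test PAN; returns (masked PAN, token, token on second call)."""
    vault = TokenVault()
    pan = "4111111111111111"
    first = vault.tokenise(pan)
    second = vault.tokenise(pan)
    return mask_pan(pan), first, second
```

The merchant system keeps and uses only the token (for recurring or one-click payments, for example); the PAN never needs to be stored on the merchant side, which is what reduces the PCI DSS footprint mentioned above.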
Security of customer exchanges
Messages exchanged between you and Worldline Sips are signed using cryptographic keys.
Worldline Sips security keys ensure:
- your authentication
- the authorisation request from the cardholder's bank
- data privacy, as data is encrypted over the Internet
- the integrity of data exchanged
Depending on the type of connector used, security is either provided by a secret key (for HTTPS connectors) or by X509 certificates (used to secure web-service type connectors).
Secret key
To secure the online payment process, Worldline Sips shares a secret key with you, which allows Worldline Sips to authenticate you when you call Sips Paypage or Sips Office.
Having identified you, Worldline Sips redirects the buyer to the payment pages.
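As an added example (not Worldline's code, and not a description of the Sips message format), the block below shows the shared-secret mechanism in the two sections above: the merchant seals a request with a key known only to itself and Worldline Sips, and the receiving side recomputes the seal to authenticate the sender and detect any change to the data. HMAC-SHA256, the `key=value|...` serialisation, the field names and the key-version lookup are all assumptions made for the illustration; the secret and merchant identifier are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder secrets, indexed by a version so that a key can be rotated
# while requests sealed with the previous key are still being processed (assumed scheme).
SECRET_KEYS = {
    "1": "PLACEHOLDER-secret-key-v1",
    "2": "PLACEHOLDER-secret-key-v2",
}


def build_data(fields: dict) -> str:
    """Canonical serialisation of the request fields (assumed layout, not Sips' own).

    Sorting the keys makes both sides produce the same byte string for the same fields.
    """
    return "|".join(f"{key}={fields[key]}" for key in sorted(fields))


def compute_seal(data: str, secret_key: str) -> str:
    """HMAC-SHA256 over the serialised data, hex-encoded (algorithm assumed here)."""
    return hmac.new(secret_key.encode("utf-8"), data.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_seal(data: str, seal: str, key_version: str) -> bool:
    """Receiver side: recompute with the key for the stated version, compare in constant time."""
    secret_key = SECRET_KEYS.get(key_version)
    if secret_key is None:
        return False  # unknown key version: reject rather than fall back to another key
    expected = compute_seal(data, secret_key)
    return hmac.compare_digest(expected, seal.lower())


def demo() -> tuple[bool, bool, bool]:
    """Returns (genuine request accepted, tampered amount rejected, wrong key rejected)."""
    request = {
        "merchantId": "000000000000000",   # constructed placeholder
        "amount": "1000",
        "currencyCode": "978",
        "orderId": "ORDER-42",
    }
    data = build_data(request)
    seal = compute_seal(data, SECRET_KEYS["1"])

    genuine = verify_seal(data, seal, "1")
    # Changing any sealed field after signing invalidates the seal.
    tampered = verify_seal(build_data(dict(request, amount="10")), seal, "1")
    # A seal produced with another merchant's key does not verify under this one.
    wrong_key = verify_seal(data, compute_seal(data, SECRET_KEYS["2"]), "1")
    return genuine, tampered, wrong_key
```

Two defensive details matter in practice: the comparison is constant-time (`hmac.compare_digest`) so the verifier leaks nothing about how many leading characters matched, and an unknown key version is rejected outright instead of being tried against every key on file.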
Certificate (X509)
Worldline Sips certificate-based encryption is used to secure data exchanges through Worldline Sips web-services.
This certificate includes a public key and a private key:
- Messages are encrypted with the public key and can be decrypted using the private key only.
- Messages are signed with the private key; the public key is used to verify the sender's identity.
Interfaces access management
Password management
Using an ID and a password provides access to the Worldline Sips interfaces with the associated rights. The user can log out at any time. To ensure the security of users, the implemented security policy requires the following:
- enter a new password the first time you log in
- frequent password renewal (valid for three months)
- the password must have a minimum length of 10 characters and must include:
  - at least one alphabetic character
  - at least one digit
  - at least one special character
- the password must be different from the last four passwords used
All of these contribute to securing the data.
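An added example, written for this page rather than taken from Worldline's interfaces, of how the password rules listed above can be enforced: length, character classes, and a "not one of the last four" check that keeps only salted hashes of previous passwords, never the passwords themselves. Treating any non-alphanumeric, non-space character as "special", and the PBKDF2 parameters, are assumptions of this example.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import List

MIN_LENGTH = 10        # minimum length stated in the policy
HISTORY_SIZE = 4       # the last four passwords may not be reused
PBKDF2_ROUNDS = 50_000  # assumed work factor for hashing the history entries


def policy_violations(password: str) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        violations.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        violations.append("no special character")
    return violations


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of the last HISTORY_SIZE passwords; the oldest drops out automatically."""

    def __init__(self, size: int = HISTORY_SIZE) -> None:
        self._entries: deque = deque(maxlen=size)   # (salt, digest) pairs

    def was_used(self, password: str) -> bool:
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))


def validate_new_password(password: str, history: PasswordHistory) -> List[str]:
    """Policy rules plus the reuse check against the user's history."""
    violations = policy_violations(password)
    if history.was_used(password):
        violations.append(f"matches one of the last {HISTORY_SIZE} passwords")
    return violations


def change_password(password: str, history: PasswordHistory) -> bool:
    """Accept and record the new password only if no rule is violated."""
    if validate_new_password(password, history):
        return False
    history.record(password)
    return True
```

Each history entry carries its own salt, so the same password recorded twice produces two different digests and the history cannot be used as a lookup table for the user's earlier passwords.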
Compartmentalisation of merchants
Mutualisation of the solution
Resources are pooled for all customers of the Worldline Sips offers: same databases, same application servers.
Mutualisation and compartmentalisation
Each merchant is associated with a commercial offer, which is itself associated with a technical offer. Once a user has authenticated to an application, the application itself enforces the compartmentalisation of merchants and their webshops.
Security protocols
Secure file exchanges
Securing exchanges of internal Worldline files and external customer files is ensured by our file transfer gateway set up in a mutualised bubble that is subject to all the management restrictions and procedures imposed by the PCI DSS standard.
Data exchanges by secure file transfer or secure web services implement:
- an authentication by identification (user/password) on the Secure File Transfer Protocol (SFTP) server
- an SSL/TLS (TLS 1.2) encrypted protection of the streams exchanged for the FTPS and PeSIT protocols
- an SSH (key-pair) encrypted protection of the streams exchanged for SFTP.
Securing HTTP streams
The HyperText Transfer Protocol (HTTP) allows you to connect to a web server and transfer data over the web. But this protocol is not secure, which means that a malicious third party could intercept and read such data.
Its secure variant, the Secure HyperText Transfer Protocol (HTTPS), adds a Secure Sockets Layer (SSL) / Transport Layer Security (TLS) protocol to HTTP. Not only does this additional protocol ensure data integrity and encryption (which makes the data unreadable by a third party) during transmission, it also allows the holder of the SSL/TLS certificate used on a website to be authenticated, which the user's browser indicates with a "padlock" icon next to the URL. This authentication relies on an X509 digital certificate issued by a Certificate Authority (CA).
Worldline Sips data flows exchanged via the web are secured by using TLS version 1.2.
The TLS protocol consists of:
- a "negotiation" between the client and the server ("handshake"), during which the cryptographic algorithms (the "cipher suite") are negotiated based on the client's and server's capabilities, ending with the creation of a session key
- a session during which the session key is used to securely exchange data.
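As an added example, not part of the original page, the block below shows the client-side checks a merchant integration should make for the exchange just described: refuse anything older than TLS 1.2, require a certificate chained to a trusted CA, and verify that the certificate matches the host. It uses only the Python standard library; the hostname in the connection helper is a placeholder.

```python
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """TLS policy matching this page: TLS 1.2 or newer, CA-verified, hostname-checked."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and TLS 1.1 are refused
    return ctx


def version_allowed(ctx: ssl.SSLContext, version: ssl.TLSVersion) -> bool:
    """Whether the context would accept a handshake at the given protocol version."""
    return version >= ctx.minimum_version


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-data view of the context, convenient for logging or configuration tests."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "tls_1_1_allowed": version_allowed(ctx, ssl.TLSVersion.TLSv1_1),
        "tls_1_2_allowed": version_allowed(ctx, ssl.TLSVersion.TLSv1_2),
    }


def negotiated_parameters(host: str, port: int = 443) -> tuple:
    """Perform the handshake and return (protocol version, cipher suite) actually agreed.

    Needs network access, so it is not exercised by the offline tests; the handshake
    fails with ssl.SSLError if the server cannot meet the policy above.
    """
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _protocol, _bits = tls.cipher()
            return tls.version(), cipher_name


if __name__ == "__main__":
    print(policy_summary(make_client_context()))
    # negotiated_parameters("payment.example.invalid")  # placeholder host; run against your endpoint
```

The two values returned by `negotiated_parameters` are the outcome of the handshake phase described above (protocol version and cipher suite); everything exchanged afterwards is protected by the session key derived during that phase.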
Availability of services
Architecture
The Worldline Sips solution is a bi-site implementation to provide a disaster recovery plan across all layers, systems, and applications.
Each Worldline Sips technical component on each site and the file transfer platform are redundant and configured for load balancing.
If a piece of equipment fails, the load distribution is automatically adapted by removing the faulty equipment from the flow.
The disaster recovery plan (DRP) is activated to deal with extreme situations: fire, water damage, major accident, seismic or weather phenomenon, flood, air conditioning failure, loss of power, loss of telecommunications equipment, hardware failure, unavailability of staff, etc.
Business continuity Plan (BCP) approach
To ensure the resumption or continuity of critical business, Worldline has implemented a Business Continuity Plan (BCP).
This continuity plan is not limited to the continuity of services/applications; it also covers the relocation of users, health risks (epidemic, pandemic), the coordination steps for crisis management (labour constraints, crisis centre, etc.), crisis communication, business-related workaround measures and cross-functional positions (HR, logistics).
Business continuity plan tests are conducted every year and are intended to test that all Worldline Sips service URLs are able to accommodate all flows on a single site in the event of a major incident.
Using 3-D Secure
Implemented by Visa and Mastercard under the respective trade names Verified by Visa and MasterCard SecureCode, 3-D Secure allows you to limit the risk of internet fraud related to identity theft attempts.
If you have subscribed to the 3-D Secure service, it offers security benefits for both the internet user and yourself: you can be sure that your customer is the cardholder.
For more information on this service, please refer to our 3-D Secure guide.
Fraud risk management
Worldline has a fraud risk management offer based on:
- self-management of fraud control criteria and, therefore, of transaction blocking (Go-No-Go solution) according to your criteria and business requirements
- transaction reliability assessment by computing a score associated with the transaction (Business Score solution).
- an anti-carding system to discourage the mass generation of transactions using stolen or generated card numbers (carding).
Certification and standards
PCI DSS
PCI DSS is an international security standard whose objectives are to ensure the confidentiality and integrity of cardholders' data, thereby protecting card and transaction data. Merchants and payment providers are required to comply with this standard, to varying degrees depending on the size of their business.
Worldline is PCI DSS certified and implements, among other things, the following security actions:
- information system security policy
- premises monitored and protected by access control
- secure servers and backed up data
- regularly audited information system
- highly secure hosting centres
Worldline is responsible for the security of cardholders' data, but the company is not responsible for the PCI DSS compliance of its clients.
Please have a discussion about this with your acquiring institution.
In order to comply with PCI DSS, you are asked to fill in a more or less extensive questionnaire depending on the type of payment solution implemented. This questionnaire is to be returned to your acquiring bank once a year (see the 'SAQ' section).
SAQ
You will need to show your PCI DSS certificate of conformity to your acquiring bank as soon as possible.
This certificate of conformity is declarative and you will be required to complete a Self-Assessment Questionnaire (SAQ) that will allow you to know whether you are compliant or not with the PCI DSS requirements.
So your approach to SAQs is a two-step process:
FIRST STEP: DETERMINE THE LEVEL YOU BELONG TO
Whether you accept a few card payments per year or millions, you will be classified into one of the following four levels defined by the international schemes.
Level | Type of activity | Actions required for compliance |
---|---|---|
1 | Any merchant processing more than 6 million Visa or Mastercard transactions per year. Any merchant who has been compromised. | On-site security audit (or SAQ for Visa Europe). Quarterly vulnerability scan (if e-commerce). |
2 | Any merchant processing from 1 to 6 million Visa or Mastercard transactions per year. | Annual self-assessment questionnaire. Quarterly vulnerability scan (if e-commerce). |
3 | Any merchant processing from 20,000 to 1 million Visa or Mastercard transactions per year. | |
4 | Any merchant processing less than 20,000 Visa or Mastercard e-commerce transactions per year. All other merchants processing up to 1 million Visa or Mastercard transactions per year. | Annual self-assessment questionnaire. Quarterly vulnerability scan is recommended (if e-commerce) (depends on whether data is captured, stored, or transmitted by the merchant infrastructure or by a service provider). |
If in doubt, take the number of transactions per card brand, contact your acquiring bank and ask for confirmation of your level. Acquiring banks have the ultimate decision-making power over the levels of their merchants, so you need to check your assumptions with your bank.
SECOND STEP: DETERMINE WHAT YOU NEED TO SUBMIT FOR VALIDATION
Once you have identified the level you belong to, you will be able to determine what you need to provide to your acquiring bank.
If you are Level 2 to 4, you must complete a self-assessment questionnaire that is appropriate for your activity. Self-assessment questionnaires are documents that contain a series of questions that you must answer.
There are three types of SAQ covering the Worldline Sips offer: A, A-EP and D.
Type of SAQ | Description | Number of questions (version 3.2) |
---|---|---|
A | Card not present: all payment processing features are outsourced, no electronic cardholder data storage. Merchants with no card (e-commerce or mail/phone orders) that have completely outsourced all cardholder data features to third-party service providers that comply with PCI DSS, without storage, electronic processing or transmission of cardholder data on the merchant's systems or premises. | 22 |
A-EP | E-commerce redirected to a third-party, PCI DSS compliant service provider for payment processing, no electronic cardholder data storage. E-commerce merchants that outsource all payment processing to PCI DSS-approved third parties and have one or more websites that do not directly receive cardholder data but can impact the security of the payment transaction. No electronic storage, processing or transmission of cardholder data on the merchant's systems or premises. | 193 |
D-Merchant | All other merchants or those who electronically store cardholder data. | 331 |
GDPR
The General Data Protection Regulation (GDPR) is a regulation put in place by the European Union to oversee the collection and processing of personal data in Europe.
Its purposes are to strengthen the rights of individuals, to make the various stakeholders accountable for their data processing and to reinforce the regulations in place. This regulation builds on the work of the CNIL (Commission Nationale de l'Informatique et des Libertés), a French administrative body created in 1978 to ensure respect for privacy in the computer processing of personal data.
On the other hand, the GDPR terminates the previous reporting obligations to the said CNIL, since the latter may now conduct checks at any time.
To ensure and prove its compliance with privacy, Worldline has followed and implemented the 6 CNIL advisory steps:
- appoint a data protection officer
- map data processing
- define corrective actions
- analyse/manage risks
- set up internal procedures
- document compliance
Challenges
As part of the Worldline Sips offer, Worldline has a subcontractor role (within the meaning of the GDPR, otherwise called "data processor"), on behalf of its customers, who are responsible for processing (within the meaning of the GDPR, otherwise called "data controller").
The challenges are:
- To combat cyber-malicious acts in all their forms, including e-mail diversion, the theft of browser cookies, the spread of malicious files, the theft of bank details and ransomware.
- To ensure that this data, in the event of theft, is unusable, i.e. incomplete or encrypted.
It is therefore a matter of protecting the people concerned through appropriate processing of their personal data, and of holding accountable those involved in such processing.
Merchant challenges
Personal data that you may be required to collect and/or process is data that identifies an individual in a direct or indirect way:
- examples of direct data: last name, first name
- examples of indirect data: login ID, IP address, phone number, e-mail.
Some of this data is said to be "sensitive": IBAN, social security number, credit card number for example.
Worldline challenges
As a contractor, Worldline has committed to:
- processing personal data only for the purpose of proper service execution
- implementing security standards to provide a high level of security to our services
- notifying you as soon as possible in the event of a data breach
- helping you meet your regulatory obligations by providing you with adequate documentation about our services.
Worldline Sips tracers list
Here is the list of tracers used in the Worldline Sips interfaces:
Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier |
---|---|---|---|---|---|
PAYPAGE_SESSIONID | Cookie | "Necessary" tracer | Retrieves the buyer's payment session. | Payment session | None |
respctx | Cookie | "Necessary" tracer | Cookie added by network equipment, used to secure requests. | Payment session | None |
respctx | Session storage | "Necessary" tracer | This variable is stored in the browser session and redirects the browser to the merchant site from which the payment request originated. | Payment session | None |
X-SDPX-PID (added in Jan. 2022) | Cookie | "Necessary" tracer | Stores the identifier associated with the payment request in the logs. Identifies the resources served by the Apache servers (images / JS) and tracks the requests belonging to the same payment request. | Payment session | None |
Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier |
---|---|---|---|---|---|
SOE_SESSIONID | Cookie | "Necessary" tracer | Allows you to retrieve the user's session. | User session | None |
TSxxxxxxxx | Cookie | "Necessary" tracer | Cookie added by network equipment, used to secure requests. | User session | None |
Style | Cookie | "Necessary" tracer | Allows you to retain the user style choice | 1 year | None |
Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier |
---|---|---|---|---|---|
MEX_SESSIONID | Cookie | "Necessary" tracer | Allows you to retrieve the user's session (generic cookie). | User session | None |
Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier |
---|---|---|---|---|---|
MEX_SESSIONID | Cookie | "Necessary" tracer | Allows you to retrieve the user's session (generic cookie). | User session | None |
_mc_data | Cookie | "Necessary" tracer | Retrieves information on the previously selected merchant | 2 min | None |
o_data | Cookie | "Necessary" tracer | Allows you to find the current offer | 1 week | None |
_static_page_generator_mode | Cookie | "Necessary" tracer | Selects between "SIMPLE" and "EXPERT" mode | 1 week | None |
Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier |
---|---|---|---|---|---|
FRAUD_SESSIONID | Cookie | "Necessary" tracer | Allows you to retrieve the user's session (generic cookie). | User session | None |
GUIFRAUD_CSRF-TOKEN | Cookie | "Necessary" tracer | Secures REST calls with a token | Session duration | None |
Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier |
---|---|---|---|---|---|
DWNLD_SESSIONID | Cookie | "Necessary" tracer | Allows you to retrieve the user's session. | User session | None |
DWNLD3_CSRF-TOKEN | Cookie | "Necessary" tracer | Secures REST calls with a token | User session | None |
Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier |
---|---|---|---|---|---|
deviceContext | | "technical" tracer | Enables incident resolution in the event of technical problems | 190 days | None |
Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier |
---|---|---|---|---|---|
deviceContext | | "technical" tracer | Enables incident resolution in the event of technical problems | 190 days | None |
Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier |
---|---|---|---|---|---|
acceptHeader | Browser | "technical" tracer | Content accepted by the browser - Scoring calculation, fraud prevention | Payment session | DS/ACS |
ip | Browser | "technical" tracer | User IP - Scoring calculation, fraud prevention | Payment session | DS/ACS |
javaEnabled | Browser | "technical" tracer | Activation of javascript in the browser - Scoring calculation, fraud prevention | Payment session | DS/ACS |
language | Browser | "technical" tracer | Browser language - Scoring calculation, fraud prevention | Payment session | DS/ACS |
colorDepth | Browser | "technical" tracer | Color depth - Scoring calculation, fraud prevention | Payment session | DS/ACS |
screenHeight | Browser | "technical" tracer | Screen size - Scoring calculation, fraud prevention | Payment session | DS/ACS |
screenWidth | Browser | "technical" tracer | Screen size - Scoring calculation, fraud prevention | Payment session | DS/ACS |
tz | Browser | "technical" tracer | Time zone - Scoring calculation, fraud prevention | Payment session | DS/ACS |
userAgent | Browser | "technical" tracer | UserAgent used by the browser - Scoring calculation, fraud prevention | Payment session | DS/ACS |
Other Worldline certifications
ISO 9001
ISO 9001 is an international quality management standard that can be used by all organisations.
This standard specifies the requirements for implementing a quality management system, requirements to be used internally or for certification or contractual purposes. This standard focuses on the effectiveness of the quality management system in meeting customers' requirements.
The 9001 certification is carried out with an external Ernst & Young auditor.
ISO 14001
ISO 14001 is an international standard that specifies requirements for environmental management systems. It is aimed at organisations that want to improve their performance and achieve their environmental and sustainable development goals, in other words, to control and manage their impact on the environment systematically.
The 14001 certification is carried out with an external Ernst & Young auditor.
ISO 27001
ISO 27001 is the internationally recognised standard for information security management in organisations. Security audits are typically structured around this standard.
The standard describes the requirements for the implementation of an Information Security Management System (ISMS).
The ISMS identifies security measures, within a defined scope, so as to guarantee the protection of the organisation's assets.
The goal is to protect functions and information from loss, theft or alteration, and computer systems from any intrusion and disaster.
The 27001 certification is carried out with an external Ernst & Young auditor.
Bancontact Payconiq
As part of its acceptance of Bancontact payment methods (Belgium), Worldline Sips has been certified as compliant with Bancontact security requirements.
The certification audit is carried out by Galitt and Bancontact.
At the end of the audit, Bancontact issues a "Full Security Certification" certificate.