Information Security and Cybersecurity Policy

Click here to access the PDF.

 

Review History

Version: Date of Review: History:
1 6/3/2014 Document creation.
11/13/2014 Given that there were no changes, the document has been revalidated for another two years by the Internal Control Officer, Mr. Eduardo Magalhães, therefore, no new version will be created.
2 6/26/2015 Inclusion of the following items: Scope (II), Additional Documentation (III) and Miscellaneous (VIIIs);
Update of the following items: Concepts and Acronyms (IV), Responsibilities (V) and Consequence Management (VII).
3 7/7/2017 Update of the following items: II. Scope; III. Additional Documentation, IV. Concepts and Acronyms and subitems 1.2 and 1.4 of VI. Guidelines.
4 10/29/2019 Update of the Policy title to “Information Security and Cybersecurity”;
Amendment to items I. Purpose, II. Scope, III. Guidelines (sub-items 1.1, 1.2, 1.3 and 1.4), V. Responsibilities, VI. Additional Documents, VII.
Concepts and Acronyms, and VIII. Miscellaneous;
Inclusion in item III. Guidelines of sub-items 1, 1.1.1, 1.1.2, 1.1.3, 2, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10, 2.10.1, 2.10.2, 2.10.3 and 2.11
5 6/29/2020 Amendment to the following items: II. Scope; III. Principles, Rules and Procedures – subitems 1.1.4,1.4, 2., 2.1, 2.2; V. Responsibilities; VI Additional Documentation; and VII. Concepts and Acronyms.
Inclusion of subitems 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.1, 2.2.2., 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16 to item III. Principles, Rules and Procedures.
Exclusion of subitems 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10, 2.10.1, 2.10.2, 2.10.3, 2.11. from item III. Principles, Rules and Procedures
6 4/26/2021 Update of sub-items 1.1.4, 1.1.5, 1.1.6, 1.2, 2.2.12, 2.2.15.2 of item III. Principles, Rules and Procedures. Amendments to items V. Responsibilities and VI. Additional Documents.

 

I. Purpose

Establish guidelines that allow Cielo SA (“Cielo” or “Company”) to safeguard its information assets, guide the definition of specific rules and procedures for Information Security and Cybersecurity, and implement controls and procedures to reduce the vulnerability of Incidents.

II. Scope

All managers (members of the Board of Executive Officers, members of the Board of Directors and members of the Advisory Committees), members of the Fiscal Council, employees and service providers of Cielo S.A., Servinet Serviços Ltda., Braspag Tecnologia em Pagamentos Ltda., Aliança Pagamentos e Participações Ltda. and Stelo S.A., hereinafter referred to as (“Cielo” or “Company”).
All Company subsidiaries must define their guidelines based on the guidance provided for in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.
Regarding its Affiliates, the Company’s representatives acting as management members of the Affiliates must spare no effort for said companies to define their guidance based on the guidelines provided for in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.

III. Principles, Rules and Procedures 

1. Regarding information security:

1.1. guarantee information security, the Company carries out its activities based on the following pillars:
1.1.1. Confidentiality: ensure that the information will only be accessible to authorized persons;
1.1.2. Integrity: ensure that information, stored or in transit, will not undergo any unauthorized change, whether intentional or not;
1.1.3. Availability: ensure that the information will be available whenever necessary.
1.1.4. Authenticity: ensure that the information is from the original source and has not been altered.
1.1.5. Irrevocability or non-repudiation: guarantee that the legitimate author of the information cannot repudiate authorship, such as, for example, when accepting a digital contract using access credentials, it is understood that the acceptor cannot later deny his/her signature.
1.1.6. Compliance: ensure that the Company’s processes are in accordance with the regulations, rules and laws in effect, in order to strictly follow all the protocols required in the sector in which the Company operates as a result of its activities.
1.2. Cielo considers that information assets is all information generated or developed for the business and can be present in the form of digital files, consent of customers and persons related to Cielo (opt-in and opt-out), equipment, external media, printed documents, digitally signed documents, systems, mobile devices, databases, conversations and recordings.
1.3. The Company establishes that, regardless of the way presented, shared or stored, the information assets must be used only for their duly authorized purpose and are subject to monitoring and auditing.
1.4. Cielo establishes that all information assets owned by it must have a person in charge for them and must be duly classified based on criteria established in a specific regulation and properly protected from any risks and threats that may compromise the business.

2. General Cybersecurity Guidelines:

2.1. With regard to cybersecurity, Cielo has the following general guidelines:
2.1.1. Safeguard data protection against unauthorized access, as well as against unauthorized modifications, destruction or disclosure;
2.1.2. Properly classify the information and guarantee the continuity of their processing, according to the criteria and principles provided for in the internal regulations in force on the matter;
2.1.3. Ensure that systems and data under its responsibility are properly protected and used only for the fulfillment of its duties;
2.1.4. Ensure the integrity of the technological infrastructure in which data is stored, processed or otherwise treated, adopting the necessary measures to prevent logical threats, such as viruses, harmful programs or other failures that may lead to unauthorized access, manipulation or use of internal and confidential data, through: (i) the maintenance of installed and updated antivirus and firewall software and (ii) the maintenance of computer programs installed in the environment, among others; and
2.1.5. Comply with the laws and rules that regulate Cielo’s activities.
2.2. In order to comply with the guidelines listed above:
2.2.1. Cielo’s cybersecurity purpose is to prevent, detect and reduce vulnerability to incidents related to the cyber environment.
2.2.2. With regard to security measures, Cielo adopts procedures and controls to reduce the Company’s vulnerability to incidents and meet cybersecurity objectives, including: authentication, encryption, intrusion prevention and detection, prevention of information leakage, periodic testing and scanning to detect vulnerability, protection against malicious software, implementation of traceability mechanisms, access controls and segmentation of the computer network and the maintenance of backup copies of data and information, according to current internal regulations.
2.2.3. The Company controls, monitors and restricts access to information assets granting permission and privileges to the fewest people possible, pursuant to specific internal rules.
2.2.4. Cielo implements the procedures and controls mentioned above, including in the development of secure information systems and adoption of new technologies used in its activities.
2.2.5. The Company has specific controls, including those aimed at traceability of information, which seek to ensure the security of sensitive information.
2.2.6. Registering, analyzing the cause and impact and controlling the effects of incidents relevant to the Company’s activities, including the information received from companies providing services to third parties.
2.2.7. Cielo prepares inventories of cyber crisis scenarios related to security incidents taken into consideration in continuity tests of payment services provided and carries out annual tests to ensure the effectiveness of the processes, and prepares an annual incident response report in its technological environment.
2.2.8. Cielo classifies security incidents according to their relevance and to (i) the classification of the information involved; and (ii) the impact on the Company’s business continuity, described in specific internal rules.
2.2.9. Cielo periodically assesses service provider companies that carry out the treatment of information relevant to the Company in order to monitor the maturity level of its security controls for the prevention and proper handling of incidents.
2.2.10. The Company has criteria for classifying the relevance of data processing and storage and cloud computing services, in Brazil or abroad, according to internal procedures.
2.2.11. Prior to contracting relevant data processing and storage and cloud computing services, the Company adopts the procedures set forth in specific BACEN regulations on the topic in effect.
2.2.12. Prior to contracting service providers that handle sensitive information or data or data that are relevant to the Company’s operational activities Cielo evaluates whether they adopt procedures and controls aimed at the prevention and treatment of incidents in complexity, comprehensiveness and accuracy levels compatible with those adopted by Cielo.
2.2.13. It establishes rules and standards to ensure that information receives the appropriate level of protection as to its relevance, in accordance with internal regulations. All information has an owner, is mandatorily classified and receives the appropriate controls that guarantee its confidentiality, in accordance with good market practices and regulations in force.
2.2.14. The Company carries out actions to prevent, identify, record and respond to security incidents and crises that involve Cielo’s technological environment and which may compromise the pillars of information security or generate image, financial or operational impact. The definition of relevance of incidents in the technological environment follows a corporate risk standards established in specific regulation.
2.2.15. It adopts mechanisms to disseminate the information security and cybersecurity culture at the Company, including:
2.2.15.1. The implementation of an annual training program for employees;
2.2.15.2. The implementation of a periodic assessment program for employees regarding their level of knowledge on the subject of information and cybersecurity;
2.2.15.3. The provision of information to end users on precautions in the use of products and services offered; and
2.2.15.4. Senior management’s commitment to the continuous improvement of procedures related to information security and cybersecurity.
2.2.16. Cielo adopts initiatives to share information about significant incidents through membership in discussion forums.

IV. Consequence Management

Employees, suppliers or other stakeholders who see any deviations from the guidelines of this Policy may report the fact to the Ethics Channel (https://canaldeetica.com.br/cielo or 0800 775 0808), and may identify themselves or remain anonymous.
Internally, those who do not comply with the guidelines of this Policy will be subject to accountability measures based on the seriousness of such non-compliance.

V. Responsibilities

  • Management and Employees: comply and ensure compliance with this Policy and, when necessary, contact the Vice-Presidency for Technology and Projects to get information on situations that relate to conflict with this Policy or with situations described herein. It is essential that each person understands the role of information security in their daily activities and participate in awareness programs.
  • Risk, Compliance, Prevention and Security Office: comply with the guidelines established in this Policy and annually update it in order to ensure that any changes in Cielo’s direction be included into it and clarify any doubts regarding its content and application.
  • Management, Employees, Suppliers and Contractors: act in an ethical and responsible manner when becoming aware of incidents, sharing information with those responsible for dealing with such incidents in a timely manner and taking all the applicable actions to minimize potential damage, in accordance with the Incident Response Plan – CSIRT Cielo.
  • Board of Directors: after prior assessment by the Advisory Committees, resolve on the annual approval of (i) the report on the implementation of the action and incident response plan to comply with Cielo’s Information Security and Cybersecurity Policy and (ii) the Incident Response Plan – CSIRT Cielo.
  • Information Security and Fraud Prevention Manager Forum: act proactively, supporting Information Security management by performing tasks related to the protection of Cielo’s business and its customers’ business.

VI. Additional Documents

  • Cielo’s Code of Ethical Conduct
  • Incident Response Plan – CSIRT Cielo
  • PCI-Data Security Standard
  • ABNT NBR ISO 27001 – Information Security
  • BACEN Circular Letter 3909/18
  • Internal standards and procedures constantly improved, approved by the competent levels and made available to all employees.
  • Law 13,709, of August 14, 2018 – Brazilian General Data Protection Act (LGPD).
  • Law 12,965, of April 23, 2014 – Brazilian Internet Framework;

VII. Concepts and Acronyms

  • Information Security: Set of concepts, techniques and strategies that aim to protect Cielo’s information assets.
  • Cybersecurity: Set of technologies, processes and practices designed to protect networks, computers, systems and data from attacks, damages or unauthorized access.
  • Stakeholders: Relevant public with interests relevant to the Company, as well as persons or entities that take some type of risk, direct or indirect, before the society. These include, among others, shareholders, investors, employees, society, customers, suppliers, creditors, governments, regulatory bodies, competitors, press, associations and class entities, users of electronic payment methods and non-profit organizations.
  • Affiliates: companies in which the Company holds at least a ten percent (10%) interest on their share capital, without, however, controlling them, as per article 243, paragraph 1 of Brazilian Corporate Law.
  • Subsidiaries: companies in which the Company, directly or indirectly, holds rights as a partner or shareholder that permanently ensure it preponderance in social resolutions and the power to elect the majority of managers, as per article 243, paragraph 2 of Brazilian Corporate Law.
  • Customers: commercial establishments accredited to the Cielo System.
  • Data and/or Information: all data referring to the activities carried out by Cielo in the performance of its corporate purpose, including data from Customers, personal or not, and classified according to the specific internal rule on the matter.
  • Incidents: Any occurrence that actually or potentially compromises the confidentiality, integrity or availability of an information system or information that the system processes, stores or transmits or that constitutes violation or imminent threat of a breach of security policies, security procedures or acceptable usage policies.
  • Service Provider: individual or legal entity, duly hired by Cielo to provide: (i) technology services; (ii) storage or any form of data and information treatment services; or (iii) who may have access, because of the scope of their contract, to confidential data, as classified in this Policy.
  • Cyber Risks: risks arising from cyber attacks, originating from malware, social engineering techniques, invasions, network attacks (DDoS and Botnets) and external fraud, among others, that may expose Cielo’s data, networks and systems, causing financial damage and/or significant reputation damages, which may impair the continuity of Cielo’s activities.

VIII. Miscellaneous

The Company’s Board of Directors is responsible for amending this Policy whenever necessary.
This Policy will become effective as of its date of approval by the Board of Directors and revokes any documents, unless otherwise stated.