information security diligence issue 4.5

Information Security Diligence Reward Gateway Australia - March 2015

Upload: reward-gateway

Post on 18-Jul-2015


Page 2

The security of your employee data is our most important task

Overview of security standards

The security of employee data in Australia is our single highest priority.

We invest heavily in people, processes and other resources for Information Security (IS). Reward Gateway’s data security provisions are second to none and have been through some of the toughest tests and accreditations by government and corporate clients in Australia and elsewhere including McDonalds, Vodafone, American Express and IBM.

Key points at a glance

1 Reward Gateway has achieved the tough, international ISO 27001:2005 (Information Security Management System) accreditation for its technology platform and discounts system.

2 We use an ultra-secure datacentre, “The Bunker”, to house and manage our data. It is separately accredited to ISO 27001.

3 Our systems are tested daily by Alertsite.com and annually by an external penetration test agency.

Page 3

Since 2009, we have held the tough, international accreditation for Information Security Management: ISO 27001. In June 2009, Reward Gateway became fully accredited by BSi to the stringent ISO 27001 international security standard. The scope of our assessment covered all of our operations around the world.

BSi’s strict three stage auditing process takes over a year and comprises multiple visits by their assessor.

Systems, processes, procedures, staff training and governance are all strictly vetted.

We have a full reassessment every year, with our latest in April 2014 in which no non-conformances were identified.

Page 4

All employee data that we hold is kept at The Bunker, an ultra-secure datacentre.

The Bunker is an ex-military nuclear command and control centre and benefits from multiple levels of extreme physical security.

Processes, change control and authorisation rules are also strict as The Bunker holds its own, separate ISO 27001 security accreditation.

Page 5

Credit Card Security - PCI DSS Compliance

As a business that takes credit and debit card payments online and over the phone we are subject to the Payment Card Industry Data Security Standard (PCI-DSS).

These standards, developed in collaboration with card providers such as Visa, MasterCard and American Express, specify what should and what should not be done during a transaction, and have the specific aim of reducing fraud.

Our payment card processing system has full PCI DSS Merchant Compliance.

External testing and accreditation

We carry out an annual, external penetration test each year. We also subscribe to a web service called Qualysguard which carries out a more basic automated test every week.

Page 6

Multi-tiered security architecture

We operate a multi-tiered approach to safeguarding data against unauthorised access:

Tier 1: Physical data security

All employee data is housed in our secure server cluster which is located at The Bunker secure datacentre. The Bunker is an ex-military command and control centre designed with protection against nuclear attacks that has been converted into a datacentre with the highest standards of physical security. This ensures that our servers themselves are secured against physical attack. We can supply more details on the levels of security afforded by The Bunker and more information is available at www.thebunker.net.

Physical security at all of our global offices is maintained through, among other measures, the use of digitally recorded CCTV, reinforced doors and individually identifiable fobs at all entry points. Our office servers are protected by two layers of locked physical access and electronic access controls.

Page 7

Tier 2: System and Application Security

We use a wide range of techniques to maintain logical data security of our systems. For security reasons we do not reveal full details of these; they include but are not limited to:

HR Policies, employment contracts and robust training schedules are in place enforcing data security and privacy and ensuring that all staff are aware of the critical role they play in maintaining the security of our data.

Although we have strict policies preventing staff from downloading any employee data onto laptops and computers, we also have additional preventative measures in place. It is impossible through the admin control panel of our systems to perform an extract or dump of the database, and in addition we use encrypted hard disks on all PCs and laptops as a further level of protection.

● SSL encryption

● Decoy admin login pages

● Forced complex password system for admin and management logins

● Time and day based login restrictions for admin and management consoles

● IP address login restrictions for admin and management consoles

● Multi-tier admin and management user logins maintaining lowest “need to know” security authentication for Reward Gateway’s own staff

● Full admin and management system login audit trail

● Auto-lockout of systems after multiple incorrect password attempts, preventing brute force attacks
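The admin-console controls listed above (IP address restriction, time and day login windows, auto-lockout after repeated failures and a login audit trail) combine naturally into a single login gate. The following is an added illustration, not Reward Gateway's own code; the network range, login hours, lockout threshold, credential store and sample attempts are all constructed assumptions.

```python
# Added example (not Reward Gateway's code): a minimal admin-console login
# gate combining IP restriction, time-and-day windows, auto-lockout and an
# audit trail. All thresholds, ranges and credentials below are assumptions.
import hmac
from datetime import datetime
from hashlib import sha256
from ipaddress import ip_address, ip_network

ALLOWED_NETS = [ip_network("203.0.113.0/24")]  # constructed office range
LOGIN_DAYS = {0, 1, 2, 3, 4}                   # Monday..Friday
LOGIN_HOURS = range(7, 20)                     # 07:00-19:59 local time
MAX_FAILURES = 5                               # lock after this many misses

# Constructed credential store: username -> sha256(password) hex digest.
# A production system would use a salted, slow KDF (bcrypt/argon2) instead.
USERS = {"admin": sha256(b"correct horse battery staple").hexdigest()}
DUMMY_HASH = "0" * 64  # compared against for unknown users (uniform timing)


class AdminGate:
    def __init__(self):
        self.failures = {}  # username -> consecutive failed attempts
        self.audit = []     # append-only trail of every login decision

    def _log(self, user, ip, when, outcome):
        self.audit.append((when.isoformat(), user, ip, outcome))
        return outcome

    def login(self, user, password, ip, when):
        # 1. IP address restriction: only the allowed networks may even try.
        if not any(ip_address(ip) in net for net in ALLOWED_NETS):
            return self._log(user, ip, when, "denied:ip")
        # 2. Time and day based restriction on console access.
        if when.weekday() not in LOGIN_DAYS or when.hour not in LOGIN_HOURS:
            return self._log(user, ip, when, "denied:time")
        # 3. Auto-lockout after repeated incorrect passwords.
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return self._log(user, ip, when, "denied:locked")
        # 4. Credential check with a constant-time digest comparison.
        expected = USERS.get(user, DUMMY_HASH)
        supplied = sha256(password.encode()).hexdigest()
        if user in USERS and hmac.compare_digest(expected, supplied):
            self.failures[user] = 0
            return self._log(user, ip, when, "ok")
        self.failures[user] = self.failures.get(user, 0) + 1
        return self._log(user, ip, when, "denied:credentials")
```

Every branch writes to the audit list before returning, so the trail records denied attempts as well as successes, which is what makes lockout and off-hours access attempts visible to reviewers.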

Page 8

External Penetration Testing

Annually, we commission an independent, qualified assessor to conduct a remote security review of our web-based applications. The URLs tested are vip.rewardgateway.com.au and manage.rewardgateway.com.au.

The assessors use vulnerability testing software and manual techniques, both unauthenticated and authenticated with appropriate user credentials.

The testing methodology is based on best practice as described by the Open Web Application Security Project (OWASP). The OWASP organisation provides awareness about web application security and is widely recognised within commercial and government sectors.

The following areas are tested:

● Information Gathering

● Authentication

● Data Validation

● Error Handling

● Business Logic

● Session Management

● Access Control

● Server Configuration

Scope headings from the slide: Target Information (Reward Gateway supplied targets, listed above); Period of Testing.

Page 9

Further tests undertaken by clients

In addition to our own tests, several of our clients conduct their own third party penetration tests. Reward Gateway has successfully been through penetration tests by a variety of clients who used NCC as their consultant.

In addition we have successfully completed the American Express Project Governance Board process which included security audits and site visits to both our office premises and the Bunker hosting.

We are always happy to work with clients who would like to undertake their own testing or audit.

Classification on findings

The penetration test results in a list of findings which are categorised by severity, as follows:

Critical: Critical vulnerabilities are those where an attacker may have the ability to execute commands on the server or retrieve and modify private information. These should be corrected urgently.

High: High vulnerabilities generally involve the ability to view source code, files outside the web root, and sensitive error messages. These should be corrected urgently.

Medium: Medium vulnerabilities indicate non-HTML errors or issues that could be sensitive. These should be corrected as soon as possible.

Low: Low vulnerabilities are those indicative of interesting issues, or issues that could potentially become higher ones. These should be addressed as time permits.

Page 10

Current Penetration Test Results

Reward Gateway conducts a penetration test annually and the last test was conducted by First Base Technologies, West Sussex, BN43 5DD, UK. Rob Shapland was the penetration tester and the project was overseen by Peter Wood, Chief of Operations.

Testing Credentials

The consultants at First Base are UK Government Security Cleared. First Base Technologies is a Registered Security Specialist with the British Computer Society and employs Certified Information Systems Security Professionals. They are also members of the Information Systems Security Association.

ISMS Penetration Test Policy

Reward Gateway’s policy is to disclose two aspects of the annual penetration test results.

We disclose the number and nature of any Critical vulnerabilities found along with details and progress of what is being done to mitigate them.

We disclose the number and nature of any High or Medium vulnerabilities found that remain open 21 days after the penetration test.

For security reasons further information on the penetration test results is not made available. Clients requiring more detailed information are able to arrange to conduct their own test.

Page 11

Results of the test December 2014

Results are as follows:

Part 1: Number of Critical vulnerabilities found: 0 (Zero)

Part 2: Number of High or Medium vulnerabilities found that remained open 21 days after the test: 0 (Zero)

Reward Gateway’s Board has therefore concluded that the penetration test for 2014 has been successful and no further actions are required.

The company continues to view security as an unfinished, ongoing issue subject to continual assessment and improvement. We intend to continue driving improvements wherever they can be identified.

Next Scheduled Penetration Test

Our next annual penetration test is scheduled for December 2015. Testing will be undertaken twice: once from the UK with a UK consultant, and separately from Australia with an Australian-based consultant.

Page 12

Document History

This document is provided for the exclusive purpose of evaluating Reward Gateway’s services and contract provision capability. It must not be passed to any 3rd party without the express written permission of Reward Gateway PTY Ltd. The information in this document is confidential. This document is owned by Veronica Walker, Retail Operations Manager.

Issue / Date of Issue / Reason / Author

Issue 3 / 26 August 2011 / First Australian specific release / Alison Crosland, COO

Issue 4 / 7 September 2012 / General updates, certificates, etc. / Sarah Millward, Compliance Team

Issue 4.1 / 1 November 2012 / General updates / Veronica Walker, ISMS Team

Issue 4.2 / 8 January 2014 / Name change and other general updates / Veronica Walker, ISMS Team

Issue 4.3 / 30 July 2014 / General updates, certificates, etc. / Veronica Walker, ISMS Team

Issue 4.4 / 12 March 2015 / General updates, certificates, pen test results, etc. / Veronica Walker, ISMS Team

Issue 4.5 / 20 March 2015 / Reformatted to slide deck, general updates / Jenni Yates, Head of Client Support