Statement and Purpose - The Cybersecurity Policy (“Policy”) of Google Pay Brasil Instituição de Pagamento Ltda. (“Google Pay”) is based on principles and guidelines aimed at ensuring the confidentiality, integrity and availability of all data and information systems used by Google Pay.
Google Pay adopted Google’s Payments Information Security Program (“the Program”), applicable to Google entities in Brazil and abroad, in addition to specific controls that ensure compliance with local law and regulation, in order to prevent, detect and reduce as much as possible any and all vulnerabilities connected with the cybersecurity environment.
Scope and Disclosure - The Policy applies to and is disclosed to all employees, consultants, agents, contractors, vendor employees and any others working for or providing services to Google Pay with access to the Program’s systems, resources or information. The Policy also applies to all regulated Google Pay payments-related services and operations.
Google Pay’s senior management assists in the dissemination and implementation of the guidelines of the Policy, in order to enable its effectiveness and the ongoing improvement of the Program.
Data Classification - All information collected, processed or maintained by Google Pay (“Payments Information”) is assigned a data classification level to ensure that it receives adequate protection.
Data Protection Principles - Google Pay data protection principles follow the strictest applicable requirements. Technologies and practices meet or exceed industry requirements when it comes to protection of personally identifiable information from unauthorized access, disclosure, or modification, utilizing methods including encryption, monitoring, anomaly detection, access logging and auditing, and protecting all data with measures commensurate to their sensitivity.
Staff Training and Risk Assessment - Google Pay employees are required to take privacy and information security training every year to ensure the appropriate handling and protection of all customer data in compliance with the Program. Google Pay performs risk assessments to identify and mitigate foreseeable risks to the confidentiality, integrity and availability of the Payments Information. The Program’s effectiveness is monitored and periodically reviewed to assess whether its safeguards and controls are sufficient to mitigate business and technical risks.
Physical and Technical Safeguards - Google Pay maintains physical security controls in all its facilities, as well as technical safeguards, to prevent unauthorized access to sensitive information, information destruction, unauthorized disclosure, data tampering, information leaks and cyber-attacks.
All devices with access to Google Pay corporate services must meet configuration security standards specified in the applicable Google Pay guidelines and follow strictly designed operating system and update requirements.
Authentication Policy and Password Requirements - Google Pay also has strict authentication and authorization requirements, protecting its systems against unauthorized access. Authentication is required for access to all systems that provide non-public information. The strength of the authentication mechanism must be compatible with the sensitivity of the information asset(s).
System Engineering Security - Google Pay has robust encryption procedures, which encompass not only data in rest, but also data in transit.
In addition, Google Pay policies and practices ensure that Payments Information is appropriately backed up. Except as otherwise required under Brazilian law and regulation, backup media containing sensitive data will be stored for regulatory/housekeeping purposes and to facilitate service recovery after an incident.
Network Security - All devices having access to Google Pay corporate services should meet network guidelines, including that: (i) accounts that grant access to Google Pay systems must be managed according to applicable policies; (ii) logins to systems should use employee’s corporate accounts and associated credentials; (iii) unused accounts must be disabled or removed from the system; and (iv) authentication of accounts uses a remote authentication system.
Monitoring - Google Pay systems and networks used by Google Pay are appropriately monitored according to the following principles:
- Devices must be configured to log events – each log record being time stamped using microseconds, recorded and written to an appropriate log system
- A response plan for handling security monitoring alerts must be drafted to prevent unauthorized access, data loss and services disruption – such alerts being reported to an Incident Management Team who is responsible for their investigation
- A record of actions performed during the investigation of a security incident must be kept and stored in a secure manner in order to ensure chain of custody
Product Security Assessment - As a rule, all payments products and services, including new features, products, or major modifications to existing products, must complete a comprehensive security review before launch.
Incident Response – Google Pay adopts an incident response plan assessed and approved by its board of directors and subject to test and review at least once a year. This annual test aims to identify changes to processes, controls and documentation needed to better prepare for security incidents.
Business Continuity and Disaster Recovery - Google Pay maintains a business continuity and disaster recovery plan. The plan is followed in the event of a threat to the operations or to the continuity of the business during an emergency or disruptive event.
Policy Review and Approval - The Policy must be reviewed and updated at least annually and submitted to the Google Pay Board of Directors for approval.
Google Pay Brasil Instituição de Pagamento Ltda.