Environmental, Social & Governance

Data Privacy and Security

Guided by our code of conduct and shared values, NCR is committed to taking measures to protect and secure information belonging to our stakeholders, including customers, business partners, suppliers, employees and shareholders. Taking appropriate actions designed to prevent the unauthorized use or disclosure of information is critical in fostering the trusted relationships that help drive our company’s future success.

Oversight

At NCR, we’re proud of our data protection, cybersecurity and privacy programs.

Our board of directors’ risk committee provides oversight of these programs, along with oversight from several members of our executive leadership team, including the chief operations officer, general counsel, chief information officer and chief technology officer. Our vice president, chief information security officer and vice president, chief privacy officer are responsible for managing these programs. Our vice president, chief ethics & compliance officer provides additional support.

We operationalize data protection and security programs through the development, maintenance and enforcement of numerous policies and procedures. The personal information and other data that we process and store are increasingly subject to data security and privacy obligations and laws of many jurisdictions, which are growing in complexity and sophistication. NCR:

  • Invests in and supports data protection and security
  • Performs risk assessments and audits on technology and practices affecting data
  • Evaluates the governance of our programs
  • Conducts training and awareness-raising
  • Maintains cross-functional teams focused on data protection and security

Data privacy

NCR supports appropriate privacy protections for those with whom we interact. We foster a culture that values the privacy rights of individuals. Under the direction of NCR’s chief privacy officer, the program offers thought leadership, advice and guidance on privacy practices such as:

  • Complying with privacy laws and regulations
  • Designing solutions with privacy in mind
  • Implementing contracts governing intracompany activities
  • Minimizing the collection of data
  • Providing meaningful notice and choice
  • Safeguarding information

The program is supported by privacy attorneys, privacy program managers within the business and data protection officers in various locations internationally. Many of these privacy professionals have industry-recognized privacy certifications from the International Association of Privacy Professionals. The Privacy Office also oversees personal data requests from individuals.

More information on our privacy practices can be found in NCR’s Privacy Policy.

Data security and assurance

Under the direction of NCR’s Chief Security Officer and Chief Information Security Officer, the Global Information Security organization is responsible for implementing and maintaining an information security program whose goal is to protect information technology resources and the confidentiality and integrity of data gathered on our people, partners, customers, and business assets. The Global Information Security organization relies on operational teams to engineer, operate and maintain the security infrastructure.

NCR has management measures in place to respond quickly, effectively, and appropriately to a suspected security or privacy incident. NCR’s data security program also includes:

  • Maintenance of the ISO 27001 certification for certain locations throughout the United States, Europe, and India
  • Third-party audits for PCI-DSS, PA-DSS and SSAE-18 SOC2 for certain service offerings
  • A robust information security awareness and training program
  • Corporate insurance that includes certain information security risk policies that cover network security, privacy and cyber events
  • Maintenance of the NCR Privacy Policy

Training and processes

All employees (including full-time, part-time, and contract workers) with access to the NCR network must complete information and security awareness training within 30 days of hire, as well as an annual refresher course. NCR performs regular testing to ensure that employees can identify email “phishing” attacks and remain vigilant against potential data privacy and security threats. We protect our data and prevent attacks on it through various information technology and data protection mechanisms. We are leveraging relationships with cybersecurity firms and internal cybersecurity experts along with the processes listed below:

  • Firewalls and intrusion prevention systems
  • Denial of service detection
  • Identity management technology
  • Anomaly-based detection
  • Anti-virus/anti-malware
  • Endpoint encryption
  • Security analytics
  • Detection and response software
  • Security Information and Event Management (“SIEM”) system
  • Multi-factor authentication and encryption

We have established management measures to respond quickly, effectively, and appropriately to a suspected security or privacy incident. We also regularly evaluate our protections against incidents, including self-assessments and expert third-party assessments. We periodically enhance those protections as part of the efforts to stay current with advances in cybersecurity defense. When we confirm a cybersecurity incident, we immediately perform root cause analyses and implement additional controls based on those analyses in appropriate instances.

Products & services

NCR does business globally and understands the privacy and security landscape is evolving. Our products and services, including our cloud and hosted solutions as well as our end-to-end payment processing business, facilitate financial and other transactions for customers in the industries we serve. We design them so customers can deploy them in various ways depending on the solution and their local requirements. NCR also works with customers to enable them to meet the needs of the various markets in which they operate.