Compliance. Peter Oosthuizen, Partner Service Team Leader
Contents Overview of Compliance. Telecommunications Regulations. Data Protection Act. Payment Card Industry (PCI) Compliance. Financial Conduct Authority (FCA) Compliance. Summary.
General. Organisations must meet a range of regulatory and legal compliance obligations, i.e. they must comply with the standards set out by the relevant regulatory body. Compliance standards cover data in every format. Our customers and partners will need to comply on all levels; however, today I will focus on the two areas within the scope of Spitfire services: 1. Data Storage 2. Data Transmission
Telecommunications Regulations. Designed to ensure lawful use of a telephone system and to protect against misuse (spam or nuisance calls, telephony fraud). The regulations allow a PBX maintainer to monitor or record use of the system in order to: Prevent or detect crime. Investigate unauthorised use of the telecom system. Secure the effective operation of the telecom system. Spitfire's Telephony Fraud Prevention Training is free to all Spitfire Partners.
Data Protection Act. The Data Protection Act is the UK law that implements the European Union Data Protection Directive. The DPA relates to storing and processing data on an individual, not a company. As a business operating a PBX you are required to: Provide searchable and secure storage for any call recording on the system. Provide backup solutions for this data. Advise customers on deployment of these solutions. Callers must be told that calls may be recorded ("Calls may be recorded").
DPA Compliance. Data Storage: Data should not be stored without a valid business reason. Data should not be stored longer than necessary. Data should be kept accurate and up to date. Data must be processed with the data subject's permission and used for lawful purposes only. Personal data must not be excessive for the purpose for which it is obtained. Data Transmission: The DPA sets no specific technical standard for transmission, but it does require appropriate security measures and you remain responsible for the data wherever it resides; encryption in transit is therefore recommended.
Payment Card Industry (PCI). PCI Payment Card Industry: a standard set out by the PCI Security Standards Council that MUST be followed by anyone who stores, processes or transmits cardholder data. The PCI Data Security Standard (PCI DSS) provides requirements for the following: The storage of cardholder data. The transmission of cardholder data.
PCI Compliance. PCI DSS classes credit card related data into two categories, which for our purposes are three types: 1. Primary Account Number (PAN), the card number itself. 2. Cardholder Data (CD), the PAN plus cardholder name, expiry date and service code. 3. Sensitive Authentication Data (SAD): full magnetic stripe or chip track data, the CVV/CVC security code, and PINs or PIN blocks.
PCI Compliance. Data Storage: 1. PAN: if stored it must be secured and rendered unreadable wherever it is held (truncation, strong one-way hashing, tokenisation or strong encryption). 2. CD (name, expiry, service code): if stored it must be protected, but need not be rendered unreadable. 3. SAD: must never be stored after authorisation, even if encrypted. Put simply: there is no requirement to store credit card data, but the standard must be followed IF data is stored. TO MEET PCI COMPLIANCE FOR DATA STORAGE, DO NOT STORE CREDIT CARD DATA.
PCI Compliance. Data Transmission: 1. Across a secure network (LAN/MPLS): Physically or logically separated; a dedicated LAN or VLAN for PCI traffic. Firewall protected. Access monitored. 2. Across an open public network (Internet, Wi-Fi, GSM mobile etc.): Strong cryptography (e.g. TLS or a VPN) is required. PANs must never be sent unprotected via SMS, IM, email etc.
PCI Compliance. To comply with PCI DSS customers will be looking for the following on their PBX: Redact card details from call recordings (e.g. replace the spoken or keyed card number with white noise, or pause recording while it is taken). If they want to store data, store recordings within a secure network. Utilise a firewall within the LAN. Manage security between the PCI network and the voice and data networks. All of the above affect the design and deployment of any telecoms solution: network topology, wireless access points, managed router and firewall, PBX location. Spitfire will help design a network to ensure compliance is met. This may include additional LANs or VLANs with special security policies. Example scenarios: Retail company using MPLS; Retail company over an open network.
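The two storage rules above (PAN rendered unreadable if kept, SAD never kept, card numbers redacted from anything the PBX retains) are easy to state and easy to get wrong in code. The following is an added example, not Spitfire's or the PCI SSC's code: it finds card numbers in free text such as agent notes or a call transcript using the Luhn check, keeps only a first-6/last-4 truncation plus a keyed hash for lookups, and builds the only record allowed to persist after authorisation. The test card number, the hash key and the notes text are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: in production this key lives in an HSM or key-management service,
# never in source. A constructed value is used here so the example runs offline.
PAN_HASH_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run. Candidate matches are confirmed with the Luhn check below.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Fields that may persist after authorisation. CVV/CVC, PIN and track data are
# Sensitive Authentication Data and are deliberately absent from this list.
STORABLE_FIELDS = ("expiry", "name")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(pan: str) -> str:
    """Strip separators and validate length, digits and Luhn; raise otherwise."""
    digits = re.sub(r"[ -]", "", pan)
    if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)):
        raise ValueError("not a valid PAN")
    return digits


def truncate_pan(digits: str) -> str:
    """First six and last four are the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(digits: str) -> str:
    """Keyed one-way hash: lets two transactions be matched to the same card
    without storing the PAN. An unkeyed hash would be brute-forceable because
    the PAN space is small once the BIN is known."""
    return hmac.new(PAN_HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()


def redact_text(text: str) -> str:
    """Replace every Luhn-valid card number in free text with its truncation."""

    def repl(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return truncate_pan(digits) if luhn_ok(digits) else match.group(0)

    return PAN_CANDIDATE.sub(repl, text)


def card_record_for_storage(auth_request: dict) -> dict:
    """Return the subset of an authorisation request that may be stored.

    The full PAN is replaced by its truncation and token; SAD keys such as
    'cvv' are dropped regardless of what the caller supplied.
    """
    digits = normalise_pan(auth_request["pan"])
    record = {"pan_masked": truncate_pan(digits), "pan_token": pan_token(digits)}
    for field in STORABLE_FIELDS:
        if field in auth_request:
            record[field] = auth_request[field]
    return record


if __name__ == "__main__":
    # Constructed agent note containing a well-known test card number.
    note = "Customer paid on 4111 1111 1111 1111 exp 12/25, order ref 1234567890123"
    print(redact_text(note))
    print(card_record_for_storage({"pan": "4111-1111-1111-1111", "expiry": "12/25",
                                   "cvv": "123", "name": "A N Other"}))
```

The order reference in the sample note is thirteen digits but fails the Luhn check, so it is left intact; the regular expression alone would have redacted it. The keyed hash is what lets the merchant answer "has this card been used before" without the PAN ever being written to disk.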
Financial Conduct Authority (FCA). The FCA requires a business to retain records of specific telephone conversations and electronic communications that relate to the reception, transmission and execution of client orders and to proprietary trading. FCA compliance is relevant to all firms that receive client orders and negotiate, agree and arrange transactions across the equity, bond, financial commodity and derivatives markets: banks, stockbrokers, investment managers, financial advisers etc. Whereas PCI compliance is about NOT recording specific data, FCA compliance is about recording ALL related data.
FCA Compliance. Data Storage: Data must be stored for a minimum of 6 months, and sometimes up to 5 years depending on the type of data or transaction. Data must be accessible to the FCA whenever they require it. It must not be possible for the data to be altered or manipulated. Data Transmission: All calls discussing clients' financial matters must be recorded, and the recordings protected by encryption wherever they are transmitted. Reasonable efforts must be made to record all financial discussions held outside the controlled environment (mobile phone, golf course).
FCA Compliance. To comply with FCA regulations customers will be looking for the following on their PBX: Record and store all telephony data. This data must be tamper-evident, so that any alteration can be detected (encryption protects confidentiality in transit and at rest, but on its own it does not prove a recording has not been changed; that needs write-once storage, or cryptographic hashes or signatures over each recording). Ability to back up this data and to search for it when required. The above affects any telephony solution implemented for an FCA regulated business: network topology, managed router and firewall, PBX location, encryption. FCA compliance can only be achieved if both the PBX and the LAN topology are appropriately planned; both must be considered when implementing a telecoms solution. Example scenario: IFA working from a mobile at home.
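The FCA storage requirements above (retain for a set period, produce on demand, and be able to show nothing was altered) come down to an integrity mechanism around the recording store. The following is an added example, not Spitfire's or any PBX vendor's code: each recording is entered in a hash-chained manifest whose links are keyed with an HMAC, so that editing a recording, editing a manifest entry (for example shortening its retention date) or deleting an entry from the middle of the chain is all detected on verification. The manifest key, file names and audio bytes are constructed for illustration; a real deployment would keep the key in an HSM and the manifest on write-once storage.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: constructed key; in production it is held in an HSM or KMS so that
# whoever can edit the recording store cannot also re-sign the manifest.
MANIFEST_KEY = b"constructed-demo-manifest-key"
GENESIS = "0" * 64
DEFAULT_RETENTION_DAYS = 183  # the 6-month minimum; longer for some transaction types


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _link_body(prev: str, entry: dict) -> bytes:
    """Every field of the entry is bound into the link, so changing any of them
    (including the retention date) invalidates the HMAC."""
    return "|".join([prev, entry["name"], entry["sha256"],
                     entry["recorded_at"], entry["retain_until"]]).encode()


def append_recording(manifest: list, name: str, audio: bytes,
                     recorded_at: datetime,
                     retention_days: int = DEFAULT_RETENTION_DAYS) -> dict:
    """Append a recording to the manifest, chaining it to the previous entry."""
    prev = manifest[-1]["chain"] if manifest else GENESIS
    entry = {
        "name": name,
        "sha256": sha256_hex(audio),
        "recorded_at": recorded_at.isoformat(),
        "retain_until": (recorded_at + timedelta(days=retention_days)).isoformat(),
        "prev": prev,
    }
    entry["chain"] = hmac.new(MANIFEST_KEY, _link_body(prev, entry),
                              hashlib.sha256).hexdigest()
    manifest.append(entry)
    return entry


def verify_manifest(manifest: list, files: dict) -> list:
    """Return a list of problems; an empty list means the store is intact.

    files maps recording name to its current bytes (what is on disk now)."""
    problems = []
    prev = GENESIS
    for entry in manifest:
        if entry["prev"] != prev:
            problems.append(f"{entry['name']}: chain link broken")
        expected = hmac.new(MANIFEST_KEY, _link_body(entry["prev"], entry),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["chain"]):
            problems.append(f"{entry['name']}: manifest entry altered")
        audio = files.get(entry["name"])
        if audio is None:
            problems.append(f"{entry['name']}: recording missing")
        elif sha256_hex(audio) != entry["sha256"]:
            problems.append(f"{entry['name']}: recording content altered")
        prev = entry["chain"]
    return problems


def due_for_deletion(manifest: list, now: datetime) -> list:
    """Names whose retention period has ended (the DPA 'no longer than
    necessary' side of the same store)."""
    return [e["name"] for e in manifest
            if datetime.fromisoformat(e["retain_until"]) <= now]


if __name__ == "__main__":
    # Constructed recordings standing in for audio files.
    t0 = datetime(2014, 3, 1, 9, 30, tzinfo=timezone.utc)
    files = {"call-0001.wav": b"RIFF...client order BUY 100 XYZ",
             "call-0002.wav": b"RIFF...client order SELL 50 ABC"}
    manifest = []
    for i, name in enumerate(sorted(files)):
        append_recording(manifest, name, files[name], t0 + timedelta(hours=i))
    print("intact:", verify_manifest(manifest, files))
    files["call-0001.wav"] = b"RIFF...client order BUY 10 XYZ"  # tampered
    print("after edit:", verify_manifest(manifest, files))
```

Keeping the verification key away from the people who administer the recording server is what makes the chain evidence rather than decoration: with the key, an insider could rewrite the manifest to match an edited recording. Write-once media or an external timestamping service closes the same gap without a secret key.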
Summary. Almost every business needs to meet some level of compliance. For those maintaining PBX solutions, this compliance liability goes one step further, to ensuring that your customers' PBXs are secure. Industry specific compliance is more complex, so customers must be aware of which standards they are required to meet. It is extremely important to consider the LAN/WAN configuration together with the telephony solution when meeting both PCI and FCA compliance. For any customers you feel may not be meeting compliance, please discuss with Spitfire.