Compliance. Peter Oosthuizen, Partner Service Team Leader

Contents
- Overview of Compliance
- Telecommunications Regulations
- Data Protection Act
- Payment Card Industry (PCI) Compliance
- Financial Conduct Authority (FCA) Compliance
- Summary

General
Organisations must conform to a range of regulatory and legal compliance, i.e. they must comply with standards set out by the regulatory body. Compliance standards cover data in every format. Our customers and partners will need to conform on all levels of compliance; however, today I will focus on those within the scope of Spitfire services:
1. Data Storage
2. Data Transmission

General: Telecommunications Regulations
Designed to ensure lawful use of a telephone and to protect against misuse of a telephone (spam or nuisance calls).
Spitfire's Telephony Fraud Prevention Training: free to all Spitfire Partners!
As a PBX maintainer you are required to:
- Prevent or detect crime.
- Investigate the unauthorised use of a telecom system.
- Secure the effective operation of the telecom system.

Data Protection Act
The Data Protection Act is a European Union directive. The DPA relates to storing and processing data on an individual, not a company.
As a business operating a PBX you are required to:
- Provide searchable and secure data for any call recording on the system.
- Provide backup solutions for this data.
- Advise customers on deployment of these solutions.
Calls may be recorded.

DPA Compliance
Data Storage
- Data should not be stored without a valid business reason.
- Data should not be stored longer than necessary.
- Data should be kept accurate and up to date.
- Data must be processed with the owner's permission and used for lawful purposes only.
- Personal data must not be excessive for the purpose for which it is obtained.
Data Transmission
- There are no compliance standards on transmission; however, you are responsible for the data wherever it resides, therefore encryption is recommended.

Payment Card Industry (PCI)
A standard set out by the PCI Security Standards Council that MUST be followed by anyone who processes credit cards. The PCI Data Security Standard provides guidelines for the following:
- The storage of cardholder data
- The transmission of cardholder data

PCI Compliance
PCI DSS classes credit card related data into three types:
1. Primary Account Number (PAN)
2. Cardholder Data (CD)
3. Sensitive Authorisation Data (SAD)

PCI Compliance: Data Storage
1. PAN: if stored, it must be secure and must be encrypted.
2. CD: if stored, it must be secure, but no encryption is required.
3. SAD: must not be stored beyond processing the transaction.
Put simply: there is no requirement to store credit card data; however, compliance must be followed IF data is stored.
TO MEET PCI COMPLIANCE FOR DATA STORAGE, DO NOT STORE CREDIT CARD DATA.

PCI Compliance: Data Transmission
1. Across a secure network (LAN/MPLS):
- Physically or logically separated: a LAN or VLAN for PCI traffic
- Firewall protected
- Access monitored
2. Across an open public network (Internet, Wi-Fi, GSM mobile etc.):
- Strong encryption required
- Data should not be sent via SMS, IM, email etc.

PCI Compliance
To comply with PCI DSS, customers will be looking for the following on their PBX:
- Redact card details from recordings (white noise).
- If they want to store data, then store recordings within a secure network.
- Utilise a firewall within the LAN.
- Manage security between the PCI, voice and data networks.
All of the above impact the design and deployment of any telecoms solution: network topology, wireless access points, managed router & firewall, PBX location. Spitfire will help design a network to ensure compliance is met. This may include additional LANs or VLANs with special security policies.
Diagram titles: Retail company using MPLS; Retail company over open network.
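An added example, not from the presentation, applying the three PCI data classes and the "redact card details" requirement to a text record attached to a call (for instance a DTMF capture or an agent's note): a Luhn-valid PAN is masked to first six / last four, a labelled security code (SAD) is removed outright because it must never be stored, and a digit run that fails Luhn is left untouched. The sample records, regexes and function names are constructed for this example.

```python
import re

# Constructed sample records, as a PBX might attach to a call: a DTMF/agent note
# containing a card number and CVV, and an order reference that merely looks like one.
SAMPLE_RECORDS = [
    "caller gave card 4111 1111 1111 1111 exp 12/27 cvv 123 name J SMITH",
    "order ref 1234 5678 9012 3456 raised for J SMITH",
]

# 13-19 digits with optional single space/dash separators (PAN formats), and
# a labelled 3-4 digit security code (SAD, which must never be stored).
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cv2|cid)\s*:?\s*\d{3,4}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a syntactically valid PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> tuple:
    """Return (sanitised text, counts). A PAN is masked to first 6 / last 4
    (the PCI DSS display rule); SAD is dropped entirely rather than masked."""
    counts = {"pan": 0, "sad": 0}

    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):           # not a card number: leave as-is
            return m.group(0)
        counts["pan"] += 1
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

    def drop_sad(m):
        counts["sad"] += 1
        return m.group(1) + " [SAD-REMOVED]"

    text = SAD_RE.sub(drop_sad, PAN_RE.sub(mask_pan, text))
    return text, counts


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(redact(line))
```

Masking to first six / last four is what PCI DSS permits on a display; if the record is kept at all, the masked form is the only one that should reach storage.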

Financial Conduct Authority (FCA)
The FCA requires a business to retain records of specific telephone conversations and electronic communications of client order services that relate to the reception, transmission and execution of client orders and proprietary trading. FCA compliance is relevant to all firms that receive client orders and negotiate, agree and arrange transactions across the equity, bond, financial commodity and derivatives markets: banks, stockbrokers, investment managers, financial advisors etc.
Whereas PCI compliance is about NOT recording specific data, FCA compliance is about recording ALL related data.

FCA Compliance
Data Storage
- Data must be stored for a minimum of 6 months; sometimes up to 5 years depending on the type of data/transaction etc.
- Data must be accessible to the FCA when they require it.
- It must not be possible for data to be altered or manipulated.
Data Transmission
- All calls discussing clients' financial matters must be recorded (encryption required).
- Reasonable efforts must be made outside a controlled environment to record all financial discussions (mobile phone, golf course).

FCA Compliance
To comply with FCA regulations, customers will be looking for the following on their PBX:
- Record and store all telephony data.
- This data must be encrypted so it cannot be altered.
- Ability to back up and search for this data when required.
The above impacts any telephony solution implemented for an FCA regulated business: network topology, managed router & firewall, PBX location, encryption. FCA compliance can only be implemented if both the PBX and LAN topology are appropriately planned; both must be considered when implementing a telecoms solution.
Diagram title: IFA working from a mobile at home.
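An added example, not part of the presentation, of one way to meet the "cannot be altered" requirement above for stored recordings: encryption keeps a recording confidential, while tamper-evidence comes from an integrity check, here a chained HMAC index whose final tag is kept away from the PBX so that edits, reordering, deletion and truncation are all detected. The recording contents, file names and key are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for stored call recordings (real ones are audio files).
RECORDINGS = {
    "call-0001.wav": b"audio of a client order call",
    "call-0002.wav": b"audio of a follow-up call",
}
# Assumption: this key is held by the compliance function, not by PBX administrators.
INDEX_KEY = b"example-key-held-outside-the-pbx"
GENESIS = "0" * 64   # 'previous tag' of the first entry


def _tag(entry: dict, key: bytes) -> str:
    """HMAC over the entry's own fields plus the previous entry's tag."""
    body = json.dumps({k: entry[k] for k in ("file", "sha256", "prev")}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def build_index(recordings: dict, key: bytes = INDEX_KEY) -> list:
    """Append-only index: because each tag covers the previous one, editing,
    reordering or removing any entry invalidates every later tag."""
    entries, prev = [], GENESIS
    for name in sorted(recordings):
        entry = {"file": name, "sha256": hashlib.sha256(recordings[name]).hexdigest(), "prev": prev}
        entry["tag"] = _tag(entry, key)
        entries.append(entry)
        prev = entry["tag"]
    return entries


def verify_index(entries: list, recordings: dict, last_tag: str, key: bytes = INDEX_KEY) -> list:
    """Return a list of problems; an empty list means chain and recordings are intact.
    last_tag is the final tag stored off the PBX, so a truncated index is also caught."""
    problems, prev = [], GENESIS
    for e in entries:
        if e["prev"] != prev:
            problems.append(f"{e['file']}: chain broken before this entry")
        if not hmac.compare_digest(_tag(e, key), e["tag"]):
            problems.append(f"{e['file']}: index entry altered")
        data = recordings.get(e["file"])
        if data is None:
            problems.append(f"{e['file']}: recording missing")
        elif hashlib.sha256(data).hexdigest() != e["sha256"]:
            problems.append(f"{e['file']}: recording altered")
        prev = e["tag"]
    if prev != last_tag:
        problems.append("index truncated or final entry changed")
    return problems
```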

Summary
- 99% of businesses need to meet some level of compliance.
- For those maintaining PBX solutions, this compliance liability goes one step further, to ensuring your customers' PBX is secure.
- Industry-specific compliance is more complex, so customers must be aware of what standards they are required to meet.
- It is extremely important to consider the LAN/WAN configuration and telephony solution when adhering to both PCI and FCA compliance.
- For any customers you feel may not be meeting compliance, please discuss with Spitfire.