Compliance Recording

The Payment Card Industry (consisting of American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) established the PCI Security Standards Council (PCI SCC) in 2006 in order to create a set of rules for merchants and service providers that accept credit and debit card payments that would minimize payment card data loss (whether malicious or otherwise). It followed this with the Data Security Standard (PCI DSS), which details the security requirements for anyone processing, storing or transmitting cardholder data.

What this means is that if your organization accepts credit or debit cards, it must do so in accordance with the latest standards. And while compliance isn’t a legal requirement, merchants and service providers that don’t comply are in breach or their contract and could have their card acceptance privileges terminated, resulting in likely business losses.

Simply put, according to PCI-DSS, no cardholder data (cardholder name, expiration date, PAN, etc.) should ever be stored unless it’s necessary to meet the needs of your business, and no sensitive authentication data (SAD), which includes card validation codes (CVV2, CVC2, CID, or CAV2), personal identification numbers and/or full magnetic stripe data, may be stored in a digital, audio or video format (such as WAV or MP3) after authorization, even if encrypted.

Fortunately, Oreka TR will pause both screen and audio via API or web user interface while credit card numbers are being received over the phone. This way, no numbers are stored anywhere on the recording system.

For more information, please visit here.

Resource: PCI FAQs and Myths

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect sensitive patient information.  In short, it requires organizations to comply with minimum security and privacy standards for health data.  According to the Act, healthcare organizations must “Secure patient records containing individually identifiable health information so that they are not readily available to those who do not need them and are not authorized to view them.”

Oreka TR helps protect your organization and your patients from inadvertently sharing personally identifiable health information that shouldn’t be shared.  With Oreka TR you can restrict access to sensitive data, assign user roles with set permissions and be able to quickly and easily retrieve any call you want within seconds when necessary.

Together, along with audit trail capabilities and time stamping, Oreka TR helps you stay HIPAA compliant.

The Dodd-Frank Wall Street Reform and Consumer Protection Act (known as the Dodd-Frank Act or DFA) was passed to promote financial stability by improving accountability and transparency amongst financial service organizations.

Dodd-Frank introduced extensive record-keeping regulations that significantly changed the requirements for federal financial regulatory agencies and almost all companies in the financial market industry. Dodd-Frank includes regulations that affect a wide range of financial service organizations, with the regulations pertinent to Compliance Recording among the most stringent and important.

The key legislative requirements of Dodd-Frank relevant to Communication Recording are:

• All communications relating to pre-execution trade information must be recorded completely and accurately, including telephone, voicemail, instant messaging, chats, email, and mobile
• Records need to be uniformly time stamped – A record of the date and time, to the nearest minute, must be on every record
• Trading records need to be identifiable and searchable by transaction – All records must be maintained in a manner that is easily searchable, and records must be available for trade reconstruction
• All records must be stored securely and readily accessible – Records need to be stored at the principle place of business or such other principle office, and records must be kept throughout the duration of the transaction, and then retained for up to five years

Oreka TR provides detailed audit trails, time stamping, easy multi-criteria searching capabilities (to find the necessary recordings), and secure storage to help you maintain Dodd-Frank compliance.

The EU have announced new MiFID regulations that will place further restrictions on the financial sector. The extension will expand regulations to new areas of the financial sector and place further restrictions on the storage of recorded calls.

“The revised Markets in Financial Instruments Directive (MiFID II) comes into force in January 2018, and it will regulate the financial services sector with a new, much stricter set of rules around call recording.” (Information Age, March 2017)

Oreka TR has the flexibility and built-in capabilities (i.e. audit trails, time stamping, easy access to recordings, etc.) to help you maintain MiFID II compliance. Specifically, Oreka TR can help you:

• Record 100% of calls or configure the system to selectively record only certain calls.
• Easily search for, retrieve and playback specific calls based on multi-criteria searching and filtering of a long list of variables (time/date, agent ID, caller ID, etc.).
• Store all communications for a minimum of 5 years, or for any duration you choose, using our flexible retention rules capability.

“GDPR (General Data Protection Regulations) is an EU-wide data protection regulation which will come into force in May 2018, replacing all national data protection laws in member states. GDPR is designed to further strengthen the rights of individuals when it comes to organisations collecting, recording and using their personal data, placing greater onus on companies to demonstrate compliance, and increasing the penalties for not doing so.

Businesses wishing to record calls will be required to actively justify legality, by demonstrating the purpose fulfills any of six conditions:

1. The people involved in the call have given consent to be recorded
2. Recording is necessary for the fulfillment of a contract
3. Recording is necessary for fulfilling a legal requirement
4. Recording is necessary to protect the interests of one or more participants
5. Recording is in the public interest, or necessary for the exercise of official authority
6. Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call”

Source: Commstrader.com, June 2017, “Call Recording and the GDPR. Preparing for the New Data Laws”

Oreka TR’s flexibility and ease of use will help your organization comply with new GDPR regulations.

Download our Call Recording and GDPR brochure.

Other Resources:

https://www.datacompliancedoctors.co.uk/single-post/2018/01/05/GDPR-statistics-how-prepared-are-SMEs

https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-nwe-gdpr-benchmarking-survey-november-2017.pdf

https://activereach.net/newsroom/blog/voice-recording-gdpr-call-recorded-training-purposes/