Compliance, the ability to act according to regulations set by external organizations, nowadays affects all areas of business. Anywhere365 helps organizations to comply with the following regulations:
- PCI – The Payment Card Industry Data Security Standard is developed by a consortium of credit card companies. Its aim is to secure credit card transactions through the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. Anyone offering their customers the option to pay by credit card has to be PCI compliant.
- MiFID II – EU’s Markets in Financial Instruments Directive aims at making financial markets in the European Union (EU) more robust and transparent. It creates a new legal framework that better regulates trading activities on financial markets and enhances investor protection. The new rules, called ‘MiFID 2’, revise the legislation currently in place and will apply from January 2018.
- GDPR – EU’s General Data Protection Regulation. GDPR aims to harmonize data protection laws across the EU when it comes into force in May 2018. Superseding national data protection laws, it will apply to every organization in the world that does business with EU residents.
Our standard solution already enables compliance with all of these regulations, and thanks to the adaptability of our software and our agile development process we are able to quickly incorporate additional requirements when needed. This article describes our standard solutions.
1. PCI DSS compliant transactions.
Anywhere365 Unified Contact Center is designed and used for communication between customers and organizations. Customers may place an order during a call and pay with their credit card. The main PCI concern for this type of exchange is the protection of the cardholder data. As Anywhere365 enables recording during all parts of the call, specific measures have to be taken to avoid PCI information being stored after business is concluded.
1.2. Which PCI DSS requirements relate to Anywhere365?
- Pause recordings: Recording of conversations is not allowed during credit card transactions.
- Shielding: Sensitive authentication data entered via a telephone must be shielded so that it is not audible.
1.3. Anywhere365 is fully PCI DSS compliant.
- Pause recordings: To comply with the PCI standard Anywhere365 allows Agents to pause recordings when PCI information is exchanged. In addition, Anywhere365 can automatically pause and resume recordings when specific actions are taken that are related to PCI information. If for instance a payment system is opened during a call, Anywhere365 can automatically halt recording and resume when the transaction is completed.
- Shielding: Anywhere365 masks DTMF dial tones from the Agent when PCI information is entered via the dial-pad. This way the distinct sound of each number cannot be recognized while the customer is entering sensitive authentication data such as PIN or CVV codes.
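The two controls above (pausing the recording while cardholder data is exchanged, and masking DTMF tones from the Agent in that window) can be modelled as a small gate in front of the recording pipeline. The following is an added example, not Anywhere365 code; the event names (`payment_system_opened`, `agent_pause`, and so on) and the sample call are assumptions made for the illustration.

```python
"""Constructed example: gating a call-recording pipeline during a card payment.

Added illustration, not Anywhere365 code. Recording pauses while cardholder
data is exchanged (manually by the Agent, or automatically when a payment
system is opened or the call is transferred to a payment service), and DTMF
digits are masked from the Agent and from the recording while the pause is
active. Event names are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Assumed trigger names; a real integration maps its own triggers onto these.
PAUSE_EVENTS = {"agent_pause", "payment_system_opened", "transfer_to_payment_service"}
RESUME_EVENTS = {"agent_resume", "payment_system_closed", "transfer_returned"}


@dataclass
class RecordingSession:
    paused: bool = False
    recorded: list = field(default_factory=list)     # what gets persisted
    agent_hears: list = field(default_factory=list)  # DTMF as presented to the Agent
    audit: list = field(default_factory=list)        # pause/resume trail, holds no card data

    def handle(self, event, payload=None):
        if event in PAUSE_EVENTS:
            if not self.paused:            # idempotent: a second trigger is a no-op
                self.paused = True
                self.audit.append(("recording_paused", event))
        elif event in RESUME_EVENTS:
            if self.paused:
                self.paused = False
                self.audit.append(("recording_resumed", event))
        elif event == "audio_frame":
            # Frames arriving during the pause are dropped, never buffered,
            # so nothing exchanged in that window can be written out later.
            if not self.paused:
                self.recorded.append(("audio", payload))
        elif event == "dtmf":
            if self.paused:
                self.agent_hears.append("*")                    # tone masked for the Agent
                self.audit.append(("dtmf_masked", "1 digit"))   # count only, never the digit
            else:
                self.agent_hears.append(payload)
                self.recorded.append(("dtmf", payload))
        else:
            raise ValueError(f"unknown event: {event!r}")


def run_call(events):
    """Feed a list of (event, payload) tuples through a fresh session."""
    session = RecordingSession()
    for event, payload in events:
        session.handle(event, payload)
    return session


# Constructed call: greeting, card entry via dial-pad while the payment system
# is open, then a closing remark after the transaction completes.
SAMPLE_CALL = [
    ("audio_frame", "hello, I'd like to pay for order 42"),
    ("payment_system_opened", None),
    ("dtmf", "4"), ("dtmf", "1"), ("dtmf", "2"), ("dtmf", "3"),
    ("audio_frame", "my card number is ..."),
    ("payment_system_closed", None),
    ("audio_frame", "thanks, goodbye"),
]

if __name__ == "__main__":
    s = run_call(SAMPLE_CALL)
    print("recorded:", s.recorded)
    print("agent heard:", "".join(s.agent_hears))
    print("audit:", s.audit)
```

The design point worth checking in any real implementation is the same one the example encodes: audio captured during the pause must be discarded at the source rather than buffered, and the audit trail must record only that masking happened, never the digits themselves.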
2. MiFID II compliant call, chat & video recording
The Financial Services industry in Europe is being confronted with the recasting of the EU’s Markets in Financial Instruments Directive, known as MiFID II. This directive will put into place far-reaching new rules, which aim to strengthen investor protection, prevent market abuse, increase transparency and re-establish consumer trust.
Several areas of the legislation need to be addressed by financial firms. MiFID II article 16 covers the regulated recording of calls in securities trading for investor protection. The legislation requires comprehensive and evidence-proof recording and archiving of calls that may result in transactions, regardless of the channel: phone, video call, chat or e-mail. The responsibility for these recordings rests solely with the financial institution. Anywhere365 Dialogue Management software for Skype for Business can support financial organizations in complying with MiFID II in this area.
2.2. Which MiFID II requirements relate to Anywhere365?
- Document: Record all calls which will/may result in transactions.
- Notify: Notify the customer that the conversation is being recorded.
- Store: Store all communications for a minimum of 5 years (this will be part of the customer’s or partner’s data storage compliance procedures).
- Retrieve upon request: Reproduce quickly and easily all communications leading up to a specific transaction or in a given time period.
2.3. Anywhere365 is fully MiFID II compliant.
- Document: Anywhere365 records conversations of all modalities that are handled by the Anywhere365 platform. In addition to recording, specific time-stamps, user-actions, routing, transfers, etc. are stored as well.
- Notify: Anywhere365 provides pre-announcements that conversations are being recorded for quality, training, security & compliancy reasons.
- Store: Anywhere365 follows the data retention policies set by your organization; the storage location can also be adjusted to abide by specific security/compliance regimes.
- Reproduce: Anywhere365’s Dialogue Intelligence suite allows for easy search, retrieval and replay of all recorded conversations, including full “customer journeys” throughout the organization.
3. GDPR compliant call, chat & video recording
EU’s General Data Protection Regulation (GDPR) will fundamentally redesign data protection across the EU and will apply to all organizations that store data identifying EU citizens, regardless of where they are geographically based. These laws establish significant and specific rights for those whose data is unlawfully processed, enabling them to seek compensation and have their data deleted.
Compensation can be claimed from organizations and individuals involved in a data breach, with extensive fines being issued for any breaches. GDPR compliance is the responsibility of the organizations that store the data, as personal data is stored either in their own secured environment or in the data warehouse of the hosting partner.
Anywhere365 helps organizations to comply by providing industry-proven security mechanisms based 100% on Microsoft solutions.
3.2. Which GDPR rights relate to Anywhere 365?
- Right to access: Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall on request provide a copy of the personal data, free of charge, in an electronic format.
- Right to be forgotten: Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Privacy by Design: Privacy by design as a concept has existed for years, but it only becomes a legal requirement with the GDPR. At its core, privacy by design calls for data protection to be included from the outset of system design, rather than added afterwards.
3.3. Anywhere365 is fully GDPR compliant.
- Right to access: Anywhere365 enables pre-announcements that conversations are being recorded for quality, training, security & compliance reasons. The recordings are stored and can be shared with the data subject as an electronic file.
- Right to be forgotten: Call recordings can be deleted on request by Anywhere365 Agents, or can be deleted automatically at database level after a predefined period. Furthermore, the IVR functionality records the client’s consent for the call to be recorded, along with consent for what that recording will be used for. Call data is automatically logged, including the originating telephone number. The IVR functionality can offer callers the option to remain fully anonymous; in that case the call data is stored in an anonymized form. This way the data is still available for analysis while the caller’s right to be forgotten is respected.
- Privacy by design: Anywhere365 records and securely stores interactions in encrypted format. The Anywhere365 Application servers become part of the Skype for Business Topology. As such all traffic is Certificate protected and mandatory TLS encrypted. Also, SQL Server and SharePoint communication is Certificate protected and TLS encrypted. Bitlocker data encryption can be applied. Advanced SQL and SharePoint auditing tools are used for file access monitoring.
4. Summary of compliance features.
- PCI DSS:
  - Pause recordings of conversations while PCI information is exchanged: manually (button in the extension window); automatically after a transfer (for instance when transferring to an external payment service); automatically when opening a payment system.
  - Shield recording of dial tones while credit card information is entered.
- MiFID II:
  - Document: end-to-end recording of conversations of all modalities that are handled by the Anywhere365 platform. In addition to recording, specific time-stamps, user-actions, routing, transfers, etc. are stored as well.
  - Notify: provides pre-announcements that conversations are being recorded for quality, training, security & compliance reasons.
  - Store: follows the data retention policies set by your organization; the storage location can also be adjusted to abide by specific security/compliance regimes.
  - Retrieve: provides easy search, retrieval and replay of all recorded conversations, including full “customer journeys” throughout the organization.
- GDPR:
  - Right to access: provides pre-announcements that conversations are being recorded for quality, training, security & compliance reasons; allows recordings to be shared with the data subject on request.
  - Right to be forgotten: allows Agents to delete call recordings on request, or automatically deletes recordings after a predefined time; IVR functionality that asks for and logs the caller’s consent for recordings; option to anonymize call data.
  - Privacy by design: industry-proven security mechanisms based 100% on Microsoft.
5. Appendix: Anywhere365 recording features.
Anywhere365 provides evidence-proof recording of calls and other customer communications (e.g. webchat) to help comply with the call recording requirements of MiFID II and GDPR. With its high-availability architecture, Anywhere365 ensures all communications are recorded without interruption and securely stored in encrypted format as a voice document at any customer location that can be reached by the Anywhere365 environment, unless PCI or other requirements dictate that the conversation not be recorded.
Complete customer journey – Anywhere365 records the complete customer journey, from the moment the caller presses dial to the moment they hang up. Next to the voice recording, the stored data includes (but is not limited to) the following metadata:
- Phone number caller (can be anonymized).
- IVR choices
- Transfer details
- Timestamps (incoming, queue, hold, pick-up etc.)
- Agent SIP address
- Agent ID where applicable
- CRM information
Server-side audio recording – The audio path is always recorded, independent of desktop recording. This works for fixed-fixed, fixed-mobile and mobile-mobile calls. If the call runs through a UCC, everything is logged, except video, which needs to be configured separately.
WebChat recording – In addition to call recording, Anywhere365 also offers chat recording. All benefits of call recording also apply to WebChat. Next to the complete chat history, Anywhere365 records the following items:
- Customer identity (can be omitted)
- Customer email address (can be omitted)
- CRM data
- IDR automated message and response
- Voice and Audio
- Desktop, Screen, Application or content sharing.
- Metadata, which includes but is not limited to:
  - Agent SIP address
  - Agent ID where applicable
Server-side chat recording/storage – Chat recording is always on, server-side: if a chat runs through a UCC it is recorded and stored in the Anywhere365 SQL database.
Manual or automatic recording pause – Anywhere365 supports the mandatory pause in recording when sensitive information is entered: automatically when the call is transferred to a payment system, or manually by the Agent.
Recording announcement – Anywhere365 solutions offer a built-in recording notification to help you stay compliant with legal requirements and avoid litigation (available for both inbound and outbound call scenarios). Anywhere365 plays a recording announcement at the beginning of the conversation to notify customers that the call may be recorded. These messages can be easily adjusted by supervisors and administrators through the Anywhere365 Management portal.
Screen recording – From a compliance point of view, the Anywhere365 desktop recording functionality is capable of recording all actions by the Agent, including consulting a CRM system and including video. These recordings use the Inflight Snapper client.
With the Anywhere365 Snapper, Agents can enable client-side screen recording. Video records are stored as an .mp4 audio/video file and shared to a SharePoint library. The Agent’s screen and all their actions are recorded in HD and can be played back as a video. When enabled, the screen recording starts automatically when a call is accepted and stops automatically when the call is terminated on the Agent’s screen.
Secure Recording and Encryption – Anywhere365 records and securely stores interactions in encrypted format. The Anywhere365 Application servers become part of the Skype for Business Topology. As such all traffic is Certificate protected and mandatory TLS encrypted. Also, SQL Server and SharePoint communication is Certificate protected and TLS encrypted. Bitlocker data encryption can be applied.
Secure recording storage – The recording files are stored either on a File Share (UNC path) or in a SharePoint Document Library, either on the customer’s premises or in the partner’s hosted data center environment.
File watermarking – Anywhere365 offers a powerful application to validate the authenticity of any recording file, ensuring that call recordings remain unchanged.
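The page states that recording files can be validated as unchanged but does not describe the mechanism. The following is a generic way to obtain that tamper-evidence, added here as an example and not Anywhere365’s watermarking implementation: each recording is digested with SHA-256, and the manifest of digests is itself protected with an HMAC so that an attacker who can edit a file cannot simply re-digest it. File names, contents and the key are constructed for the illustration; in practice the key would live in a vault or HSM, not in the code.

```python
"""Constructed example: tamper-evidence for stored recording files.

Added illustration of a keyed SHA-256 manifest; not the product's watermarking
implementation. File names, sample contents and the key are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large .wav files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, key):
    """Digest each file, then MAC the manifest so the digests themselves are protected."""
    entries = {os.path.basename(p): file_digest(p) for p in paths}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest, directory, key):
    """Report modified or missing files; refuse to trust a manifest whose tag is wrong."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return {"manifest_ok": False, "modified": [], "missing": []}
    modified, missing = [], []
    for name, digest in manifest["entries"].items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            missing.append(name)
        elif not hmac.compare_digest(file_digest(path), digest):
            modified.append(name)
    return {"manifest_ok": True, "modified": sorted(modified), "missing": sorted(missing)}


def demo():
    """Seal two constructed recordings, then show what verification reports
    after one file is edited and after the manifest itself is altered."""
    key = b"constructed-demo-key-real-keys-belong-in-a-vault-or-hsm"
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, content in (("call-0001.wav", b"RIFF....audio bytes 1"),
                              ("call-0002.wav", b"RIFF....audio bytes 2")):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            paths.append(p)
        manifest = build_manifest(paths, key)
        clean = verify_manifest(manifest, d, key)
        with open(paths[1], "ab") as f:          # simulate an edit to one recording
            f.write(b" edited")
        tampered = verify_manifest(manifest, d, key)
        forged = dict(manifest, tag="0" * 64)    # manifest altered without the key
        forged_result = verify_manifest(forged, d, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

The manifest should be written to a location the recording writers cannot modify (or be timestamped by a separate system), otherwise an attacker with write access to the share could replace both the file and its manifest entry.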
High-availability architecture – Anywhere365 implements a redundant, high-availability architecture to guarantee that recording is always on, so your business remains compliant even in the event of hardware failure.
Flexible retention policy – All communications are recorded without interruption and securely stored in encrypted format at any location that can be reached by the Anywhere365 environment, either on a File Share (UNC path) or in a SharePoint Document Library, on the customer’s premises or in the partner’s hosted data center environment. The retention period for call recordings is configured by the customer’s or partner’s administrator.
The retention time can differ per Service Component, per country or per business unit.
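When retention can be set per Service Component, per country and per business unit, the question a reviewer will ask is which rule wins when several apply to one recording. The following added example (not Anywhere365 configuration) resolves that with a most-specific-rule-wins policy and, on a tie, keeps the longer period so that an ambiguous configuration can never shorten a regulatory minimum; it then derives a disposal date and a retain/delete decision that also honours an erasure request and a legal hold. The rule format, the sample values and the field names `erasure_requested` and `legal_hold` are assumptions.

```python
"""Constructed example: resolving a retention period per recording.

The page states that retention can differ per Service Component, per country
or per business unit; the rule format, precedence, field names and sample
values here are assumptions for this added example, not Anywhere365 configuration.
"""
from datetime import date, timedelta

# Each rule is (scope, retention_days). A rule applies when every attribute in
# its scope matches the recording's attributes. Sample values are constructed.
RULES = [
    ({}, 365),                                                          # default
    ({"country": "DE"}, 365 * 10),
    ({"service_component": "trading-desk"}, 365 * 5),                   # the 5-year minimum named above
    ({"service_component": "trading-desk", "business_unit": "wealth"}, 365 * 7),
]


def resolve_retention(attrs, rules=RULES):
    """Most specific matching rule wins; on a tie the longer retention is kept,
    so an ambiguous configuration never shortens a regulatory period."""
    matches = [(len(scope), days) for scope, days in rules
               if all(attrs.get(k) == v for k, v in scope.items())]
    if not matches:
        raise LookupError("no retention rule matches and no default is configured")
    best_specificity = max(s for s, _ in matches)
    return max(d for s, d in matches if s == best_specificity)


def disposal_date(recorded_on, attrs, rules=RULES):
    """First day on which the recording may be disposed of."""
    return recorded_on + timedelta(days=resolve_retention(attrs, rules))


def decide(recording, today, rules=RULES):
    """'delete' once the period has elapsed or the data subject asked for erasure;
    a legal hold overrides both. Field names are assumptions for this example."""
    if recording.get("legal_hold"):
        return "retain"
    if recording.get("erasure_requested"):
        return "delete"
    due = disposal_date(recording["recorded_on"], recording["attrs"], rules)
    return "delete" if today >= due else "retain"


if __name__ == "__main__":
    rec = {"recorded_on": date(2018, 1, 1),
           "attrs": {"service_component": "trading-desk", "country": "NL", "business_unit": "retail"}}
    print("retention days:", resolve_retention(rec["attrs"]))
    print("disposal date:", disposal_date(rec["recorded_on"], rec["attrs"]))
    print("decision today:", decide(rec, date.today()))
```

Whether an erasure request may override a regulatory retention period is a legal question for the organization, not something the code should decide silently; the example makes that precedence explicit in one place so it can be reviewed.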
Data replication – The data replication functionality helps manage storage and administration costs and centrally stores recording data from multiple locations. The customer or partner can configure call or chat recordings to be stored for multiple years.
Data recovery and removal – Users with administration rights can easily retrieve recordings upon request via the user-friendly Anywhere365 web-portal. Authorized users can also remove recordings when requested.
Well-structured and user-friendly privileged access – The Compliance Recording Service provides an individual- or seat-based service in which interactions can be recorded.
Access to data is password-protected and provided to authorized users only. Anywhere365 is a Skype for Business solution, so Agents and service accounts use AD, Azure AD or ADFS identities. Role-based access control is tied to the user’s SIP address and defines the user’s rights, such as playback, live monitoring, administration, coaching and resource access.
The recorded and stored interactions can be retrieved at a later date, within a defined retention time, for security, compliance or evidential purposes. Anywhere365 reporting gives full access to each (recorded) conversation, including time-stamps, users, actions, etc., directly on the SharePoint file server or via the web-based reporting portal. There is no need for additional playback software, as call recordings are stored as .wav files and can be played back accordingly.
Example is shown below.
Audit log – All recordings are stored either on a File Share (UNC path) or in a SharePoint Document Library. SharePoint’s activity tracking system enables full audit logs of all actions performed within the system, such as access to call recordings, deletion of files, changes of configuration, etc. Anywhere365 provides direct access to all recordings through its user-friendly web-portal.
Seamless SharePoint integration – To protect recording documents (voice or chat) stored in SharePoint within the Anywhere365 architecture, use the Rights Management features of SharePoint Online. This way different policies can be set on recording files. You can use the audit log reports provided with SharePoint to view the data in the audit logs for a site collection.
You can sort, filter, and analyze this data to determine who has done what with sites, lists, libraries, content types, list items, and library files in the site collection. For example, you can determine who deleted which content.
Advanced auditing – The following events are available for audit log reports to help you determine who is taking what actions with the content of a site collection:
- Opened and downloaded documents, viewed items in lists, or viewed item properties (This event is not available for SharePoint Online sites)
- Edited items
- Checked out and checked in items
- Items that have been moved and copied to other locations in the site collection
- Deleted and restored items
- Changes to content types and columns
- Search queries
- Changes to user accounts and permissions
- Changed audit settings and deleted audit log events
- Workflow events
- Custom events