Information security & compliance

Information security and compliance is critical at Telrock. Some of the world's largest banks use Telrock to process critical interactions between the bank and its customers, messages that are vital to both the bank and its customers.

Telrock and its products are Level 1 PCI audited and certified by an independent QSA (www.7safe.com). Registration with Mastercard as a compliant Service Provider can be found here: https://www.mastercard.us/content/dam/mccom/en-us/documents/service-provider-list.pdf

Telrock solutions are private cloud based, running within Telrock's own dedicated private cloud infrastructure hosted by our hosting partner, Cogeco Peer 1, a global provider of secure hosting services to some 1300 financial services clients. Notably, Telrock do not utilise any public cloud services (e.g. AWS) for client solutions. See www.cogecopeer1.com

Data encryption standards meet PCI v3.2 requirements. Technically this means that TLS (terminated in the Nginx web server) is used to encrypt HTTP traffic in transit, and AES-256 encryption (as implemented by Java and MySQL) is used for data at rest. Stored data is encrypted under a Data Encryption Key (DEK), which is in turn encrypted under a Key Encryption Key (KEK); the KEK is stored in two parts held by two separate key custodians, so neither custodian alone holds the complete key.
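The key hierarchy described above, as an added example written for this page in Go (not Telrock's implementation, which the page places in Java and MySQL): a DEK protects records, a KEK wraps the DEK, both with AES-256-GCM, and the KEK is split into two custodian shares. The XOR split is an assumption, since the page does not state how the two parts are formed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewAEAD returns AES-GCM for the given key; a 32-byte key selects AES-256.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and returns nonce||ciphertext||tag with a fresh random nonce.
func Seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; a wrong key or a modified blob fails the GCM tag check.
func Open(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed blob too short")
}

// JoinKey recombines two equal-length custodian shares by XOR.
func JoinKey(a, b []byte) []byte {
	k := make([]byte, len(a))
	for i := range k {
		k[i] = a[i] ^ b[i]
	}
	return k
}

// SplitKey (assumed scheme) yields two shares whose XOR is key; either share alone is uniformly random.
func SplitKey(key []byte) ([]byte, []byte, error) {
	a := make([]byte, len(key))
	if _, err := rand.Read(a); err != nil {
		return nil, nil, err
	}
	return a, JoinKey(key, a), nil
}
```

To decrypt a record, both custodian shares are joined into the KEK, the KEK unwraps the DEK, and only then is the record opened; a single share, a wrong key or a tampered blob fails at the GCM tag check rather than yielding garbage.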

All new employees must pass stringent background checks by a specialised third party as part of joining Telrock. All staff are required to complete Security and Privacy training once a year, which covers the Information Security Policies, security best practices, and privacy principles. Client-facing Telrock US employees receive training in UDAAP, TCPA and FDCPA.

As part of PCI compliance and security best practice, we conduct regular security scans:

  • 2-weekly external network vulnerability scanning by an independent third party,
  • 2-weekly internal network penetration scanning using AlertLogic,
  • application penetration scans conducted by an independent third party at least annually, and as required after major releases.

Direct access to infrastructure, networks, and data is limited to essential business use only. Direct access to production resources is restricted to employees who require it and requires approval, strong multi-factor authentication, and access via a bastion host. All activity on production systems is logged.

Production and non-production networks are segregated. All network access between production hosts is restricted using firewalls to only allow authorized services to interact in the production network.

Telrock maintain a Regulatory Compliance Plan. The plan:

  • is designed to meet the Service Provider provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act,
  • incorporates guidance on contract structuring to satisfy the DFWSR&CPA Service Provider provisions,
  • incorporates guidance on oversight of third parties,
  • incorporates guidance on the Safeguards Rule.