Frequently Asked Questions regarding security enhancements to payment and receivables advising

Contents

General Questions and Answers
SecureMail Questions and Answers
Forced TLS Questions and Answers

General Questions and Answers

1. Why is HSBC doing this?
HSBC takes information security seriously and we want to ensure that our customers’ data is handled to the highest possible security standards. We have therefore taken a proactive, standardised approach and set a global standard within HSBC to encrypt all email advising, and/or to mask any sensitive information within it that could pose a risk to our customers, business partners, clients or HSBC.

2. What is HSBC’s security policy on e-mail advising?
Security is a high priority for HSBC, especially when dealing with customers’ and business partners’ information. It is HSBC’s security policy to encrypt all email advices, and/or to mask any sensitive information within them that could pose a risk to our customers, business partners, clients or HSBC.

3. What information is classified as sensitive (“Restricted” and “Highly Restricted”) information on the Email Advising?
Account Numbers, Debiting/Remitter Account Name, Crediting Account Name, Payor Name and Beneficiary Name are all classified as sensitive data and will therefore be secured via data masking and/or encryption if sent via email.

4. What are the available security options under the new arrangement for E-mail Advising?
Under the new arrangement, if Forced TLS is in place for the recipient, the recipient will receive the e-mail advising via Forced TLS as per their current set up.  There will be no change.

Where Forced TLS is not in place, one of the following options is available:

Option 1 – An unencrypted email with restricted information masked;
Option 2 – An encrypted e-mail (using Voltage SecureMail) with information displayed in full; or
Option 3 – Two emails -- one unencrypted and another one encrypted.

The default setting will be Option 1 under which all advices will be sent out in unencrypted form with information masked. If you would like to change the setting to either Option 2 or Option 3, it can be done at Customer ID level and Recipient level. For more information on how this is done, please refer to the Encrypted advice set up procedure.

5. What do I need to do to receive new secured e-mail advising?
Option 1 (unencrypted e-mail with restricted information masked) will be set up as the default for you from September 2014. Unless you or your advising recipient would like to change this default setting to Option 2 or 3, there is no further action required.

6. What is the difference between the masked version of e-mail advising (Option 1) and the current version?
The overall format of the e-mail advice has not changed. The change will be on the sensitive information such as Account Number, Debiting/Remitter Account Name, Crediting Account Name, Payor Name and Beneficiary Name, which will have 50% of the characters masked.

7. Can the recipient request a resend of the advice with the full set of information in encrypted form (Option 2) if they find the masked version (Option 1) insufficient?

Yes. The recipient can send an e-mail request to requestsecuremail@hsbc.com quoting the advice reference number in the subject field of the e-mail (for example: Ref: [XXXXXXXXXXXX]). The entire e-mail subject can be used as well. As long as the data string Ref:[XXXXXXXXXXXX] is found in the subject of the e-mail, it will automatically trigger a resend of the advice with the full set of information in encrypted form (Option 2).

8. How can I change the default setting from Option 1 to Option 2 or 3?
To change the default setting, please contact your HSBC representative.

9. If I only want to send out a particular version of advices (either Option 1, 2 or 3) for selected recipients, how can this be set up?
Recipient / Transaction level setting is supported regardless of the default set up.

For Payment Advising, this can be set up via the payment files (i.e., that are uploaded via HSBCnet) or through the payment creation tool via HSBCnet.

For Receivables Advising, this can be set up via the receivables advising recipient file or the HSBCnet receivables advising set up tool.

For more information, please contact your HSBC representative.

10. For Payments Advising, do all payment file layouts allow recipient / transaction level setting of the secure e-mail preference?

Paymul, iFile, iDoc, ANSI820 and HSF file layouts support recipient / transaction level setting of the secure e-mail preference.

XML v2 and XML v3 payment file layouts do not cater to recipient / transaction level setting of the secure e-mail preference. To adhere to ISO20022 standards, the XMLv2 and XMLv3 payment file layouts cannot contain non-standard code words that can help to indicate the various secure email options. For XML payment files, the secure e-mail preference can only be set up at customer ID level.

For more information, please contact your HSBC representative.

11. What is the reason for providing option 3 (to send both e-mail versions)?
For most recipients, the masked advice will be sufficient; however, in certain situations, some recipients may need the full details of the advice without masking, i.e. option 2. Therefore, option 3 is provided to allow recipients to receive both versions of the advices if needed regularly.

SecureMail Questions and Answers

12. Is the Voltage SecureMail (SecureMail) solution suitable for everyone?

Messages sent via SecureMail can be received securely by any e-mail application such as Outlook, Outlook Express or Thunderbird or a web based email application such as Gmail, Hotmail or Yahoo. To view the secure message, recipients must also have access to a web browser.

13. Will using SecureMail cost the recipient of the e-mail?
There are no cost implications to receive e-mails encrypted by SecureMail.

14. Will the e-mail recipient have to download or purchase any software to receive secure email via SecureMail?
There are no requirements to download or purchase any new software when using SecureMail.

15. How will the recipient know the e-mail has come from HSBC via SecureMail?
It is always good security practice to inform your intended recipient that you are going to start sending them secure email encrypted by SecureMail. Also, every e-mail that your recipient receives via SecureMail will contain the same anti-phishing image that is assigned to them on their first secure message notification email.

16. Can the recipient’s company set up one SecureMail account for all their employees?
For security and technical reasons, each recipient of the e-mail must have a SecureMail account to ensure the e-mail is going to the authorised individual. Therefore the company cannot set up one SecureMail account for all employees.

If the e-mail is sent to a shared email account, the owner of the account will need to set up a SecureMail account and share the account access details in accordance with their company security policies.

17. What about the possibility of SecureMail being blocked by Spam filters?
Spam filters work in different ways. They may filter e-mails by looking at the e-mail header, subject line or e-mail content, or simply by looking at how frequently e-mail is received from a source that you have not authorised. Depending on the spam filter used by the recipient’s e-mail service provider, e-mail from HSBC that is encrypted by SecureMail may be blocked or placed in their junk/spam mail.

If the recipient is expecting an e-mail but does not see it in their inbox, they should firstly check their junk/spam box or, if they have received notification that an e-mail has been blocked, they should check the sender’s e-mail address. If they trust the source then they should continue to retrieve the e-mail in the way that they normally do. The recipient may also need to change the settings on their e-mail filter to permit such messages. For example, some settings prevent encrypted e-mail being received.

18. Can my recipient read emails encrypted by SecureMail on their Smartphone, e.g. BlackBerry or iPhone?
SecureMail messages are designed to be read from desktop or laptop computers only. Depending on their phone browser, the recipient may still be able to access the message from their Smartphone; however, this is not recommended or supported by HSBC.

Forced TLS Questions and Answers

19. What is Forced TLS?
Transport Layer Security (TLS) is a mail server feature which, once enabled, encrypts the transmission of electronic mail from one organisation to another over the Internet. Forced TLS is a configurable TLS policy setting which ensures the e-mail is only sent if it can be transmitted securely. See the TLS user guide for further information available from:

20. Who is Forced TLS suitable for?
Transport Layer Security (TLS) is installed/configured on the e-mail servers and therefore it is normally used by commercial/business organisations. TLS is fast becoming an industry standard and is now supported by the majority of mail server applications. HSBC has joined a growing number of organisations that have implemented it.

In order to use Forced TLS, the recipient’s e-mail server must be configured to accept TLS e-mail traffic and we must have their e-mail domains listed as Forced TLS enabled. Such customers/partners will be organisations that can manage their own e-mail infrastructure and have their own e-mail domain e.g. @hsbc.com. Where TLS cannot be configured, it will not be possible to use Forced TLS. For example, those who will not be able to use Forced TLS are users of web based e-mail services such as Hotmail or Gmail.

Your e-mail recipient may use a Third Party e-mail processor such as Message Labs to manage their e-mail and therefore, the Third Party e-mail processor may be able to set up a TLS connection between HSBC and the external email recipient’s company. The external email recipient or a representative from their company will need to speak to their Third Party e-mail processor for further advice.
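
The difference between Forced TLS and ordinary opportunistic TLS comes down to what the sending server does when the receiving server does not offer TLS. The following Python sketch is an added example, not HSBC's implementation; the domain list, addresses and EHLO replies are constructed, and it checks only whether STARTTLS is advertised.

```python
# Added illustration, not HSBC's implementation.
# Domains, addresses and EHLO replies below are constructed sample data.
FORCED_TLS_DOMAINS = {"partner.example"}  # hypothetical "Forced TLS enabled" list


def ehlo_extensions(reply):
    """Return the extension keywords advertised in a multi-line SMTP EHLO reply."""
    extensions = set()
    for line in reply.strip().splitlines()[1:]:  # first line is only the greeting
        if len(line) > 4 and line.startswith("250") and line[3] in "- ":
            fields = line[4:].split()
            if fields:
                extensions.add(fields[0].upper())
    return extensions


def delivery_decision(recipient, ehlo_reply, forced_domains=FORCED_TLS_DOMAINS):
    """Decide how the sending server treats one message for one recipient."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if "STARTTLS" in ehlo_extensions(ehlo_reply):
        # A real sender must also complete the TLS handshake before sending.
        return "send-over-tls"
    if domain in forced_domains:
        # Forced TLS: no secure channel means the message is not sent.
        return "defer"
    # Opportunistic TLS: silently falls back to an unencrypted session.
    return "send-plaintext"


WITH_TLS = "250-mx.partner.example\r\n250-SIZE 10485760\r\n250-STARTTLS\r\n250 HELP\r\n"
WITHOUT_TLS = "250-mx.partner.example\r\n250-SIZE 10485760\r\n250 HELP\r\n"

if __name__ == "__main__":
    for rcpt in ("ap@partner.example", "ap@other.example"):
        for reply in (WITH_TLS, WITHOUT_TLS):
            print(rcpt, delivery_decision(rcpt, reply))
```

The "defer" result is what makes the policy "forced": a receiving server that stops advertising TLS causes delayed mail rather than plaintext mail.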

21. Will using TLS cost the recipient of the email?
To send or receive e-mails securely via TLS, the recipient’s e-mail server must be configured to accept TLS e-mail traffic. There may be a cost to the recipient if either their current email server does not support TLS and new software needs to be purchased or they need to pay for IT work to configure their existing email server. Once the appropriate work has been done, the only ongoing cost will be for the yearly renewal of security certificates. Recipients will not be charged per secure e-mail they send or receive once TLS is implemented.

22. Will the recipient have to download or purchase any software to use TLS?
The correct server software is required to implement Transport Layer Security (TLS) on e-mail servers. The recipient may need to purchase new software if their current e-mail infrastructure does not support TLS or, if the recipient’s company is using a third party to manage their e-mail, they may need to negotiate the use of TLS connections with the third party.

23. How will the recipient view the secure message if it is encrypted by Forced TLS?
Recipients who receive an e-mail encrypted by Forced TLS will not need to take any specific action. The message will be delivered decrypted to their email inbox like any other e-mail.

     
       
 
 


© Copyright. HSBC Bank plc 2014. All rights reserved.
