Business continuity plan Ref:

CONFIDENTIAL Version: 1.0

Date: 30.05.2021
Page: 1/15

Page 1© 2021 BPC Payment Services Plc. Proprietary and Confidential.

 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 2/15

BPC Payments Services Plc.

Business continuity plan
May 2021

Page 2© 2021 BPC Payment Services Plc. Proprietary and Confidential.

 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 3/15

TITLE: Business continuity plan

STATUS: Valid
SUBJECT: This document describes the rules, procedures and
requirements for prevention relevant to the emergency
operation of BPC Payments Services Plc.

AUTHOR:
Name Position Date Signature
Andrea Róth-Varga Operations Expert

REVIEWER:
Name Position Date Signature
László Tóth Information Security Manager

APPROVED BY:
Name Position Date Signature
Péter Ilosvai Operation Manager

All rights reserved. Copying the content of the document, in whole or in part, for any purpose
is only permitted with the prior written authorisation of BPC Payments Services Plc.
The data and information contained herein are confidential and have been issued by BPC
Payments Services Plc. to support the work of its own employees and its affiliated consultants
and business partners closely related to the activities of BPC Payments Services Plc. Disclosure
of the contents of the document in whole or in part to any person is only permitted with prior
written authorisation from BPC Payments Services Plc.

Page 3© 2021 BPC Payment Services Plc. Proprietary and Confidential.

 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 4/15

Contents
1. DOCUMENT MANAGEMENT .................................................................................................................... 6
1.1. RECIPIENTS (DISTRIBUTION LIST) ............................................................................................................ 6
1.2. DOCUMENT HISTORY .............................................................................................................................. 6
1.3. FORECASTING FUTURE CHANGES ............................................................................................................ 6
1.4. OTHER RELEVANT DOCUMENTS AND REFERENCES ................................................................................. 6
1.5. ABBREVIATIONS ...................................................................................................................................... 6
1.6. SUBMISSION OF MISSING DOCUMENTS .................................................................................................. 6
2. GENERAL PART ........................................................................................................................................ 7
2.1. PURPOSE OF THE PLAN ........................................................................................................................... 7
2.2. SCOPE OF THE PLAN ................................................................................................................................ 7
2.2.1. PERSONAL SCOPE OF THE PLAN .............................................................................................................. 7
2.2.2. MATERIAL SCOPE OF THE PLAN ............................................................................................................... 7
2.3. RELATED POLICIES ................................................................................................................................... 7
3. BUSINESS IMPACT ANALYSIS ................................................................................................................... 9
3.1. SERVICE MODEL ...................................................................................................................................... 9
3.2. BUSINESS STRATEGY ............................................................................................................................... 9
3.3. CRITICAL BUSINESS PROCESS ................................................................................................................ 10
3.4. IT AND OTHER RECOURCES REQUIREMENTS ......................................................................................... 10
3.5. ACCEPTED SERVICE LEVEL ...................................................................................................................... 11
3.6. FLOW CHART OF BCP AND DRP ............................................................................................................. 11
3.7. DISASTER OCCURANCE .......................................................................................................................... 12
4. ALTERNATIVE BUSINESS SITE................................................................................................................. 12
5. CONTINUITY PLAN ................................................................................................................................. 12
5.1. DISASTER OCCURRENCE ........................................................................................................................ 13
5.2. PLAN ACTIVATION ................................................................................................................................. 13
5.3. ALTERNATIVE SITE OPERATION ............................................................................................................. 13
6. RECOVERY TEAMS ................................................................................................................................. 13
6.1. TEAM ROLES ......................................................................................................................................... 14
6.2. TEAM CONTACTS................................................................................................................................... 15
1. APPENDIX ............................................................................................................................................. 15
1.1. CONTACT INFORMATION .................................................................... ERROR! BOOKMARK NOT DEFINED.
1.2. EXTERNAL CONNECTIONS ................................................................... ERROR! BOOKMARK NOT DEFINED.

Page 4© 2021 BPC Payment Services Plc. Proprietary and Confidential.

 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 5/15

2. APPENDIX ............................................................................................................................................. 15

Page 5© 2021 BPC Payment Services Plc. Proprietary and Confidential.

 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 6/15

1. DOCUMENT MANAGEMENT

1.1. RECIPIENTS (DISTRIBUTION LIST)

● Employees of BPC Payments Services Plc.

1.2. DOCUMENT HISTORY

Vers Date Issued by Change/Comment
ion
1.0 30/05/2021 Péter Ilosvai New document

1.3. FORECASTING FUTURE CHANGES

Any change in any referenced figure will result in a version change in both the document and
the other figures.

1.4. OTHER RELEVANT DOCUMENTS AND REFERENCES

No. Ref. Version Date Title

1.5. ABBREVIATIONS
Abbreviation Explanation/Description
BCP Business Continuity Plan
DRP Disaster Recovery Plan
ICT Information and Communication Technology
MIPOD Minimum Tolerable Period of Disruption

1.6. SUBMISSION OF MISSING DOCUMENTS

Paragraph Description

Page 6© 2021 BPC Payment Services Plc. Proprietary and Confidential.

 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 7/15

2. GENERAL PART

2.1. PURPOSE OF THE PLAN

The responsibility and the business content of the operation of BPC Payments Services Plc.
(BPC PS) is to develop and provide 7x24 Payment services to its customers regarding payment
card processing management.
Therefore, the continuity of its business is largely dependent on the smooth operation of its
IT systems, including its material, technical and personnel conditions.

The purpose of applying the business continuity procedure is to ensure the operation of
processes related to card services in case of an adverse event (disaster, malfunction).
Alternative processes may need to be put in place from the disruption of operation to the
soonest possible recovery.
Considering that the services of BPC PS are inseparable from IT services, this plan is the part
of the following rules:
● Strategic and operative disaster recovery rules

2.2. SCOPE OF THE PLAN

2.2.1. PERSONAL SCOPE OF THE PLAN

The personal scope of the Plan covers:
● All employees of BPC Payments Services Plc.
● All natural and legal persons in contractual or other types of relationship with the IT
system and services of BPC Payments Services Plc.

2.2.2. MATERIAL SCOPE OF THE PLAN

The material scope of the Plan covers:
● All IT systems (existing or to be developed in the future) supporting bank card business
processes owned or operated by BPC Payments Services Plc. and the system
components that constitute the environment thereof, throughout their full life cycle
(from phase-in to phase-out).
● All BPC Datacenters
● All BPC correspondent offices

2.3. RELATED POLICIES

Related policies and instructions:
 Business continuity policy

Page 7© 2021 BPC Payment Services Plc. Proprietary and Confidential.

 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 8/15

● Service continuity incident policy

● Security incident policy
● IT security policy

Page 8© 2021 BPC Payment Services Plc. Proprietary and Confidential.

 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 9/15

3. BUSINESS IMPACT ANALYSIS

3.1. SERVICE MODEL

Service based offerings have been around for many years and as the flexibility and agility of
new technology prove themselves in live environments, choice and complexity
follow. Offering one similar experience across a myriad of channels and devices is something
to do every day. It is something our customers expect to run smoothly and without fail or error.
They may expect the same from us. We untangle the complex, we streamline the payments and
commerce transactions and ring-fence our business and customers. We dedicate a case manager
to our customers, a point of contact for all sales, support and product questions.

Run on technology that ‘fits all’, Radar Payments offers customized services for its customers.
Their required level of service determines the model that works for them. Common practice
where possible, tailor made where needed.

3.2. RADAR PAYMNETS BUSINESS STRATEGY

Developing and maintaining a next-gen payments solution offering for PSPs and SME
focused Fintechs
a) Maintaining the leading position in the functionalities and quality of services and be
the one-stop shop for POS, e-commerce, ATM acquiring and card issuing for any size
of institution
b) becoming an end-to-end Greenfield Digital Bank build service provider for incumbent
banks and financial institutions
c) Developing an SME financial inclusion ecosystem offering full-suite of SME
propositions for unbanked / underbanked / small business -e.g., financing / working
capital, vendor management, inventory management etc.
d) Creating a transportation payments platform (end-to-end payments value-chain
solution vertical)
e) Marketplace offering ‘all in one’ payments and value added services solutions for
corporates incl. CRM, data management, tax / accounting services etc.
f) Increasing presence in Europe / LATAM / Africa and APAC by being opened to even
taking equity holding in start-ups in lieu of service fees

Page 9© 2021 BPC Payment Services Plc. Proprietary and Confidential.

 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 10/15

3.3. CRITICAL BUSINESS PROCESS

Radar’s BC processes for its 7x24 services

 Process of collecting and authorizing all transactions
 Process of collecting all information from / to Payment networks
 Process for processing all transactions
 Process of generating all clearing and financial reporting and accounting information
 Process of information distribution to customer
 Incident management process
 Change management process
 Release management process

3.4. IT AND OTHER RECOURCES REQUIREMENTS

 Planning and scheduling – The available resources should be allocated effectively.

 Available and required skills – Assessing the skills of each person and whether additional
skills (or people) need to be added
 Resource utilization – Knowing where people are already committed and if those
allocations are appropriate
 Resource capacity – It should be kept in mind the true capacity to do work, recognizing
that not all time can be utilized.
 Resource prioritization and allocation – Identifying those prioritized initiatives that the
most attention and possibly specialized skills

Page 10© 2021 BPC Payment Services Plc. Proprietary and Confidential.
 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 11/15

3.5. ACCEPTED SERVICE LEVEL

Radar standard Service Levels for it operation services

Priority Code Description Target Response Time Target Resolution Time

P1 Critical <15 minutes < 1 hours
P2 High < 1 hour < 2 Business Days
P3 Medium < 8 hours within working hours < 3 Business Days
P4 Low < 2 Business Days < 10 Business Days
P5 Very Low < 3 Business Days < 15 Business Days

3.6. FLOW CHART OF BCP AND DRP

This level of service should be provided until DRP enters into force.

Page 11© 2021 BPC Payment Services Plc. Proprietary and Confidential.
 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 12/15

3.7. DISASTER OCCURENCE

Annual rate of occurrence (ARO) is expected number of disaster occurrences during a calendar
year. For rare incidents, it is equivalent to a probability of one or more incidents during a year;
for frequent incidents, it is equivalent to the expected number of incidents per year.

For Radar Payment ARO is 0,25

4. ALTERNATIVE BUSINESS SITE

An organization uses the alternate business site and relocation strategy in the event of a disaster
or disruption that inhibits the continuation of the business processes at the original business
site. This strategy should include both short-term and long-term relocation sites in the case of
both types of disruptions.

In case of Radar for its all critical IT based services Dacenter and office reallocations are
defined and available for 365 days per year.

According to BPC BPC strategy the alternative office site is the coworkers home office

5. CONTINUITY PLAN

In case of disaster situations, like office fire or flood, earthquakes, disastrous incidents or
pandemic situations the COO of Radar call for the actions that the continuity plan takes
effective.
It should be done by written form informing all employees of BPC Payments Services Plc.

At the same time Employees’ home offices must be equipped followings:

 Active wired and mobile internet connections
 office workplace laptop
 during such period communication is vital, therefore employee must be available and
reachable in working hours our according to their planned working shift.

Therefore, all must be online on:

o slack

Page 12© 2021 BPC Payment Services Plc. Proprietary and Confidential.
 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 13/15

o skype
o email and
o mobile telephone channels

Geo-redundant high availability and operation is also supported by activating the headquarters’
IT and human workforce.

It is tested successfully for COVID-19 especially for the period begin from 8th of March, 2021
with the following additions:

5.1. DISASTER OCCURRENCE

BPC declares a disaster and makes the decision to activate the rest of the recovery plan.

5.2. PLAN ACTIVATION

During this phase, BPC puts the business continuity plan into effect. This phase continues until
the company secures the alternate business site and relocates the business operations.

5.3. ALTERNATIVE SITE OPERATION

This phase continues until the business can restore the primary facility.

6. RECOVERY TEAMS

The company establishes recovery teams and divides the participants into appropriate groups
based on job role and title. The organization designates a team leader for each team. It assigns
a specific role or duty to each remaining member of the team.

Page 13© 2021 BPC Payment Services Plc. Proprietary and Confidential.
 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 14/15

6.1. TEAM ROLES

Involving subcontractors, BPC PS maintains a disaster recovery and incident management
organization, which is available to the Disaster Recovery Group non-stop, i.e. providing a
7/24/365 service.

Members of the group:

 Incident manager
His/her task is to coordinate the troubleshooting of the fault or disaster incidents and to
control elimination of their effects. He/she has the power to decide on how to resolve
the issue, take action on system/device access permissions while in compliance with IT
security rules when this is required by the method or process of troubleshooting.
 Operations shift manager
His/her task is to support Incident manager’s work, i.e. to participate in identifying the
cause of the incident and developing potential remedies. He/she performs application-
level operations in the specific systems according to the Incident manager’s
instructions.
 Application administrator
He/she is tasked with supporting Incident manager's work, use his/her expertise to help
identify the cause of the incident and develop potential remedies. Performs the required
system and database modifications according to Incident manager’s instructions.
 Network administrator
He/she is tasked with supporting Incident manager's work, use his/her expertise to help
identify the cause of the incident and develop potential remedies. Performs the necessary
network troubleshooting activities as instructed by Incident manager.
 Database administrator
He/she is tasked with supporting Incident manager's work, use his/her expertise to help
identify the cause of the incident and develop potential remedies. Performs the necessary
network troubleshooting activities as instructed by Incident manager.

The Disaster Recovery Group staff perform their tasks in a duty-tracking system, the duty
assignment has to be prepared for one month in advance and brought to the attention of those
concerned. See Disaster Assessment Appendix 2.

The detailed regulation of the group’s operation is contained in the ‘BPC PS Service Incident
Management Document’.

Page 14© 2021 BPC Payment Services Plc. Proprietary and Confidential.
 Business continuity plan Ref:
CONFIDENTIAL Version: 1.0
Date: 30.05.2021
Page: 15/15

6.2. TEAM CONTACTS

Stored in the Contact List Appendix

1. APPENDIX

It is constantly being updated:

https://confluence.bpcbt.com/display/BPayS/Operational+contacts

2. APPENDIX

Disaster Assessment

Page 15© 2021 BPC Payment Services Plc. Proprietary and Confidential.