PCI Compliance, The Basics, by Jubin Pejman, Managing Director of FCM360
“The worst cyber theft in history was on July 25, 2013, when Ukrainian and Russian hackers netted $300 million from the theft of 160 million credit card numbers from Visa, J.C. Penney, Jet Blue, and French retailer Carrefour, selling the data for $10-$50 per card. Compare that to your average bank heist that nets $7,500.” (Dr Anders Corr, Corr Analytics)
Cyber theft can occur anywhere along the path that begins when a merchant first comes in contact with credit card information and continues as the data moves across numerous points in its processes: sharing cardholder information with financial institutions and, finally, placing it in data storage. If you take away only one point from this article, remember this: after authorization, it is folly to store card data unless it is essential to business operation, and even then only a few digits of the account number should be exposed.
At each point along the route, private information becomes vulnerable to criminal activity unless the company properly protects it. Fortunately, there is a universally accepted standard for protecting credit card information, administered by the Payment Card Industry Security Standards Council, or PCI SSC. Its Data Security Standard, or DSS, defines a secure system that keeps private cardholder data safe.
PCI credit card security guidelines apply to any entity with access to cardholder data or to other private data used to identify the customer. This includes companies that process credit cards to accept payment, those that transmit the information and those that store the data for later use: merchants, processors, banks and any other company or organization that comes in contact with credit card information in the normal course of business. Companies with access to private cardholder data need to follow specific protocols to meet PCI compliance.
The first step is to identify every part of the company’s processes that puts the data at risk and to find potential trouble spots within those processes. The second is to fix the identified problems by creating processes that keep the information safe and by getting rid of stored data that does not need to be retained. The third is to document the findings and processes and to report them to the credit card companies and banks.
PCI Compliance Protects Data
The three main goals of Payment Card Industry (PCI) compliance are then broken down into achievable steps. Most importantly, companies need to keep the actual credit card data secure by protecting the stored data in their possession and by encrypting the data whenever it is transmitted over unsafe, unsecured networks.
Beyond the data itself, PCI requirements also focus on a company’s networks and systems, which grant people the ability to obtain private information. To have a secure network that protects vulnerable data, companies need a strong firewall setup. It is also essential to change the passwords and other defaults supplied by vendors to new ones that are difficult to crack. Passwords such as the product or vendor name followed by 1234 or 4321, access, admin, anonymous, database, Guest, manager, pass, password, root and sysadmin are still in use and are an open invitation to hackers, the Council stresses.
To protect their systems from vulnerabilities, companies need to build secure systems and applications and keep them secure as new flaws are discovered. They also need to protect their systems from malware and keep current anti-virus software in use to ward off harmful viruses.
Another PCI goal is to put effective procedures in place to control who can view and use private credit card data. To achieve this, companies need to limit the parties who can retrieve the data, both on site and off, monitor who is accessing the system, and require an authentication step before access is granted.
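As an added example (not code from the article or from FCM360), here is a small Python scrubber that applies two of the points above: it reduces any Luhn-valid card number found in a log line to the first six and last four digits (the most PCI DSS requirement 3.3 allows to be displayed), and it flags the vendor-default passwords the Council lists. The sample log line, the test card number and the vendor name are constructed for the example.

```python
import re
from typing import Tuple

# Vendor-default passwords the Council quotes in the text above; the
# "[vendor] 1234 / 4321" pattern is handled in is_vendor_default().
DEFAULT_PASSWORDS = {
    "access", "admin", "anonymous", "database", "guest", "manager",
    "pass", "password", "root", "sysadmin",
}

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log line (not real data): one test PAN plus an order id.
SAMPLE_LINE = ("2015-08-20 auth ok card=4111 1111 1111 1111 "
               "amount=25.00 order=123456789012345")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, which separates real PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (PCI DSS requirement 3.3)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN in a log line; return the line and a count."""
    count = 0
    def repl(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):  # order ids and the like fail Luhn and stay
            return m.group(0)
        count += 1
        return mask_pan(digits)
    return PAN_RE.sub(repl, line), count


def is_vendor_default(password: str, vendor: str = "") -> bool:
    """True if the password is one of the defaults the Council warns about."""
    p, v = password.strip().lower(), vendor.strip().lower()
    return p in DEFAULT_PASSWORDS or (bool(v) and p in {v, v + "1234", v + "4321"})
```

Run this over application and web-server logs before they reach long-term storage; a non-zero count from scrub_line is itself a finding, since card data should not have been written there at all.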
Likewise, the networks under observation have to be checked on a consistent basis for flaws and problems. Toward this aim, the company should test its processes and systems on an ongoing basis to ensure maximum security effectiveness and monitor everyone with access.
Finally, according to PCI protocols, a company responsible for the privacy and security of credit card data needs to have a policy in place concerning this area of the business. The policy should direct the actions of employees in relation to information security, so that every employee knows their obligations.
As new risks, methods or changes in the environment emerge, the council updates the compliance guidelines and companies that deal with cardholder information must keep up with the latest information in the field.
Companies in contact with cardholder information can check to make sure they are compliant with the Payment Card Industry Security Standards Council (PCI-SSC) using the tools that are made available to them. The Council and the credit card companies try to make it easy for merchants and other companies to stay compliant and accountable.
Among the tools available to assist merchants and others are compliance programs offered by the credit card companies themselves. The programs differ depending on the company, so it is important to check the programs of each company with which the merchant works.
In addition, the Council’s Qualified Security Assessors and Approved Scanning Vendors are charged with determining whether companies are in compliance. In some cases, organizations do not have to submit reports on their compliance measures and can instead complete a Self-Assessment Questionnaire to confirm they are acting within the guidelines.
These compliance measures are designed to help companies and organizations follow the PCI Data Security Standard. The overall goal is to protect valuable cardholder information, essential to the consumer and the companies processing transactions.
The PCI Security Standards Council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., with merchants, payment card issuing banks, processors, developers and other vendors participating, according to a report by PCI-SSC. The Council offers a variety of programs aimed at helping merchants and others transition to the PCI-DSS standards and gain the training they need to launch and manage an effective security program at: www.pcisecurity.org
FCM360 Expands with PCI 3 Compliant Hosting Services
Jubin Pejman, managing director of FCM360, announced the company’s diversification into new products: e-commerce hosting and PCI 3 compliant credit card clearance services at FXIC New York 2015. This signature US event for the forex industry was organized by Shift Forex.
Since its founding nearly a decade ago, FCM360 has become firmly established as a high-speed, low-latency infrastructure provider for FX brokers and traders worldwide. The company’s cloud-based hosting services at the major trading centers NY2/4, LD4 and TY3 have proven their reliability—there has not been a single minute of downtime, including during hurricane Sandy, which wreaked havoc on Wall Street.
Announcing the launch of its e-Commerce and Credit Card Clearance services, Pejman underscored FCM360’s unique place among the competition. Pejman told some 400 financial industry insiders, “FCM360’s combination of business and financial acumen with technology is a unique benefit for our clients,” adding, “By the time a potential client comes to us they have evaluated at least ten other companies and have become extremely well-educated shoppers. None of the companies they’ve considered could deliver the entire service suite they wanted. By the time they speak with us, they know what they need, and the competition could not deliver.”
Among the competitors vying for a piece of the secure hosting market is Amazon. Pejman dismissed the mega-marketer, saying, “Amazon lacks financial cloud services expertise.” He told FXIC NY delegates, “When we bring on a new customer, we scale our cloud for their specific business needs, something others cannot do.”
FCM360’s pricing is typically $5,000-$10,000 per month for fully supported services, with contracts ranging from one to three years. According to Pejman, “Amazon is likely to charge $15,000 on top of hosting and tech support fees. I don’t believe Amazon cares about your business.”
“Our ideal customer is an ISP software company that wants to connect with their customers. We put them on servers that are colocated with their customers in the same data center.”
During an interview at FXIC NY, Pejman underscored the threats lurking in the e-commerce and credit card clearance environment with the growing number of bad actors including organized criminal enterprises and state-sponsored terrorists.
As a PCI compliant provider, FCM360 adheres to the universally accepted standard for protecting credit card information administered by the Payment Card Industry Security Standards Council, or PCI SSC. Its Data Security Standard, or DSS, creates a secure system that safeguards private cardholder data.
By way of background, the PCI Security Standards Council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., with merchants, payment card issuing banks, processors, developers and other vendors participating, according to a report by PCI-SSC.
Call 212-319-1717 to discuss your Hosting and Financial Cloud needs or visit us at www.FCM360.com
News, Appointments & Events
Forex Summit Newsletter wants to hear from you and your company. We will publish your company news, new career appointments and promotions, and events including seminars, conferences, webinars and speaking engagements.
CurrentDesk just released a new Exposure Monitor for its software line CurrentRisk. Travis Dahm, business development director, tells us Exposure Monitor allows brokers to see and manage portfolio exposure across multiple servers in a single unified view and on a per-asset basis.
Forexware, an end-to-end FX solutions company, now has an arrangement with Shanghai Fu Li Lai Information and Technology Limited to act as an exclusive reseller of Forexware technology to the Chinese market.
The partnership will provide the Chinese market with 24-hour direct onsite support for the full Forexware product suite ranging from startup brokerage kits to full enterprise solutions encompassing back office technology, risk management tools and MAM solutions. FXStarterKit, Forexware’s solution for ambitious entrepreneurs requiring a complete solution for a white label platform is expected to be a driving force for new business in the Asia region, says the company.
Speaking of China markets, the 2015 China (Shanghai) Forex Expo will take place on September 11-13, 2015 at the Shanghai Mart exhibition hall.
The Shanghai Forex Expo offers traders, brokers, investors, affiliates and IBs an opportunity to promote their Forex business and get direct access to the Forex market in China. More than 60 Forex and binary option exhibitors and Forex media have signed up.
When it comes to cyber theft, China is in the hotseat—the US has accused China of stealing information on 20 million Americans from the Office of Personnel Management, but wants to avoid “escalating cyberconflict,” says The New York Times. Retaliation aside, Boston Global Forum, a think tank founded by former Gov. Michael Dukakis and Tuan Anh Nguyen, who opened up Vietnam to the Internet, is campaigning to increase global awareness of the threat of cyber warfare and its consequences. Boston Global Forum will propose practical solutions to prevent cyber warfare, says Nguyen, adding that the think tank, with numerous Harvard professors onboard, is establishing an ethics code of conduct for cyber peace and security by year’s end.
ThinkForex now conducts weekly webinars on a variety of topics to help traders stay informed about all the topics they need to know: market analysis, regulation, ThinkForex’s policies, and more. Every webinar is a unique live event that includes a Q&A session.
ETX Capital’s client list purchase netted 6,000 new customers and $30 million in new assets. Company sources tell us: “Just five months after ETX Capital’s purchase of the client list of Alpari (UK) from the Joint Special Administrators, the deal has already proved to be a significant success for both the company and the former Alpari clients.” ETX Capital serves retail, institutional and high net worth customers with multi-asset and multi-market trading capability through financial spread betting, leveraged Forex, CFD and Binary trading.
ID Global Solutions Corporation (OTC: IDGS), a global payment solutions company, has acquired MultiPay SAS, headquartered in Bogota, Colombia to offer multifunctional payment gateway services to merchants, enterprise businesses and banking institutions in Colombia and Peru. MultiPay provides end-to-end transaction processing technology including, transactional routing, payment gateways, electronic devices management, stored value card programs and mobile financial solutions.
The summer FXIC NY conference introduced Speed Networking this time, with 20 companies and organizations, including Nasdaq, Current Desk, ChartIQ, FCM360 and Investing.com to name few, sponsoring tables for five-minute pitches over two sessions.
The afternoon session was more sociable, thanks to organizer ShiftForex treating every table to 12-year-old Macallan whisky. Instead of moving on at the five-minute bell, folks lingered. As Ian McAfee, Shift Forex CEO, put it, “If speed networking turns into networking, then so much the better.”
Kiana Danial was also at FXIC NY promoting her book, “Invest Diva’s Guide to Making Money in Forex” (New York, McGraw Hill Education, 2013). Danial bills her book as a step-by-step guide on how the global currency market works; why social, political, and cultural events shape trading; short- and long-term strategies; and how to navigate the economic calendar. Danial, who was born and raised in a Jewish family in Iran, experienced being a minority at an early age and again when she won a scholarship to study economics in Japan. She was the only woman and the only foreigner in her class. Her life goal is to empower women, who she says “frequently make smarter, wiser and less risky investment choices than their male counterparts.”
FX News That Matters
CNBC…Asian Stocks Fall Amidst China Worries and Lower Energy Prices. A preliminary Caixin/Markit survey showed activity at smaller factories contracted by the most in 15 months. Meanwhile, the consequences of China devaluing the Yuan are being felt worldwide reports CNBC.
Bloomberg View…Is Greece Doomed? Keeping Greece inside the euro system was a questionable decision—but, having chosen that course, the country’s government and creditors are obliged to make it work. Early signs aren’t encouraging with the stock market tanking and factory production in a slump, says Bloomberg.
Vietnam News…If you want to make foreign direct investments (FDI) in Vietnamese companies, new rules apply. Vietnam News says specific regulations on foreign exchange transactions will bring transparency and make FDI activities more effective. In real estate alone, says the Vietnam government, more than $1.2 billion of FDI was channeled into the real estate industry in July, bringing the total figure for this year to $1.69 billion.