“Just because someone else isn’t doing it, doesn’t mean we shouldn’t.”
—Privacy, Security and Swift
Reports of security breaches seem to fill the news every day, with new batches of consumer credit card numbers compromised and personal data records stolen. As a Visa® and MasterCard® prepaid program manager, we understand the responsibility that comes with handling this data, and we have taken every precaution so that our clients and their cardholders can trust that their information is secure.
Know your business. Know your customer.
Our security processes start before we even begin to work with a new client. Our on-boarding practices include performing thorough background checks, making sure we understand our potential client’s industry, ownership structure, value proposition and more. Only when we have 100% confidence in the companies we do business with, and their leadership, do we proceed. Otherwise, we walk away. We use respected fact-checking entities and adhere to 2 + 2 verification (checking two different pieces of information, verified by two independent sources) to ensure accuracy when vetting our clients and their partners.
These protocols matter not only for our peace of mind, and yours, but also for the financial institutions we work alongside, who (rightfully) demand that we demonstrate our due diligence.
We take the same precautions with cardholders. Under FinCEN (Financial Crimes Enforcement Network) and European e-money regulations, cardholders who cross certain thresholds must provide, and we must validate, their identity through multiple sources of identification (such as a driver’s license, a passport and a utility bill). Cardholder security measures continue through the life of a program and through each cardholder’s participation in it. We work with outside companies to screen every card account for potential fraud, against sanctions and terrorism lists (via OFAC, the Office of Foreign Assets Control), against PEP (Politically Exposed Persons) lists, and under other risk protocols. This screening occurs when a cardholder account is created, when funds are first loaded, and again every month until the card expires. In our regular examinations of potential clients and partners, we also check for criminal records, address and phone number changes, employment status and much more.
Banks and card processors have numerous certifications and guidelines available to them; some are mandatory, many are not. Swift does not believe security should be optional, so we adhere to the strictest of them. For example, Swift has always followed HIPAA (the Health Insurance Portability and Accountability Act) compliance standards, and we are now going through a third-party assessment for formal HIPAA Business Associate compliance certification. This process sets expectations and rules for protected health information (PHI) so that all required physical, network and process security measures are in place and followed. We have also long been a Level One service provider under the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements designed to ensure a secure environment for storing, processing and transmitting payment card data. The standard covers file integrity monitoring, data retention, physical and logical access controls, and many other security controls.
Swift’s 2015 months-long PCI audit was conducted against the revised and enhanced requirements of PCI DSS version 3.1. That revision put more attention on documentation: how events are identified and managed across the PCI infrastructure. Over the past 12 months, Swift has invested heavily in event log management, vulnerability scanning, change control documentation, and internal and external penetration testing to maintain information security best practices. Vulnerability scanning and penetration testing in particular were expanded as part of our third-party PCI audit and certification process. The two are not the same thing. A vulnerability assessment uses automated tools to look across defined IP address ranges for known weaknesses, such as unpatched or misconfigured systems. Penetration testing goes a step further and is always carried out by a person, not a tool: the tester first scans the systems to identify the IP addresses, device types, operating systems and software in use, uses that inventory to identify likely vulnerabilities, and then tries to exploit them to find and evaluate weaknesses in networks and applications. Swift passed with flying colors across all of its production and test environments, and across every internal and external hosted environment. The same requirements and certification process were also carried through to all downstream Swift suppliers that help deliver prepaid products on behalf of Swift and its client partners. Feel free to request an electronic copy of Swift’s PCI Attestation of Compliance (AOC).
Swift also performs rigorous internal monitoring to keep our exposure to outside threats as small as possible. Every month we review our firewall rule sets and security protocols, and we sweep for rogue access points. We track every logon attempt to our systems and every flash drive plugged into a USB port, and we are alerted instantly to every failed authentication attempt on any of our systems; our team also receives constant, recurring security training. Swift is well aware that it is what people don’t know that often leads to trouble. For example, did you know an attacker can gain access to your network through one of your printers or copiers? If a copier is connected to your network, or stores sensitive information such as email addresses for scan-to-email and file sharing, an attacker can use it as a way in. At Swift we make sure all guidelines are meticulously followed, and, as PCI DSS requires, any exception must be justified and covered by a documented compensating control.
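The failed-authentication alerting described above is straightforward to demonstrate in code. The following Python script is an added example, not Swift’s own tooling: it parses a few constructed OpenSSH-style log lines, reports every failed login as it is seen, flags a source address that exceeds a failure threshold inside a sliding time window as a brute-force source, and, the case a responder most wants surfaced, reports any later successful login from a source that was already flagged. The log format, the threshold of five failures and the two-minute window are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH syslog style with ISO timestamps.
# These are made up for the example; they are not real Swift logs.
SAMPLE_LOG = """\
2015-06-01T09:00:01 bastion sshd[4101]: Accepted publickey for alice from 10.0.5.12 port 51122 ssh2
2015-06-01T09:00:05 bastion sshd[4102]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
2015-06-01T09:00:06 bastion sshd[4103]: Failed password for invalid user admin from 203.0.113.9 port 40113 ssh2
2015-06-01T09:00:07 bastion sshd[4104]: Failed password for root from 203.0.113.9 port 40114 ssh2
2015-06-01T09:00:08 bastion sshd[4105]: Failed password for root from 203.0.113.9 port 40115 ssh2
2015-06-01T09:00:09 bastion sshd[4106]: Failed password for bob from 203.0.113.9 port 40116 ssh2
2015-06-01T09:00:12 bastion sshd[4107]: Accepted password for bob from 203.0.113.9 port 40117 ssh2
2015-06-01T09:03:30 bastion sshd[4120]: Failed password for bob from 10.0.5.40 port 52000 ssh2
2015-06-01T09:03:41 bastion sshd[4121]: Accepted password for bob from 10.0.5.40 port 52001 ssh2
2015-06-01T09:20:00 bastion sshd[4150]: Failed password for carol from 198.51.100.7 port 60000 ssh2
"""

# Assumed line shape: "<ts> <host> sshd[<pid>]: Accepted|Failed <method> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_line(line):
    """Return a dict for an sshd auth line, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["ok"] = ev["result"] == "Accepted"
    return ev


def analyse(log_text, threshold=5, window=timedelta(minutes=2)):
    """Scan auth log text and return three alert lists:
    failures: every failed attempt, as (timestamp, user, ip), i.e. the
        "alert on every failed authentication" behaviour.
    brute_force: one entry per source ip that reached `threshold` failures
        inside the sliding `window`, as (ip, first_ts, last_ts, count).
    success_after_burst: successful logins from an ip already flagged as a
        brute-force source, as (user, ip, timestamp). These are the ones to
        treat as possible compromises, not just noise.
    """
    failures, brute_force, success_after_burst = [], [], []
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = set()
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None:
            continue
        if ev["ok"]:
            if ev["ip"] in flagged:
                success_after_burst.append((ev["user"], ev["ip"], ev["ts"]))
            continue
        failures.append((ev["ts"], ev["user"], ev["ip"]))
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged.add(ev["ip"])
            brute_force.append((ev["ip"], q[0], ev["ts"], len(q)))
    return failures, brute_force, success_after_burst


if __name__ == "__main__":
    fails, bursts, compromises = analyse(SAMPLE_LOG)
    for ts, user, ip in fails:
        print(f"FAILED LOGIN  {ts.isoformat()} user={user} from={ip}")
    for ip, first, last, n in bursts:
        print(f"BRUTE FORCE   {ip}: {n} failures between {first.time()} and {last.time()}")
    for user, ip, ts in compromises:
        print(f"CHECK ACCOUNT {user}: success from flagged source {ip} at {ts.time()}")
```

The per-failure list is what a "tell me about every failed attempt" rule produces; on a busy bastion it is noisy, which is why the sliding-window count and the success-after-burst check are layered on top. Feeding real logs in is a matter of reading the file instead of `SAMPLE_LOG`; the regular expression would need adjusting for a different syslog timestamp format.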
Every piece of data in our system is also encrypted, both in storage and in transmission. So even if our data were somehow compromised, it would be unreadable without our decryption keys.
Who are you?
We never assume anything. We can’t afford to, and our clients and cardholders feel secure knowing we have taken every precaution. When our own employees need to access data, they must authenticate with both a PGP key stored on a flash drive and a unique password: something they have and something they know. Without both, even our own employees cannot access our systems.
When it comes to data security, we don’t take any chances. That’s why each of our servers is dedicated to a single function and physically separated from the others. This costs more to house and maintain, but if a security breach or software failure were to occur, only a small subset of systems and data could be damaged or infected. For example, our database runs on one standalone server, our web services on another, our domain controllers on a third, our accounting software on yet another; firewalls are stand-alone appliances, as are intrusion detection and prevention, and so on.
Your privacy is our business
Nothing is more important than cardholder privacy. Swift has long held Safe Harbor certification, meaning we adhere to EU data protection rules and regulations when handling personal data; in essence, we protect cardholder personal data with the highest level of safeguards. We also adhere to the Gramm-Leach-Bliley Act (GLB), which protects cardholders’ nonpublic personal information and requires Swift to explain what information is collected about a cardholder, where that information is shared, how it is used, and how it is protected.
What does this mean to me?
You will likely never know about all of our safeguards. That’s the goal: to work behind the scenes so you never need to worry about, or even think about, security and cardholder privacy. We provide peace of mind, and the strict protocols needed to maintain it. You can give your cardholders the same assurance.