by EGreg
3103 days ago
Question for cyber pros: If you are storing sensitive info such as username/password to a TRADING PLATFORM (because the bank -- in this case OZforex -- doesn't have an API that lets you access it without them) what regulations do you need to meet in the USA and Europe? How does one even begin to find this out? This is for a client of mine. I realize in Europe you'll of course need the GDPR. But besides that, I tried for example to find out whether they need PCI-DSS level 4 but was told by an auditing firm that since they aren't storing CREDIT CARD info then PCI doesn't apply. I am not convinced. But there has to be SOME regulation to protect this data, no? I would appreciate any info, or if there is a way to speak offline (email you?) let me know.