10

There are a lot of questions on storing credit card information, and of how PCI SSC/PA-DSS regulations apply to such activities and systems. I have read a lot of these, but my question relates to a different question that may or may not have anything to do with PCI compliance.

My question is, specifically: what are the implications of storing sort codes and account numbers online, considering we are not taking any kind of payment? So, nothing to do with using the information to make payments through the system, but using the information to enable other users who have access to the system to make payments.

I have taken a look at this question: Is PCI DSS applicable to other solutions than those dealing with payment cards?, but I really need to know the regulations and what is mandatory.

I understand that if we did have payment provision on the website we are developing, then the storage of account numbers would affect the level of PCI compliance we would need to adhere to.

Currently we are adhering to what would be considered security 'best practices', so using SSL, encrypting information in the db, a dedicated server with a hardware firewall, etc., but these 'best practices' are from the internal point of view of a development team. I know the software in PCI compliance is only one part of the overall security regulations. Outside of PCI compliance, is there, for example, a definitive set of rules for storing sensitive information? Are we, for example, obligated to adhere to ISO 27001 standards? Who defines what information is considered 'sensitive'?

The general consensus regarding PCI compliance and the handling of credit cards is that if you need to ask, then you shouldn't be doing it. I'm not necessarily asking whether or how we can do it, but whether anyone has experience of this, and whether we need to engage a 3rd party consultant who specialises in such areas.

JonB

2 Answers

7
  1. If you're not handling credit cards, debit cards or other related payment cards, PCI does not apply to you in the sense that you are not beholden to follow its requirements in any way. PCI is "enforced" by the business relationships between merchants, acquirers, and issuing banks; if you aren't handling cards, you don't have those relationships.
  2. Because the PCI standard "represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information", it is useful and relevant to sort codes, bank routing numbers, and account numbers. However, it also assumes an environment (generally, cardholder data in transactional motion) which may not apply, so as someone said in the other post you linked, parts of PCI may be irrelevant or counterproductive for your particular problem.
  3. It cannot hurt you to talk to your bank about any advice or regulations they consider relevant. Where you use the term "sort codes" I assume you're in Europe, and I have no idea what other regulations - consensual or governmental - would apply to you.
  4. The bottom line is, PCI is common sense security, and even if holding non-PCI account data you'd be smart to follow any applicable parts while being careful to understand what doesn't apply to your situation. PCI is also a lowest-common-denominator standard, so you should continue to improve your security from there. Good luck!
gowenfawr
  • That's really helpful. I am thinking that point 3 is critical. Going on what Jeff has said about contracts, and what you have said about relationships, if I were to say to 1000 people, let me store your c/card numbers online for you and not do anything with them, and they agreed, and then the site I was storing them on was hacked, who would be liable? Who would prosecute? I am not in a contract with a bank so they wouldn't(?). If it was a person I had talked to, then I could argue that (as long as I could prove it) they agreed to me putting their information online... – JonB Aug 12 '11 at 14:18
  • Following PCI regardless of what you are storing is good advice, but what it comes down to is other regulations that could be invoked in a case where something goes wrong. If I followed PCI compliance I could argue that I did everything to prevent the information being hacked, but that doesn't sound bulletproof, which worries me slightly. It sounds like it comes down to getting proper legal advice. – JonB Aug 12 '11 at 14:20
  • Firstly, you would be liable, but there would be no prosecution - that's for civil or criminal offenses. You would probably be sued by the individuals. Even if you were under PCI scope, it would still be a matter of lawsuits instead of prosecution. So it's a matter of you doing due diligence to protect the information, and hoping it would be sufficient in court should the worst happen. PCI compliance might help, just because it has prestige, but nothing will provide absolute protection. There is insurance coverage for this sort of thing, as a final layer of protection. – gowenfawr Aug 12 '11 at 14:28
  • Ok, that is interesting - ultimately it could come down to insurance, and I assume an insurer is only going to give you cover if they think we have done everything we can to protect the data. Hence, PCI compliance would be the best way of demonstrating this. – JonB Aug 12 '11 at 14:37
  • Yes, it's fair to say that PCI compliance has the advantage of being reasonably easy to audit and verify, and that it lends some credence, even if you aren't subject to it via any contractual relationship. – gowenfawr Aug 12 '11 at 14:47
4

The business owner determines what is considered sensitive. This may or may not be delegated to a security department. You are not obligated to adhere to anything except what is defined by law or by contract. If you are not in a contract with a credit card company as a merchant, you don't have to concern yourself with PCI. That doesn't mean that it isn't possibly a good idea.

Your question is broad and overarching... so I think that yes, you should consider engaging an outside consultant. Even from this question I have a lot of questions myself, particularly about how you'd end up with credit card information if you don't handle payments. You should have somebody who can tell you what risks you face and a rough estimate of what it takes to mitigate them.

Jeff Ferland
  • Good answer - thanks. Just to be clear though, I'm not storing credit card information, just sort codes and account numbers. This is so that another department in a company can use it to make payments (not via our system) to a particular person. – JonB Aug 12 '11 at 14:10