EFT Security Recommendations
August 24, 2009 8:27 AM

Is there a required or recommended security standard, compliance, or best practice for entities in the USA for collecting and storing bank account and routing numbers?

We will not be collecting credit/debit card information (so PCI DSS not required)...only bank account information for the purpose of Electronic Funds Transfer. The information will be stored and batch transmitted to our bank on a daily basis. Aside from the general measures in regards to site security and proper encryption of the information, are there any other specific requirements our developers need to be aware of?
posted by branwen to Computers & Internet (5 answers total)
Sure, use a third party merchant gateway who stores all this info for you; exposing your company to the risk of storing account and routing numbers is totally unnecessary.
posted by zentrification at 8:38 AM on August 24, 2009

A third party gateway was my recommendation; but the PTB (Powers That Be) opted to let our development vendor create an in-house solution. No, I don't like it, but I have to live with it, and make sure that we comply with any regulations, or at the very least, follow best practices for this scenario.
posted by branwen at 9:16 AM on August 24, 2009

If you have to store them in-house, I don't see any reason to use something other than PCI standards (encryption, physical access restrictions, blah blah blah).
posted by sachinag at 9:48 AM on August 24, 2009 [1 favorite]

Seconding adhering to PCI-DSS *anyway*. There's no point in deviating from best practices in regards to sensitive data.
posted by iamabot at 10:08 AM on August 24, 2009 [1 favorite]

PCI-DSS is definitely a good start. However, as this is US based and financial information is involved, the Gramm-Leach-Bliley Act possibly applies, and includes protection for this information in its Financial Privacy Rule, Safeguards Rule, and Pretexting Protection.

You didn't mention what your business category is, but the GLB Act applies to "financial institutions" - companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors. At the same time, the FTC's regulation applies only to companies that are "significantly engaged" in such financial activities. If you feel you may fall close to that definition, you should certainly take a look and validate with legal counsel.

The FFIEC IT Examination Handbooks provide guidance for meeting the Safeguard requirements of the GLB Act, including technical elements (such as encryption and access control), operational process controls (like risk assessments and security strategy), controls over outsourced development, etc. It is, in theory, part of how the appropriate Government Regulator for your business would assess your IT environment should the Act apply. The various handbooks combined are broader than the content of the PCI-DSS (maybe not as deep as PCI-DSS in places, but certainly more voluminous).
posted by inflatablekiwi at 1:34 PM on August 24, 2009
