|In the US is it illegal to store bank account numbers?|
Client wants me to do this for a project and I'm looking for an excuse to say no and steer him toward a more conventional payment solution.
Basically, the client wants an online form in which the bank # and the account # are either sent to him in an email or stored securely somewhere where he can access this information as needed.
Even assuming this is encrypted, is this legal in the US?
There is a wealth of information concerning what you have to do to store or process credit cards, but in all the searches I've done I haven't seen similar rules for bank accounts.
We can't give legal advice here, but google for "storing sensitive information legal issues" - if your client is not terrified of assuming the liabilities of this approach to sensitive data, he/she will be after reading up.
The other way to approach it is, okay, you are so bull headed you want to go for it? Here's what you need:
- A secure PCI compliant server, under your control. No, you can't pay someone to host it - or if you do, it has to be under an (expensive) agreement and insured against any data breach (I don't know if any hosting company will even step up to that one)
- Control over the distribution networks, and regular audits of those networks to ensure they are secure.
- Regular PCI compliance scans, and audits by security professionals
- Internal audits of all computers connected to this network, and regular updates to ensure their security.
- Personnel audits of the people accessing this data.
- Insurance to cover any incidents of data breach.
You could go on . . . the point is, is he/she willing to pay for the liabilities that may arise?
I'd walk away.
[edited by: rocknbil at 6:31 pm (utc) on Nov 21, 2011]
The bank account information normally is not very sensitive or secret information, at least compared to credit card information. I have never heard of any special requirements on how that kind of information has to be stored.
My bank account information is out in the open anyway - it is printed on my business letters and invoices so people can pay me. So I have shared my bank account information with thousands of people in the last years.
For what purpose does he need the information? I suppose it's for making payments to the accounts and not for receiving payments - because the only way to charge another bank account is direct debit - a popular way of payment in some European countries but not very common in the US as far as I know.
However, if you feel uncomfortable about this for some reason you should get legal advice from some expert. I would be very surprised, however, if there were any special requirements that go beyond the normal data protection requirements that are usual for other data, like address information.
- Regular PCI compliance scans, and audits by security professionals
Not even necessarily with credit card information - when your volume of transactions is not very high you fill out a "Self-Assessment Questionnaire".
This is not legal advice, but any time you write a check, you basically are giving away your account number, your bank's routing number, your address, your bank's address, and a whole bunch of other stuff (like a drivers license number and often your birth date - lots of businesses won't take a check without having them on the check).
Just a thought...
There is no "just a thought" on this. Contact (or tell your client to consult) an attorney for the EXPOSURE this would create and what LEGAL RESPONSIBILITIES are involved with BANK INFORMATION and PERSONALLY IDENTIFIABLE INFORMATION. Very dangerous aspect of doing business and one not to be approached lightly.
|There is no "just a thought" on this... |
Just to make it clear, I wasn't trying to offer legal advice. I just wanted to point out that as humans, we often worry about one thing while oblivious to bigger risks. It is sort of like how Kurt Cobain drove a Volvo because he was terrified of auto accidents...
If your client is planning on carrying out transactions based on this stored data, it may actually be a violation of the terms of his own merchant bank account. Is storing the numbers really worth losing the ability to get money from those accounts?
Most major merchant processors offer repeat billing tools that securely store the client's bank account # for you. Sure, they cost money, but the benefit is that you actually get to use them.
|Just to make it clear, I wasn't trying to offer legal advice. I just wanted to point out that as humans, we often worry about one thing while oblivious to bigger risks. It is sort of like how Kurt Cobain drove a Volvo because he was terrified of auto accidents... |
|Cobain, the lead singer of the American grunge band Nirvana, had checked out of a drug rehabilitation facility and been reported suicidal by his wife Courtney Love. The Seattle Police Department incident report states that Cobain was found with a shotgun across his body, had a visible head wound and there was a suicide note discovered nearby. |
Which makes one wonder why anyone would want to store banking information WITHOUT the REGULAR methods (AND EXPENSE) of doing so... PCI, Secured Servers, etc.
|For what purpose does he need the information? I suppose it's for making payments to the accounts and not for receiveing payments - because the only way to charge another bank-account is direct debit - a popular way of payment in some european countries but not very common in the US as far as I know. |
You're behind the times. Direct debits (and direct deposit of paychecks) took a while catching on in the US, but they're very common now. Unlike a credit card, a bank account doesn't expire every two years, so it's especially useful for recurring charges like insurance, utilities or, ahem, web hosting.
You don't see it that often for one-time charges, though. Partly because people with working brain cells would hesitate to give their account information to a company they've never dealt with before.
|Partly because people with working brain cells would hesitate to give their account information to a company they've never dealt with before. |
Yeah, but we sometimes get people who print out a product page of our site and MAIL it to us along with a personal check on which they have written down their driver's license, DOB, and SOCIAL SECURITY NUMBER.
They usually include a note saying that they don't pay by credit card online because of "security concerns."
I think those people tend to be, um... "elderly" so maybe the working brain cell count is kind of low...
|people with working brain cells would hesitate to give their account information to a company they've never dealt with before. |
I give my bank account details every day to dozens of individuals I do not know and every month to a dozen companies I do not know. I call that "receiving and making payments".
That's what the bank account information is for.