
Webmaster General Forum

Collecting Sensitive Information
IntegrityWebDev (5+ Year Member)

Msg#: 4333085 posted 2:41 pm on Jun 30, 2011 (gmt 0)

I am working with a staffing company and they want an online application for their website, but they want to include sensitive info such as SSN#. I know I'd want to use SSL but beyond that I am not sure of what the best practices are for this kind of info.

Since I know email can be easily grabbed and would be unencrypted, I was thinking about storing the SSN in a DB in an encrypted format and requiring them to have a key on their end to unencrypt that info on screen only (ie, the info doesn't travel through email).

Would love to hear thoughts here. I know it's generally a bad idea to ever have SSN in a form but people have to do it online for sites such as this.... so there has to be a legal, reasonably safe way to do this.

Thanks for any input.

piatkow (WebmasterWorld Senior Member; piatkow is a WebmasterWorld Top Contributor of All Time; 5+ Year Member)

Msg#: 4333085 posted 3:56 pm on Jun 30, 2011 (gmt 0)

As soon as you use the word "legal" there are two things that must be kept in mind:
1. We are not lawyers, for definitive legal advice you need to go to a professional in your own jurisdiction.
2. This is an international forum and privacy laws vary a lot. What is considered normal practice on one side of Niagara Falls could get you into serious trouble on the other.

rocknbil (WebmasterWorld Senior Member; rocknbil is a WebmasterWorld Top Contributor of All Time; 10+ Year Member)

Msg#: 4333085 posted 4:47 pm on Jun 30, 2011 (gmt 0)

Sometimes "no" is a perfectly valid answer, even if clients don't like it. You could follow PCI compliance rules as if it were CC info, and although you're **probably** going to be off the hook if the data is breached - it will be on the site owners - but in the grand scheme of the universe, do you want to take that karma on? I wouldn't.

I usually explain it in terms of the liabilities they are suggesting: in order to do anything like this you need secure hardware, networks, security audits, and consultations with lawyers to determine the breadth and depth of what they are getting into. Then I send a couple links - most lately, Sony and Groupon's India unit. Most of the time they will modify their plan to collecting non-sensitive info and collect that later over the phone or in person. Cheaper = safer. :-)

Your plan is a reasonable one but remember if the server gets hacked, they can find your decryption key (which is why the hardware and system security is so critical.)
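
An added illustration of the plan in the opening post and the caveat just above (editor's example, not code from either poster): the web server holds only the staffing company's public key, so it can encrypt an applicant's SSN for storage but cannot decrypt it; the private key stays on the company's own workstation, where the value is decrypted for on-screen viewing only. Key names, the OAEP label and the sample SSN are assumptions made up for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// oaepLabel binds the ciphertext to this one use; a label mismatch makes decryption fail.
var oaepLabel = []byte("applicant-ssn-v1") // assumed label, chosen for this example

// GenerateReviewerKey is run ONCE on the staffing company's own machine.
// Only the public half is ever copied to the web server.
func GenerateReviewerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptForReviewer is the only SSN-handling code on the web server.
// It needs nothing but the public key, so a compromised server yields
// ciphertext and no decryption key (the risk rocknbil raises above).
func EncryptForReviewer(pub *rsa.PublicKey, ssn string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(ssn), oaepLabel)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptOnReviewerMachine runs on the staffing company's workstation,
// where the private key lives; the plaintext is only ever shown on screen.
func DecryptOnReviewerMachine(priv *rsa.PrivateKey, stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, _ := GenerateReviewerKey()                     // on the reviewer's machine
	pub := &priv.PublicKey                               // only this part goes to the server
	record, _ := EncryptForReviewer(pub, "123-45-6789") // constructed sample SSN
	fmt.Println("stored in DB:", record)                 // opaque without the private key
	ssn, _ := DecryptOnReviewerMachine(priv, record)
	fmt.Println("shown on screen:", ssn)
}
```

The email path is avoided entirely: the recruiter pulls the stored record over SSL and decrypts it locally, and nothing on the server can reverse the stored value.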

IntegrityWebDev (5+ Year Member)

Msg#: 4333085 posted 5:07 pm on Jun 30, 2011 (gmt 0)

Good info. What we may end up doing is asking for all info BUT the SSN and they would have to supply that in person.
