
Forum Moderators: phranque


Collecting Sensitive Information

2:41 pm on Jun 30, 2011 (gmt 0)

5+ Year Member

I am working with a staffing company and they want an online application for their website, but they want to include sensitive info such as SSN#. I know I'd want to use SSL but beyond that I am not sure of what the best practices are for this kind of info.

Since I know email can be easily grabbed and would be unencrypted, I was thinking about storing the SSN in a DB in an encrypted format and requiring them to have a key on their end to unencrypt that info on screen only (i.e., the info doesn't travel through email).

Would love to hear thoughts here. I know it's generally a bad idea to ever have SSN in a form but people have to do it online for sites such as this... so there has to be a legal, reasonably safe way to do this.

Thanks for any input.

3:56 pm on Jun 30, 2011 (gmt 0)

WebmasterWorld Senior Member piatkow is a WebmasterWorld Top Contributor of All Time 5+ Year Member

As soon as you use the word "legal" there are two things that must be kept in mind:
1. We are not lawyers; for definitive legal advice you need to go to a professional in your own jurisdiction.
2. This is an international forum and privacy laws vary a lot. What is considered normal practice on one side of Niagara Falls could get you into serious trouble on the other.

4:47 pm on Jun 30, 2011 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Sometimes "no" is a perfectly valid answer, even if clients don't like it. You could follow PCI compliance rules as if it were CC info, and although you're **probably** going to be off the hook if the data is breached - it will be on the site owners - but in the grand scheme of the universe, do you want to take that karma on? I wouldn't.

I usually explain it in terms of the liabilities they are suggesting: in order to do anything like this you need secure hardware, networks, security audits, and consultations with lawyers to determine the breadth and depth of what they are getting into. Then I send a couple links - most lately, Sony and Groupon's India unit. Most of the time they will modify their plan to collecting non-sensitive info and collect that later over the phone or in person. Cheaper = safer. :-)

Your plan is a reasonable one but remember if the server gets hacked, they can find your decryption key (which is why the hardware and system security is so critical.)

5:07 pm on Jun 30, 2011 (gmt 0)

5+ Year Member

Good info. What we may end up doing is asking for all info BUT the SSN and they would have to supply that in person.
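
The "key on their end" design from this thread, sketched as an added example (not code from any poster): the web server holds only a public key and stores ciphertext, while the passphrase-protected private key stays on the staffing company's office machine, so a server breach does not expose a decryption key. It uses Node.js's built-in `crypto` module; the function names, key size and sample SSN are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not from the thread.
const crypto = require('node:crypto');

// RSA-OAEP with SHA-256: randomized, so equal SSNs give different ciphertexts.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Run once on the office workstation, never on the web server.
// Only publicKey is copied to the server; privateKey stays in the office.
function generateOfficeKeyPair(passphrase) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
}

// Web server side: validate, normalise, encrypt. The return value is what
// goes into the database column; the plaintext is never stored or emailed.
function sealSsn(publicKeyPem, rawSsn) {
  const digits = String(rawSsn).replace(/[\s-]/g, '');
  if (!/^\d{9}$/.test(digits)) {
    throw new Error('SSN must contain exactly 9 digits');
  }
  const ciphertext = crypto.publicEncrypt(
    { key: publicKeyPem, ...OAEP },
    Buffer.from(digits, 'utf8')
  );
  return ciphertext.toString('base64');
}

// Office side: decrypt one record for on-screen display only.
function openSsn(privateKeyPem, passphrase, sealedBase64) {
  const plaintext = crypto.privateDecrypt(
    { key: privateKeyPem, passphrase, ...OAEP },
    Buffer.from(sealedBase64, 'base64')
  );
  return plaintext.toString('utf8');
}

module.exports = { generateOfficeKeyPair, sealSsn, openSsn };
```

This protects records already stored; a compromised web server can still read SSNs at the moment they are submitted, which is why the hardware and system security mentioned above still matters.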