Welcome to WebmasterWorld Guest from 54.234.8.146

Forum Moderators: phranque

Message Too Old, No Replies

Collecting Sensitive Information

     

IntegrityWebDev

2:41 pm on Jun 30, 2011 (gmt 0)

5+ Year Member



I am working with a staffing company and they want an online application for their website, but they want to include sensitive info such as SSN#. I know I'd want to use SSL but beyond that I am not sure of what the best practices are for this kind of info.

Since I know email can be easily grabbed and would be unencrypted, I was thinking about storing the SSN in a DB in an encrypted format and requiring them to have a key on their end to unencrypt that info on screen only (ie, the info doesn't travel through email).

Would love to hear thoughts here. I know its generally a bad idea to ever have SSN in a form but people have to do it online for sites such as this....so there has to be a legal, reasonably safe way to do this.

Thanks for any input.

piatkow

3:56 pm on Jun 30, 2011 (gmt 0)

WebmasterWorld Senior Member piatkow is a WebmasterWorld Top Contributor of All Time 5+ Year Member



As soon as you use the word "legal" there are two things that must be kept in mind:
1. We are not lawyers, for definitive legal advice you need to go to a professional in your own jurisdiction.
2. This is an international forum and privacy laws vary a lot. What is considered normal practice on one side of Niagra Falls could get you into serious trouble on the other.

rocknbil

4:47 pm on Jun 30, 2011 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Sometimes "no" is a perfectly valid answer, even if clients don't like it. You could follow PCI compliance rules as if it were CC info, and although you're **probably** going to be off the hook if the data is breached - it will be on the site owners - but in the grand scheme of the universe, do you want to take that karma on? I wouldn't.

I usually explain it in terms of the liabilities they are suggesting: in order to do anything like this you need secure hardware, networks, security audits, and consultations with lawyers to determine the breadth and depth of what they are getting into. Then I send a couple links - most lately, Sony and Groupon's India unit. Most of the time they will modify their plan to collecting non-sensitive info and collect that later over the phone or in person. Cheaper = safer. :-)

Your plan is a reasonable one but remember if the server gets hacked, they can find your decryption key (which is why the hardware and system security is so critical.)

IntegrityWebDev

5:07 pm on Jun 30, 2011 (gmt 0)

5+ Year Member



Good info. What we may end up doing is asking for all info BUT the SSN and they would have to supply that in person.
 

Featured Threads

Hot Threads This Week

Hot Threads This Month