Save banking account data secure

StackOverflow https://stackoverflow.com/questions/9001185

Question

I need to save banking account data in a web project. The project is asp.net mvc 3 and the database is MSSQL 2008 R2.

But how should I do that secure?

My solutions are:

  1. Solution: Encrypt the Data with TripleDESCryptoServiceProvider and save them to the Database.

  2. Solution: Save only maybe the last 3 numbers of the account data (like amazon shows you), so that the user will recognize which account data he has saved to the system. Encrypt the entire account data and save them to a different database (maybe with a stored procedure) where the web project has no rights to.

We only need the account data, collect the monthly fees. So we do not need them in the web project. But the user has to recognise which account data he has given to pay the fees.

What are the best solutions?

EDIT:

Thank you all for your replies. I Think we will really use a service provider, that will store the account data and does all the other stuff like Accounts receivable management.

Was it helpful?

Solution

Actually, leading on from my comment - your best bet might be to talk to your payment gateway. A lot of them operate a token system to allow people to collect regular payments without needing to store card details. User enters details once, they get stored at payment gateway, you get back a token, which you can then re-use to perform a repeat payment.

Given that scenario, you could then store just the last 4 digits of the card number: that should be enough for a user to recognise their card again if needed.

They're probably also a good first point of call for information relating to security and storage methods.

OTHER TIPS

I suppose it boils down to who needs to access your bank numbers after you have saved them.

If they are saved by your web app and then read by another private application my recommendation would be to encrypt the results in the site with a public key and only have the private decryption key avaliable in your other application. This means that even if your db is compromised they will also need your private key to access the data. Store this somewhere else.

As others have said the best solution is to avoid storing the data at all if possible

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top