Question

Background:

I work for an NPO which receives large numbers of paper check donations every week. The current process of recording the donations is tedious and done mostly on paper. Because most donations come from regular donors, we assign unique donor IDs, which makes it easier to generate end-of-year contribution reports (which our donors can use for tax purposes). However, most of our donors don't write their donor ID on their checks, which forces us to look up each donor ID manually.

To help streamline this process, I'm developing a small C# desktop app for internal office use. One of the features I'd like to provide is a quick lookup of donor IDs. A possible implementation could be to use a MICR reader to scan the checks, which would yield the donor's ABA routing and account number. I don't actually need that info for our records, but it could be used to do a quick lookup of the donor's ID. The routing and account number could be concatenated, hashed with something like SHA-512, then stored in a table which associates these hashes with donor IDs.

Question:

Would these one-way hashed routing/account numbers be considered PCI data, and therefore require PCI DSS compliance for our office?

NOTE: For reasons irrelevant to this post, we can't convert these checks to EFTs - which would be my personal preference.


The solution

Bank Account Information

I suggest you read this question, which discusses this subject: Storing account numbers and sort codes online

In short, when storing account details PCI does not apply; it only applies to payment cards. However, the standard still offers one of the most accepted standards for storing secure data; so PCI is a useful point of reference for good practice.

I suggest that you review the PCI standard and implement all relevant recommendations. However, as you are not handling payment cards, there is no legal requirement to comply.

PCI Data

The relevant section of the standard begins on page 7 of PCI DSS v3.1. This identifies the data that is considered sensitive.

Intent

It is worth noting that the PCI scheme organisers made the applicability of the scheme as universal as possible; this was deliberate. So the simple answer is, if you handle sensitive cardholder or authentication data, then the scheme applies to you.

The intent behind the scheme is to provide a base-level of protection for sensitive cardholder/authentication data wherever it exists. For this reason it should not be too costly to implement the scheme in any case.

Then again, schemes such as this aren't always as simple as they are supposed to be.

Specifics

The hashed storage of the information is simply part of compliance with the scheme, not a means to avoiding compliance. Hashed data storage can be a means of complying with the data storage requirements (see table below).

(Image: Account Data PCI Compliance table)

However, compliance with the rest of the scheme (e.g. network topology, PC security, etc.) is not dependent upon how the information is stored.
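The lookup scheme described in the question (hash the routing and account number, store the hash next to the donor ID) as an added C# example; this is not code from the question, the answer, or the asker's application. It assumes .NET 6 or later, that the secret key is supplied through an environment variable named DONOR_LOOKUP_HMAC_KEY (an assumed name), and that an in-memory dictionary stands in for the real donor table. It goes one step beyond the question's plain SHA-512: routing numbers are public and account numbers are short decimal strings, so an unkeyed hash of the pair can be brute-forced by anyone who copies the table; a keyed hash (HMAC-SHA512) with the key held outside the data store removes that weakness while keeping the "store only a one-way value" property the answer refers to.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original question or answer.
// Assumptions: .NET 6+, the secret key is read from the DONOR_LOOKUP_HMAC_KEY
// environment variable (hex-encoded), and the dictionary stands in for the
// donor table in the real database.
public static class DonorLookup
{
    // Stand-in for the database table: lookup key -> donor ID.
    private static readonly Dictionary<string, int> Table = new();

    // Secret key for the keyed hash, kept outside the data store. Someone who
    // obtains the table but not the key cannot enumerate routing/account pairs
    // against it, which a plain unkeyed SHA-512 table would allow.
    private static readonly byte[] Key = LoadKey();

    private static byte[] LoadKey()
    {
        string hex = Environment.GetEnvironmentVariable("DONOR_LOOKUP_HMAC_KEY");
        if (string.IsNullOrEmpty(hex))
            throw new InvalidOperationException("DONOR_LOOKUP_HMAC_KEY is not set");
        return Convert.FromHexString(hex);
    }

    // One-time setup helper: 64 random bytes, hex-encoded, for the secret store.
    public static string GenerateKeyHex() =>
        Convert.ToHexString(RandomNumberGenerator.GetBytes(64));

    // MICR readers emit spaces, dashes and symbol characters; keep digits only
    // so the same account always produces the same lookup key.
    public static string Normalize(string s)
    {
        var sb = new StringBuilder(s.Length);
        foreach (char c in s)
            if (char.IsDigit(c)) sb.Append(c);
        return sb.ToString();
    }

    // Lookup key = HMAC-SHA512(key, routing + "|" + account), hex-encoded.
    // The separator avoids ambiguity between pairs such as ("12","345") and ("123","45").
    public static string LookupKey(string routing, string account)
    {
        string canonical = Normalize(routing) + "|" + Normalize(account);
        byte[] mac = HMACSHA512.HashData(Key, Encoding.ASCII.GetBytes(canonical));
        return Convert.ToHexString(mac);
    }

    // Called once when a donor ID is first linked to a check. Only the key is
    // stored; the raw routing/account values are not retained anywhere.
    public static void Register(string routing, string account, int donorId) =>
        Table[LookupKey(routing, account)] = donorId;

    public static bool TryFindDonor(string routing, string account, out int donorId) =>
        Table.TryGetValue(LookupKey(routing, account), out donorId);

    public static void Main()
    {
        // Constructed sample values, not real bank data.
        Register("123456789", "1234 5678 90", 4711);

        // The same account read again with different MICR spacing and a dash
        // still resolves, because Normalize() canonicalises the input first.
        if (TryFindDonor("123456789", "12-3456-7890", out int id))
            Console.WriteLine($"Donor ID: {id}");
        else
            Console.WriteLine("No donor on file");

        // An unknown account simply misses; nothing about stored keys is revealed.
        Console.WriteLine(TryFindDonor("123456789", "0000000000", out _));
    }
}
```

Generate the key once with GenerateKeyHex(), keep it in the office's secret store rather than in the same database as the table, and back it up separately: if the key is lost, every stored lookup key becomes unusable and donors would have to be re-linked from scratch.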

Licensed under: CC-BY-SA with attribution