
The company I work for is looking to build an online store for wholesalers (t-shirts, mugs, office co-branded supplies, etc.), but we don't store, process or transmit any card data. The process is as follows: the user comes to our website, adds the products to the cart, and after this our bank account number is displayed; I get a notification and the user makes a transfer directly to the bank.

What security issues, PCI concerns should I worry about?

SilverlightFox
Alan
  • If you're doing ACH transfers to complete the sale, there is no PCI requirement, though posting your account number to the whole Internet may have its own security implications. – HashHazard Sep 21 '16 at 18:45
  • Normally with "outsourced" card processing (like PayPal) the burden of PCI goes away completely but you might want to rework your question to state what this outsourced system does. Surely you don't just show your account number to the user and wait for money to show up. – Jeff Meden Sep 21 '16 at 18:49
  • Thank you @jeff-meden. When I say that the store is outsourced I mean that the website is hosted with a third-party vendor, not inside our office. So basically the store is hosted with our ISP. So when you do your checkout you have 2 options to pay, via PayPal or a transfer. When you choose the Transfer option our account number automatically appears and the user pays via transfer. This is a store with a few customers with recurring orders, to make their process easier, not open to everyone. Regarding the display of the account number, what security implications or controls can I implement? Thanks – Alan Sep 21 '16 at 21:51
  • Publishing your account number is probably ok but beware of [this](https://www.theguardian.com/money/2008/jan/07/personalfinancenews.scamsandfraud) – paj28 Sep 22 '16 at 10:38
  • I would at the least talk to your bank about setting up an incoming-only account and use that account number. They should be able to restrict it to only allow inbound transfers. You will want the ability to scrutinize those transactions so you can verify when payments have or haven't been made, so a different account entirely for this purpose is probably warranted. – Jeff Meden Sep 22 '16 at 12:42

1 Answer


PCI DSS is for handling card data

Payment Card Industry Data Security Standard is, as the name states, a standard for handling payment card data. Compliance with PCI DSS is generally a contractual requirement, as a condition in your agreement for accepting credit card payments - if you don't have such an agreement, you're not required to comply.

The confidentiality of account numbers depends on your location. For example, it is rather common EU practice to display your IBAN account number to anyone interested (e.g. in the Contacts section of your webpage), but as far as I understand, in the USA that might expose you to certain types of fraud, so you might want to hand out that number only to actual customers that need to pay.

Peteris