Client wants to store scanned checks on his publicly accessible server that is NOT PCI compliant.

I told him it's a bad idea.

I need to present him with the laws / FTC guidelines / government regulations that specifically outline the requirements for storing scanned checks or else find the portion of the PCI DSS specifications that says: "This means for checks too."

Does anyone know what that is?

Googling it only shows me millions of results about scanning checks for mobile deposit...

DrDamnit

  • PCI DSS != checks. Why do you think that checks require the same protections as a payment card? – schroeder Apr 06 '17 at 06:47
  • I know PCI DSS != checks. Check fraud is a real thing. Checks contain a routing number and account number, which can be used to debit an account and get cash, which is NOT protected like fraudulent card charges are. Cash gone? Too bad, so sad. Most banks won't give it back to you. Why not use the highest standard to protect bank account information you can find? Just because they may have a lower standard of required protection, does not mean we should just do the minimum required. – DrDamnit Apr 06 '17 at 10:34
  • But that's not what you asked... You asked about established guidelines, not the "best level of protection we can provide". – schroeder Apr 06 '17 at 11:02
  • Fair. I accept your point about not being clear in my OP. However, since this is infosec, I assumed "best level of protection we can provide" would be assumed as part of the answer. – DrDamnit Apr 07 '17 at 11:19

1 Answer

You can't find anything about PCI for checks, because it doesn't cover them. PCI stands for "Payment Card Industry" - aka, credit cards (and debit cards with a card brand logo). The PCI Council (which sets the standards) couldn't care less about securing any other form of payment (cash, checks, money orders, etc). Even credit-card-like systems (gift cards, store-issued charge cards, etc) aren't officially covered, even if they have a magstripe.

That said, it's good practice to follow PCI standards for other forms of payment, since they're designed for security. If you accidentally leak your customers' payment information, who do you think they're going to blame?

Instead of PCI, the ACH industry is covered by the NACHA Operating Rules, which you can also find summarized here. From what I can tell, the relevant sections are 1.6 (Security Requirements) and 1.7 (Secure Transmission of ACH Information via Unsecured Electronic Networks). Together, they comprise less than one page of text. I can't copy them here, but 1.6 basically says "You have to have policies in place to protect this data." without specifying any specific requirements.

All in all, the client's request may be perfectly valid in a way that it wouldn't be for card data. It doesn't make it a good idea, but it's valid.

Bobson