If I'm using an external bank data aggregation service to get user credit and banking transactions, but the external service itself is handling the process of collecting and managing banking credentials, I'm just storing lists of recent transactions and information like which accounts exist and their corresponding transactions, service tokens, banks or credit card companies, credit limits and so on, do I need PCI compliance? What security requirements are there for such an application?

1 Answer

If you’re not a merchant (i.e. you don't take payment cards) and you are not a service provider to merchants or banks, then there is probably no one who is contractually asking you to comply with PCI DSS -- and so the decision is yours. If you have payment card numbers (the 15/16 digit number in the middle of the card) then you may want to consider it as a good baseline. For another good baseline consider the CIS 20 critical controls.

Also - if you’re in the EU you need to be aware of the EBA's security RTS under PSD2, because it sounds like you may be providing Account Information services. However, if you are in the EU, once PSD2 comes into effect (13 Jan 2018) it specifically says that the account number is not 'sensitive data'.

– withoutfire
  • I'm looking to provide data to users on how they spend their money as a service. I have no intention of storing any financial information, short of the transactions themselves, and some non-security-related details about their bank/credit card company such as account name, balance, overdraft status, credit limit, etc. – TheEnvironmentalist Aug 28 '17 at 19:10
  • Then you do not need to comply with PCI DSS. If you are in the EU after 13 Jan 2018 you do need to comply with PSD2 because you are an AISP. – withoutfire Aug 29 '17 at 20:54