
I've looked at a number of question/answer threads and docs about PCI compliance, including various results on Google and have not found a definitive answer to this question:

Does a web app fall under PCI compliance rules/regs if it collects the bank account-routing number combination via a web form and passes it along to a 3rd party for persistence/validation (assuming that it also logs the web requests in transit)?

zealoushacker
    If all you are doing is storing the routing number, that information is public; the banks provide this information on their own. If you are storing the user's bank account number then you should treat it as PII, because the only information required to make a withdrawal is the checking account number and the routing number. The fact you are asking this question means you have no business collecting this information because YOU WILL store it in an insecure way, because you're asking if it falls under these compliance rules. – Ramhound Jul 10 '12 at 12:14
    DO NOT collect this information, DO NOT store this information in plain text, otherwise the information WILL be leaked eventually and every single one of those accounts will be at risk. – Ramhound Jul 10 '12 at 12:15

2 Answers


Since PCI stands for Payment Card Industry, the short answer is no.

However, that information is sensitive, so you should treat it like any other sensitive data and store and transmit it in a secure, encrypted form.

PCI is a great baseline for dealing with any secure data so it certainly wouldn't hurt to treat it the same.

mjallday

First off - thanks for asking the question. Second, the respondent that stated it's PII and should be protected is accurate.

At a minimum I'd employ field-level encryption, along with an N-tiered architecture for an app on a site managing this - or consider outsourcing payment management to a third party, avoiding many issues.

We manage payments for a few hundred thousand transactions a month and we don't touch credit cards in house (small number for us); we use PCI-like controls on checking within the limitations of our finance software and leverage field-level encryption of account numbers Active Shooter - location = a mitigation.

Isaac
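Both answers recommend encrypting the account number at the field level, and the question itself notes that the app logs the web requests in transit, which would otherwise leave a second, plaintext copy of the bank details on disk. The following is an added Go example, not code from either answer or from any project mentioned on the page, showing both halves of that advice: AES-256-GCM field encryption with the record id bound as associated data, and redaction of the account/routing fields before a request line is logged. The form field names `routing_number` and `account_number`, the record ids, and all sample values are constructed for the example, and the key is assumed to come from a KMS or secrets manager rather than the application database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// FieldEncryptor wraps one AES-256-GCM key dedicated to the account-number field.
// The key is assumed to be fetched from a KMS/HSM or secrets manager at startup,
// never stored beside the ciphertext it protects.
type FieldEncryptor struct {
	aead cipher.AEAD
}

// NewFieldEncryptor builds the AEAD from a 32-byte key and rejects anything else.
func NewFieldEncryptor(key []byte) (*FieldEncryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("field key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldEncryptor{aead: aead}, nil
}

// Encrypt seals one field value under a fresh random nonce. recordID is bound as
// associated data, so a ciphertext copied into another customer's row fails to open.
func (f *FieldEncryptor) Encrypt(recordID, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Nonce is prepended to the ciphertext; GCM's tag is appended by Seal.
	sealed := f.aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt; any tampering or a wrong recordID yields an error.
func (f *FieldEncryptor) Decrypt(recordID, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	plain, err := f.aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// sensitiveField matches the hypothetical form field names used in this example.
var sensitiveField = regexp.MustCompile(`(routing_number|account_number)=(\d+)`)

// RedactLogLine masks all but the last four digits of each matched field so the
// request log never becomes an unencrypted copy of the bank details.
func RedactLogLine(line string) string {
	return sensitiveField.ReplaceAllStringFunc(line, func(m string) string {
		sub := sensitiveField.FindStringSubmatch(m)
		digits := sub[2]
		if len(digits) > 4 {
			digits = digits[len(digits)-4:]
		}
		return sub[1] + "=***" + digits
	})
}

func main() {
	// Constructed demo key; a real deployment fetches this from a KMS at startup.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fe, err := NewFieldEncryptor(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample values, not real bank details.
	ct, _ := fe.Encrypt("customer-42", "987654321")
	pt, _ := fe.Decrypt("customer-42", ct)
	fmt.Println("stored:", ct)
	fmt.Println("recovered:", pt)
	if _, err := fe.Decrypt("customer-43", ct); err != nil {
		fmt.Println("ciphertext moved to another record:", err)
	}
	fmt.Println(RedactLogLine("POST /ach routing_number=012345678 account_number=987654321"))
}
```

The redaction runs on the log line before it is written, not on stored data, so it complements rather than replaces the field encryption; the last four digits are kept only because support staff typically need them to match a customer's record.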