
I want to build a service that collects user spending history with their permission. Users would send over (banking, credit card) account statements and I would extract, store the following information:

  • Date
  • Description of transaction
  • Amount
  • Account balance

Unfortunately, I noticed that credit card statements also contain the following information:

  • The person's name
  • The credit card number
  • The banking institution's phone number

I do not store the latter information but it does travel through my system. If anyone were to gain access to the server that extracts this information, they could retain a copy.

I have the following questions:

  • Is there a way to collect the desired information without risking the person's personal information?
  • Can someone spend the user's money with this information? (If so, how?)
  • Does my service have to be PCI-compliant? I am processing information that contains the user's credit card number but (1) The client willingly handed it to me (2) I am not extracting this number (3) I am not a credit card company, a merchant, nor their supplier (4) I did not sign a PCI contract, nor do I believe I will have to do so.
  • As far as I can tell, users are not liable for unauthorized spending on their credit card and banking accounts so long as they do not give out their password (which they are not). In the case of unauthorized spending, is the user or my service liable for any lost funds?
Gili
  • This question needs specifics about jurisdiction; laws regarding credit cards and financial data are sufficiently different to make a difference here. E.g. if it's EU, then GDPR would become relevant. – Peteris Aug 08 '19 at 11:40
  • ...Do the credit card statements actually contain the full number? Virtually everything I've seen in the last few years only has the last 4, which aren't considered secure. – Clockwork-Muse Aug 08 '19 at 18:52
  • @Clockwork-Muse Sadly, my credit card statements contain the full number. – Gili Aug 08 '19 at 20:08
  • @Gili - Could you just not even upload the data? How is it getting uploaded? If this is manual entry, for example, could you just truncate all but the last four digits of the card? – Clockwork-Muse Aug 08 '19 at 20:25
  • @Clockwork-Muse There is too much data to enter manually. Users send me PDF files containing their account statement. I already plan to strip away privacy-sensitive information the second I receive it, but there is no guarantee that someone won't hijack the server and get at the information before I strip it out. Even if I were able to do this in the browser, someone could still use XSS and other browser exploits to get at this information. The minute the user hands over this data, they are at risk. Period. I'm trying to act in good faith but I honestly can't think of a better way to do this. – Gili Aug 09 '19 at 01:32
  • I think you have two options: 1) Continue with your pdf-stripping approach, but behave in a way that meets industry standards, which ensures there's a clear path of liability (probably the *main* reason non-merchant vendors handling card data choose to follow DSS). 2) Partner with card issuers to obtain the transactional data directly from them, delivered in a manner that removes the risk altogether (which is what many existing vendors implementing the specific functions you're describing do). – dwizum Aug 09 '19 at 12:33
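As an added illustration of the stripping step the question describes (this is not code from the question or from any answer): the full card number is Luhn-checked and masked, the labelled identity lines are dropped, and only date, description, amount and balance are kept, all before anything is persisted. The statement text, the field labels and the column layout are constructed assumptions about what a PDF text extractor would yield.

```python
import re
from decimal import Decimal
# Constructed sample of text as extracted from a statement PDF (not a real statement);
# the card number is the public Luhn-valid test number 4539 1488 0343 6467.
SAMPLE_STATEMENT = """\
Cardholder: Jane Example
Account Number: 4539 1488 0343 6467
Customer service: 1-800-555-0199
Date        Description                 Amount     Balance
2019-07-02  GROCERY MART #12            -54.20     1204.55
2019-07-05  PAYMENT - THANK YOU         300.00     1504.55
"""
# Header lines carrying identity data the service never needs; dropped whole (assumed labels).
SENSITIVE_LABELS = ("Cardholder:", "Account Number:", "Customer service:")
# 13-19 digits, optionally split by spaces or hyphens, as PANs are printed on statements.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
TRANSACTION_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(.+?)\s+(-?\d+\.\d{2})\s+(-?\d+\.\d{2})$")

def luhn_valid(digits: str) -> bool:
    """Luhn check: true for real PANs, false for most other digit runs (phones, refs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_pans(text: str) -> str:
    """Mask every Luhn-valid card number, keeping only the last four digits."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # not a card number (e.g. a reference number); leave it
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(mask, text)

def extract_transactions(text: str) -> list[dict]:
    """Keep only date, description, amount and balance from the transaction table."""
    rows = []
    for line in text.splitlines():
        m = TRANSACTION_LINE.match(line.strip())
        if m:
            rows.append({"date": m.group(1), "description": m.group(2),
                         "amount": Decimal(m.group(3)), "balance": Decimal(m.group(4))})
    return rows

def sanitize_statement(text: str) -> tuple[str, list[dict]]:
    """Redact PANs and drop labelled identity lines before anything is persisted."""
    kept = [ln for ln in redact_pans(text).splitlines()
            if not ln.startswith(SENSITIVE_LABELS)]
    clean = "\n".join(kept)
    return clean, extract_transactions(clean)
```

Running this on the uploaded text as the first step leaves the full card number in memory only between receipt and sanitization, which is exactly the residual window the question itself identifies.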

4 Answers


Is there a way to collect the desired information without risking the person's personal information?

This varies entirely on how you plan on pulling the data, and even down to the user's specific bank.

Can someone spend the user's money with this information? (If so, how?)

Some places, a card number and name may be all they need to initiate a charge. Most places will require the CVV and expiration date. It wouldn't be hard to social engineer the missing data if you have 75% of what you need.

Does my service have to be PCI-compliant? I am processing information that contains the user's credit card number but (1) I am not a merchant (I don't spend the user's money) (2) As far as I know, I did not sign any agreement requiring me to be PCI compliant.

By doing anything at all regarding PCI information, you are required to be PCI compliant, be it via the bank or via the user's credit card company. Should a breach or audit occur, you'd be in lawsuit city for not being PCI compliant.

As far as I can tell, users are not liable for unauthorized spending on their credit card and banking accounts so long as they do not give out their password (which they are not). In the case of unauthorized spending, is the user or my service liable for any lost funds?

No, but you potentially would.

Ghawblin
  • Thank you for the detailed answer. Would the same apply with respect to banking statements? In that context, I have a person's bank account number but (as far as I know) you can't spend money with that. – Gili Aug 07 '19 at 16:57
  • That's a good question. Bank information is still sensitive data; while you can't use a bank account on a retail store or site, you can use bank account information to sign up for services, though again, there's a lot of other information to obtain too. Some bank statements contain DOB, name, address, etc. Any two of those with a bank account number and you could do serious damage either via identity theft, or by unauthorized money transfer. – Ghawblin Aug 07 '19 at 18:49
  • Looking at https://security.stackexchange.com/a/5845/5002 I seriously doubt I am affected by PCI-DSS. Given that (1) PCI is a contract between credit card companies, merchants, and their suppliers and (2) I am not one of these parties so I am not obligated to sign a PCI contract (3) The client willingly hands me this information in the same way they hand this information to a web browser. Therefore I conclude there is nothing that credit cards can sue me for. I did not breach any signed contract nor did I knowingly steal or assist in theft of their property. Am I missing anything? – Gili Aug 07 '19 at 22:56

Does my service have to be PCI-compliant?

I'm only qualified to answer this one part of your question.

As you correctly identify, compliance with PCI DSS is enforced through a contract, typically between a merchant and a bank, or a service provider and the entity they provide services to. If no one has required you to comply with PCI DSS in a contract, you have no compliance obligation.

However, many data protection laws (e.g. GDPR) require organisations to take "appropriate technical and organisational measures" to protect personal data. Regulators (for example the UK's Information Commissioner's Office) have stated previously that organisations processing payment card data should use PCI DSS, or an equivalent, as a benchmark standard.

As far as I can tell, users are not liable for unauthorized spending on their credit card and banking accounts so long as they do not give out their password (which they are not). In the case of unauthorized spending, is the user or my service liable for any lost funds?

That's a question that is best answered by a lawyer. So this is just my opinion. I'd hazard a guess that a user would have a right of action against you. However, I suggest that the damage to your service's reputation in the event that it was perceived you had caused a user a loss would be a concern.

Given that the data in a bank or credit card statement can reveal masses of insight into a person, the risk associated with processing and storing this data should not be underestimated. In the EU you'd most probably need to be regulated (see PSD2, AISPs) to provide this service. Such a store of information will be attractive to a criminal, so threat modelling and risk management will be needed.

withoutfire
  • *you have no compliance obligation* not sure that's 100% true. Many states have laws that effectively mandate PCI compliance for **any** entity that stores or processes card data: https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard#Mandated_compliance – dwizum Aug 08 '19 at 13:50
  • Further, the PCI's own website has a guide that broadly states DSS applies to any entity that stores or processes card data (see page 5): https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf of course, there's still an argument of how it would be enforced, but I don't think it's accurate to just state it doesn't apply because there isn't a contract saying it does. – dwizum Aug 08 '19 at 13:51
  • @dwizum I am not surprised that an entity with a vested interest in the propagation of PCI-DSS claims that it applies everywhere. As far as I can tell, only two things can bring about this obligation: government law or contractual obligation. – Gili Aug 08 '19 at 20:16
  • Anyone with a credit card should have a "vested interest" in there being some universal standard to securing credit card data. Personally, I would be very reluctant to turn over statements to a vendor who had no interest in complying with industry standards. You may not be under contract in a way that forces PCI compliance but I would be very cautious about the assumption you make in your last bullet. If someone gives you a credit card number, and it gets stolen from your system, do you expect the issuing bank to just eat the loss? – dwizum Aug 08 '19 at 20:23
  • @dwizum Why would borrowers have a vested interest in securing these funds when (1) they are not liable for unauthorized spending (2) the card provider avoids reasonable security measures (2FA) in order to encourage impulse spending. I don't condone credit card theft but I find it disheartening that neither the providers nor card holders have enough vested interest to improve credit card security. PCI-DSS is great for securing credit card numbers, but I question its necessity if credit cards were to require 2FA. – Gili Aug 09 '19 at 02:10

You asked many questions:

Is there a way to collect the desired information without risking the person's personal information?

Yes, but it's a different technical model than you're describing. Many card issuers participate in programs with 3rd party vendors designed to facilitate those third parties storing transactional data in order to help their customers do budgeting and track spending. Some card issuers use similar interfaces to participate in third party rewards programs or rewards networks.

Generally, these partnerships rely on an API between the vendor and card issuer, where the issuer is delivering transaction data in a manner that does not expose anything that could directly be used for unauthorized purchases (i.e. the card number). Of course, there needs to be some key between the systems, but it's generally a key implemented solely for this sort of interface, which can't directly be used for fraudulent purposes (i.e. an account number, member number, customer number, etc).

This model does still "risk personal information" in the sense that details considered personal are changing hands, but it has the advantage of not directly risking fraudulent transactions against someone's credit card. This reduces the risk level for the third party.

Can someone spend the user's money with this information? (If so, how?)

Probably, yes. But it will require a bit of sophistication. The CVV is supposed to stop this sort of fraud, but there are loopholes where it's possible to defeat that (making certain payment types via certain processors, a distributed attack to guess the CVV, or using a stolen/hacked terminal).

Does my service have to be PCI-compliant? I am processing information that contains the user's credit card number but (1) The client willingly handed it to me (2) I am not extracting this number (3) I am not a credit card company, a merchant, nor their supplier (4) I did not sign a PCI contract, nor do I believe I will have to do so.

As far as I can tell, users are not liable for unauthorized spending on their credit card and banking accounts so long as they do not give out their password (which they are not). In the case of unauthorized spending, is the user or my service liable for any lost funds?

I'm not sure what password you're referring to, but I don't think it's appropriate to make broad statements about who would be liable, without knowing the protections and compliance efforts you've put into place and the details of a specific attack or breach. Imagine if your users handed over their statements, and you just stored all those pdfs in plain text on a wide open server - then, imagine someone stole them all. Clearly, you would be liable. Of course, hopefully no one providing the types of services you're talking about would be that careless. But, as an extreme example, it should illustrate that we can't make broad statements about whether or not you or the customer would or would not be liable for any fraud.

You should ask your lawyer to clarify responsibility in the case of a breach for you. Keep in mind though, if there is ever a breach on your system, being PCI-DSS compliant can significantly change the outcome of the legal battle that will ensue - following the same set of standards as everyone else in your industry is a good starting point to protecting yourself from liability.

It's also important to note that unauthorized transactions are just one of many risks of storing information related to credit cards or personal finance. Generally, if an attacker gains enough information about an individual's personal details and financial data, they don't need the actual credit card number, because they can execute other attacks - call the bank, pretend to be the customer, and ask for a new card to be issued, then swipe it from the mailbox. Or change some detail on the account. Having someone's entire credit card statement history is a good start towards supporting one of these indirect attacks.

dwizum
  • Reasonable answers. Thank you. I have a few follow-up questions: (1) Your answer only touches upon credit card providers. What about bank account statements? As far as I can tell, they contain a person's name, address and account number but one cannot spend money with the account number. (2) Looking at https://developer.mastercard.com/apis there doesn't seem to be a way to retrieve a person's credit card transactions. Can you link to the 3rd-party programs you were talking about that facilitate "third parties storing transactional data"? – Gili Aug 09 '19 at 15:36

Credit card numbers are property of Visa, MasterCard, American Express and other issuers, so you cannot store them without abiding by their rules even if you are not a merchant. If the card number passes in clear text through your system you will have to comply with their requirements. You are not forced to, but if you have a breach you will not be able to prove that you exercised due diligence in protecting all the data if you do not follow their requirements. I think the same is valid for the private data.

I am no expert, but I think in your case it is a risk management issue that you need to validate in order to understand what is best for your business.

Hugo
  • I don't think that what you wrote is strictly correct. Credit card providers cannot "own" numbers any more than they can "own" letters of the alphabet. Anyone can store numbers without their permission so long as they do not suffer damages. If someone is responsible for unauthorized spending on their cards they gain the legal right to sue that person or anyone who aided that person (intentionally or otherwise) for damages. I don't think there is anything illegal about storing numbers however you see fit, so long as unauthorized spending does not occur. – Gili Aug 09 '19 at 01:48
  • The number is based on an algorithm that is their intellectual property. That is why a credit card number can be identified and differentiated from a random set of numbers. – Hugo Aug 15 '19 at 13:31
  • You can have more information here. If you store their numbers as payment information and not just numbers, you might get hit by them sooner or later. In the explained case it is clear that they are being used as credit card numbers and not as numbers. Here is the patent https://patents.patsnap.com/v/US10147087-primary-account-number-pan-length-issuer-identifier-in-payment-account-number-data-field-of-a-transaction-authorization-request-message.html – Hugo Aug 15 '19 at 13:54
  • Probably this link is better as it has all patents from credit card companies and related with credit cards. https://patents.justia.com/patents-by-us-classification/283/904?page=6 – Hugo Aug 15 '19 at 14:15
  • I'm pretty sure this patent only applies if you file a charge against a credit card. I am just scanning documents for any text showing up after the word "Account Number" and stripping it out. I don't use any intellectual property to process this text. It is a black box to me. Alternatively, if I extract text from a document that contains account numbers but I don't explicitly look for (and extract) said numbers then again this is an opaque token to me. I don't explicitly look for or process it. – Gili Aug 16 '19 at 14:33
  • Well, in the end if nothing happens they will never know you are storing the numbers; if you have a leak and they discover that you are storing them without having the environment certified then you will have problems for sure, as it is a question of money and someone will have to pay for the damage. In the end I would play it safe and, even if not PCI compliant, I would follow the requirements for storing the numbers according to the standard. – Hugo Aug 30 '19 at 15:11