5

So I have this website in which I will ask users to input the following banking information.

  1. Bank account holder name:
  2. Bank account number:
  3. 9 digit routing number:

I need this information from users to pay them by check. And it's necessary for me to store it on my server (I'm using Apache) and display it to admin only.

I've very very limited knowledge of security and encryption.

Please tell me how to make this secure, as this isn't sufficiently encrypted. Maybe there should be additional password protection on the page where this info is displayed?

Oh, and do PCI standards apply to banking info as well, or just credit card info? If they apply to banking info too then I need to make sure I follow requirements #3 and #4, correct?

Here is the technology I'm using:

Server: Apache

CMS: Drupal

Frameworks: PHP

Please help!

user19763
  • 69
  • 1
  • 1
  • 2

2 Answers

7

You aren't in scope of PCI for having bank account numbers. You might face other regulatory requirements including general data protection issues depending on your region and business type.

That said, many of the PCI requirements make for good guidelines when you are designing and operating an application that handles sensitive data.

So, from the viewpoint of app architecture, you might consider issues like:

  • putting the database on a separate server, potentially with network boundaries between them
  • encrypting the data, using a key that isn't stored in the same place as the data; potentially, tokenisation (even if manual)
  • separating the admin interface from anything accessed by a wider userbase, potentially on a different server, and enforcing access restrictions in a reliable way (eg firewall rules)

and so on. The aim is to ensure that a compromise of a widely-available interface (eg the public web site) doesn't spread to give full access to the sensitive data in the database.

bobince
  • 12,494
  • 1
  • 26
  • 42
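The following is an added example, not code from the question or from either answer. It shows two of the points in the answer above applied to the asker's PHP stack: the bank details are encrypted with a key that lives outside the database (a file outside the web root, readable only by the PHP process user), and the record is tokenised so the public-facing application database holds only an opaque token and a masked account number for the admin listing, while the ciphertext sits in a separate vault table. Assumptions: PHP 7.2 or later with the sodium extension, the key path, the table names, the two PDO handles, the 4 to 17 digit account-number format, and the ABA check-digit rule used to validate the routing number.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answers above.
// Key file lives outside the web root (path is an assumption), mode 0400,
// owned by the PHP process user. The key is never stored in the database.
const BANK_KEY_PATH = '/etc/myapp/bank.key';

// One-time setup, run from the CLI by an administrator, never from a web request.
function generateKeyFile(string $path): void
{
    $key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
    file_put_contents($path, $key);
    chmod($path, 0400);
}

function loadKey(string $path = BANK_KEY_PATH): string
{
    $key = file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
        throw new RuntimeException('bank data key missing or malformed');
    }
    return $key;
}

// US routing numbers are nine digits with an ABA check digit:
// 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be divisible by 10.
function isValidRoutingNumber(string $rtn): bool
{
    if (!preg_match('/^\d{9}$/', $rtn)) {
        return false;
    }
    $d = array_map('intval', str_split($rtn));
    $sum = 3 * ($d[0] + $d[3] + $d[6]) + 7 * ($d[1] + $d[4] + $d[7]) + ($d[2] + $d[5] + $d[8]);
    return $sum % 10 === 0;
}

// Encrypt the sensitive fields with an AEAD cipher. A fresh random nonce is
// generated per record and stored beside the ciphertext; the token is bound as
// associated data, so a ciphertext copied onto another payee's row will not decrypt.
function sealBankDetails(string $token, string $accountNumber, string $routingNumber, string $key): array
{
    // Account-number length range is an assumption; adjust to the banks you pay.
    if (!isValidRoutingNumber($routingNumber) || !preg_match('/^\d{4,17}$/', $accountNumber)) {
        throw new InvalidArgumentException('invalid bank details');
    }
    $nonce  = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $plain  = json_encode(['account' => $accountNumber, 'routing' => $routingNumber]);
    $cipher = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plain, $token, $nonce, $key);
    sodium_memzero($plain);
    return ['nonce' => $nonce, 'cipher' => $cipher];
}

// Decrypt for the admin view only. Authentication failure means the stored
// row was altered or moved, which should be logged and investigated, not displayed.
function openBankDetails(string $token, string $nonce, string $cipher, string $key): array
{
    $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($cipher, $token, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('bank details failed authentication; possible tampering');
    }
    $data = json_decode($plain, true);
    sodium_memzero($plain);
    return $data;
}

// Tokenised storage: the application database never sees the account or
// routing number, only a token and a masked value for the admin listing.
function storePayee(PDO $appDb, PDO $vaultDb, int $userId, string $holder, string $account, string $routing): string
{
    $token  = bin2hex(random_bytes(16));
    $sealed = sealBankDetails($token, $account, $routing, loadKey());

    // Vault table, ideally on a separate host reachable only from the admin tier.
    $vaultDb->prepare('INSERT INTO bank_vault (token, nonce, cipher) VALUES (?, ?, ?)')
            ->execute([$token, $sealed['nonce'], $sealed['cipher']]);

    // Application table: holder name, token and last four digits only.
    $masked = '****' . substr($account, -4);
    $appDb->prepare('INSERT INTO payee (user_id, holder_name, token, account_masked) VALUES (?, ?, ?, ?)')
          ->execute([$userId, $holder, $token, $masked]);

    return $token;
}
```

With this split, a SQL injection or file read against the public site yields tokens and masked numbers but no account details, and even a full copy of the vault table is useless without the key file, which is why the key must not be in the same backup or on the same host as the data. Wrap the admin decrypt call in whatever permission check the CMS provides, and log each decryption with the admin's identity so that access to full account numbers is auditable.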
6

I've very very limited knowledge of security and encryption.

Then you shouldn't attempt to store banking information yourself. This is similar to not knowing much about medicine but attempting to do surgery.

Hire a security expert to develop (or deploy an existing) safe system for you, or hire a third party to do your payment/payout processing. If you are questioning whether what you are doing is compliant with the relevant regulations, consult a lawyer.

There are many ways you can introduce security vulnerabilities when you don't know what you are doing. You may be liable for any attacks on your system. If someone hacks your database, could they potentially reroute payments to accounts they control? Or change the amounts of the payments?

Also see:

dr jimbob
  • 38,768
  • 8
  • 92
  • 161