7

Background:

I work for an NPO which receives large numbers of paper check donations every week. The current process of recording the donations is tedious and done mostly on paper. Because most donations come from regular donors, we assign unique donor IDs, which makes it easier to generate end-of-year contribution reports (which our donors can use for tax purposes). However, most of our donors don't write their donor ID on their checks, which forces us to look up each donor ID manually.

To help streamline this process, I'm developing a small C# desktop app for internal office use. One of the features I'd like to provide is a quick lookup of donor IDs. A possible implementation could be to use a MICR reader to scan the checks, which would yield the donor's ABA routing and account number. I don't actually need that info for our records, but it could be used to do a quick lookup of the donor's ID. The routing and account number could be concatenated, hashed with something like SHA-512, then stored in a table which associates these hashes with donor IDs.

Question:

Would these one-way hashed routing/account numbers be considered PCI data, and therefore require PCI DSS compliance for our office?

NOTE: For reasons irrelevant to this post, we can't convert these checks to EFTs - which would be my personal preference.

Patrick D.
  • 143
  • 1
  • 7
  • I really like your idea of not keeping any sensitive information in plain text, that you really do not need in plain text. But I would suggest asking those behind PCI if your solution is sufficient to avoid PCI DSS compliance. Isn't there a government office that can answer? – Bent Feb 18 '16 at 08:51
  • @Bent: DSS is developed and maintained by a consortium of private companies. – Blrfl Feb 18 '16 at 09:55

1 Answers1

7

Bank Account Information

I suggest you read this question which discusses this subject: Storing account numbers and sort codes online

In short, when storing account details PCI does not apply; it only applies to payment cards. However, the standard still offers one of the most accepted standards for storing secure data; so PCI is a useful point of reference for good practice.

I suggest that you review the PCI standard and implement all relevant recommendations. However, as you are not handling payment cards, there is no legal requirement to comply.

PCI Data

The relevant section of the standard begins on page 7 of PCI DSS v3.1. This identifies the data that is considered sensitive.

Intent

It is worth noting that the PCI scheme organisers made the applicability of the scheme as universal as possible; this was deliberate. So the simple answer is, if you handle sensitive cardholder or authentication data, then the scheme applies to you.

The intent behind the scheme is to provide a base-level of protection for sensitive cardholder/authentication data wherever it exists. For this reason it should not be too costly to implement the scheme in any case.

Then again, schemes such as this aren't always as simple as they are supposed to be.

Specifics

The hashed storage of the information is simply part of compliance with the scheme, not a means to avoiding compliance. Hashed data storage can be a means of complying with the data storage requirements (see table below). Account Data PCI Compliance

However, compliance with the rest of scheme (e.g. network topology, PC security, etc.) is not dependent upon how the information is stored.

Community
  • 1
  • It didn't even occur to me until just now, but since we aren't dealing with credit cards at all, does PCI DSS still apply? Surely the same type of security would be necessary, but everything I've read so far references fields which are unique to credit cards: cardholder, exp date, etc – Patrick D. Feb 18 '16 at 10:20
  • @Peter Why do you claim that PCI applies, at all? Bank account != Credit Card – CodesInChaos Feb 18 '16 at 10:21
  • @CodesInChaos I had read account number as the PAN (Primary Account Number; sorry. let me revise. –  Feb 18 '16 at 10:24
  • @CodesInChaos I've added a new section to cover the bank account details. I've retained most of the information about PCI as it may be of use to others who come across this question but I have rewritten it as generic advice about hashing PCI sensitive data. –  Feb 18 '16 at 10:42
  • @PatrickD. I had misinterpreted part of the question, see other comments. My answer is now revised. –  Feb 18 '16 at 10:45
  • @CodesInChaos Answers my question either way. Thanks for info! – Patrick D. Feb 18 '16 at 10:55