Email bank account information from form
A client wants a registration form on their website which contains, among other fields, spaces for bank account information (including sort code and account number). The form will not submit the data to a database, so there is no storage of this information, but it will email the client with this information.
My question is, what are the security issues with emailing bank account information, and are there any accepted protocols / methods for maximising security?
Data security is vital for everybody dealing with payment data, because nothing is more important than keeping this kind of data as secure as possible. Bank account information definitely are to be dealt with highest care.
What are the security issues with emailing bank account information?
Well, everybody with access to this email (may it be the email provider or whoever is hacking into the SMTP traffic) can read the data. Therefore it is a big security issue, since you cannot control who has access to this. And you have even less control over what people do with this data.
Advice is not very easy to give here, this highly depends alot on what you have to code and which is the system enviroment, therefore my advice is only in a very general sense:
- Don't send bank information data via email.
- Use highly encrypted methods (SSL/HTTPS).
- Always have control over who has access to this kind of data.
- Ask questions, like: If you don't want to store the data, to what purpose do you want to send it via email?
This list can go on and on.
There are some very extensive standards out there. For this kind of data, I recommend following the advices given in PCI DSS. Its main purpose is protecting card data, but its recommendations are also applicable to other topics.