Summary of answers:
Don't do it. The legal and financial implications will be disastrous. Look for established third party solutions or hire an expert. Never store any sensitive information on a shared server. Research for the most appropriate encryption mechanism.
I am building a website for a customer that needs to store his clients' bank info (routing + account number) in the db for direct deposit. Here are some specifics:
1) The website will initially be on a shared hosting server (this is my first concern).
2) I am using PHP/MySQL.
3) I plan on using mcrypt.
4) The key will be located outside the web root.
Please let me know your thoughts. If possible, please provide me with some resources on ACH processing.
Thanks!
EDIT: I expected such a response, as I am terrified of security issues out there also. I have expressed my concern to my customer and this will be a good support.
EDIT 2: Will walk away from this. Was not happy with the idea in the first place! Will investigate PayPal's Mass Payment API.
You can use a password manager such as Keepass, which is available on a variety of laptop and mobile device platforms. You could also use GPG (GNU Privacy Guard) to create AES-256 encrypted files which store the sensitive information.
Answer: MySQL is a popular database for banking systems because it has all the features needed for the project. Large businesses usually choose SQL Server, Oracle, IBM, and other vendors because they have advanced features and (most importantly) commercial support.
INTEGER. This uses 4 bytes of storage.
Authentication: It also applies to bank employees who have access to customers' and banks' data. While earlier authentication simply required an ID and a password or PIN, many banks have now implemented two-factor and multi-factor authentication to ensure that the person is actually who he/she claims to be.
I think you can solve this problem without storing any bank information yourself through using something like Paypal's Mass Payment API. That way, your client can pay people, and PayPal stores all the information so you don't have to.
If you want to read about all of the steps you need to take to even have a remote possibility of securing your client's sensitive financial data, google 'PCI Compliance'.
If you're not deathly afraid of storing financial data online, you're horribly naive.
1) The website will initially be on a shared hosting server (this is my first concern). --REALLY BAD. Not having absolute administrative control over the server, and being able to keep other people out, is a really big problem.
I would be really concerned that you're directly accessing the database from the front end web server. That's a big no-no with financial data.
Even if you have the strongest encryption algorithm ever, what's to prevent someone from hijacking your system and using it to decrypt the data for them. They won't need the key, they'll just need your application to do the work for them. This is assuming you're using a single key to encrypt and decrypt the data or you are retrieving the data from the db to show to the users of the system.
Ok here's the thing. If you have to ask these questions, you don't have the technical expertise to do this correctly. I'm not trying to sound mean, it's just a fact. I would go work with a group of seasoned people who do this professionally first. There will be a lot of things that aren't mentioned here that will need to be taken into consideration. There's a lot of stuff about security that isn't written down per se. Things that you won't pick up on from reading a book. This is a really hard thing to build, because there are big rewards to people who break into financial systems.
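The single-key caveat raised in the answers above (an attacker who controls the application can simply ask it to decrypt) can be illustrated with a front end that is able to encrypt but not decrypt. This is an added example, not code from the thread: it uses PHP's bundled sodium extension rather than the mcrypt named in the question, and the function names, the separate "payout host" and the sample numbers are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example. Needs PHP 7.3+ with the bundled sodium extension.

// Payout host (assumed to be a separate machine): create the keypair once.
// Only the public half is ever copied to the web server.
$keypair   = sodium_crypto_box_keypair();
$publicKey = sodium_crypto_box_publickey($keypair);

// Web front end: holds $publicKey only, so it can write records but not read them.
function seal_bank_details(string $routing, string $account, string $publicKey): string
{
    $plain  = json_encode(['routing' => $routing, 'account' => $account], JSON_THROW_ON_ERROR);
    $sealed = sodium_crypto_box_seal($plain, $publicKey);
    sodium_memzero($plain);               // wipe the plaintext copy
    return base64_encode($sealed);        // value stored in the database
}

// Payout host: the only place the full keypair exists.
function open_bank_details(string $stored, string $keypair): array
{
    $sealed = base64_decode($stored, true);
    if ($sealed === false) {
        throw new RuntimeException('stored value is not valid base64');
    }
    $plain = sodium_crypto_box_seal_open($sealed, $keypair);
    if ($plain === false) {
        throw new RuntimeException('wrong key or modified ciphertext');
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample values, not real account data.
$row = seal_bank_details('000000000', '1234567890', $publicKey);

var_dump(open_bank_details($row, $keypair)['account'] === '1234567890'); // payout host can read

// Anything that only controls the web tier has no matching secret key.
// A freshly generated keypair stands in for that situation here.
$otherKeypair = sodium_crypto_box_keypair();
try {
    open_bank_details($row, $otherKeypair);
} catch (RuntimeException $e) {
    echo 'web tier cannot decrypt: ', $e->getMessage(), PHP_EOL;
}
```

This only narrows what a compromised web server can read back from the database; it does nothing about the shared hosting, compliance and operational concerns raised in the answers, and the host holding the keypair becomes the target instead.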