1

I need to save bank account data in a web project. The project is ASP.NET MVC 3 and the database is MSSQL 2008 R2.

But how should I do that securely?

My solutions are:

  1. Solution: Encrypt the data with TripleDESCryptoServiceProvider and save it to the database.

  2. Solution: Save only maybe the last 3 digits of the account data (like Amazon shows you), so that the user will recognize which account data he has saved to the system. Encrypt the entire account data and save it to a different database (maybe with a stored procedure) to which the web project has no rights.

We only need the account data to collect the monthly fees. So we do not need it in the web project. But the user has to recognise which account data he has given to pay the fees.

What are the best solutions?

EDIT:

Thank you all for your replies. I think we will really use a service provider that will store the account data and do all the other stuff like accounts receivable management.

Chris
    Not an answer, but remember to consider any applicable laws governing storage of banking data where you are. For instance, in the UK, you cannot store card details without some pretty serious (physical) security measures. – Tom Morgan Jan 25 '12 at 10:31
  • 3
    I would *strongly* advise you not to rely (completely) on a Q/A site for this information. Getting this wrong could have serious legal/financial consequences. You should be sure to study the relevant PCI or similar standards of your nation/industry. – Andrew Barber Jan 25 '12 at 10:33
  • 1
    Yeah; What @TomMorgan said. I'm leaving my comment too, just to emphasize it. If this is for a small company, they can't afford the cost of a single breach. If this is for a big company, there's no excuse not to have someone familiar working on this sort of thing. – Andrew Barber Jan 25 '12 at 10:34
  • The best solution by far is to use a third-party service and pay their fees. With user account data on it, your DB server immediately becomes a treasure trove for hackers. Saving the fees is simply not worth your time and effort. – Sergey Kalinichenko Jan 25 '12 at 10:34
  • Consider contracting a specialist if this is not your field. Your users and your company lawyer will thank you. – Cheekysoft Jan 25 '12 at 14:46

2 Answers

3

Actually, leading on from my comment - your best bet might be to talk to your payment gateway. A lot of them operate a token system to allow people to collect regular payments without needing to store card details. The user enters details once, they get stored at the payment gateway, you get back a token, which you can then re-use to perform a repeat payment.

Given that scenario, you could then store just the last 4 digits of the card number: that should be enough for a user to recognise their card again if needed.

They're probably also a good first port of call for information relating to security and storage methods.

Tom Morgan
0

I suppose it boils down to who needs to access your bank numbers after you have saved them.

If they are saved by your web app and then read by another private application, my recommendation would be to encrypt the results in the site with a public key and only have the private decryption key available in your other application. This means that even if your DB is compromised, they will also need your private key to access the data. Store this somewhere else.

As others have said, the best solution is to avoid storing the data at all, if possible.

undefined
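The split this answer describes (web tier keeps only a public key and a last-few-digits hint, a separate billing application holds the private key), as an added example that is not code from any poster: it is written in Go rather than the question's C#, generates a throwaway key pair in-process for the demo, and uses a constructed sample IBAN.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// StoredAccount is all the web tier persists: a recognition hint plus ciphertext it cannot read back.
type StoredAccount struct {
	Last4      string
	Ciphertext []byte
}

// Last4 returns the trailing four characters of an account number for display only.
func Last4(account string) string {
	if len(account) < 4 {
		return account
	}
	return account[len(account)-4:]
}

// SealAccount runs in the web tier. It is given only the public key, so once the
// plaintext is discarded the full number cannot be recovered from the web database.
func SealAccount(pub *rsa.PublicKey, account string) (StoredAccount, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(account), []byte("bank-account"))
	if err != nil {
		return StoredAccount{}, err
	}
	return StoredAccount{Last4: Last4(account), Ciphertext: ct}, nil
}

// OpenAccount runs in the separate billing application that owns the private key.
func OpenAccount(priv *rsa.PrivateKey, rec StoredAccount) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.Ciphertext, []byte("bank-account"))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // demo key; in practice generated and kept on the billing host
	rec, _ := SealAccount(&priv.PublicKey, "DE89370400440532013000") // constructed sample IBAN
	fmt.Printf("web db holds last4=%s and %d ciphertext bytes\n", rec.Last4, len(rec.Ciphertext))
	acct, _ := OpenAccount(priv, rec)
	fmt.Println("billing app recovered:", acct)
}
```

A compromise of the web database alone yields only the hint and ciphertext; a wrong or missing private key fails to decrypt rather than returning garbage.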