Hi! I would very much appreciate community input as to how to handle banking instructions securely.
A new payment workflow is being hashed out by Accounts Receivable at my organisation and the piece thrown over the fence to me is "how do we securely receive John/Jane Doe's banking information that is sent to us in PDF format?" Also, "How do we securely store this information in such a way that we have an audit trail for 'customer disputes' and internal auditing of access to and disposal of this sensitive information?" What have you used to fulfill similar requests? Shameless plugging of a particular solution that worked for you is allowed because, to coin a phrase, "I got nothing" 🙂 Any input that will help this baptism of fire into what I suspect are the murky waters of PCI-DSS would be much appreciated!
Derek,
I can only offer some thoughts and questions to help crystallize your situation, but the answers may help others give you advice based on actual experience.
1. Who is providing the banking information, the bank or the individual customer?
2. How is the information being generated into a PDF, and by what entity?
3. Is the PDF a full text document, or simply an image of the text contained in a PDF file?
4. Has the transmittal process for the PDF already been defined? If so, what is that method? Obviously, e-mail is a completely unsatisfactory method unless both parties have a properly managed encrypted e-mail system in place.
5. Is your company committed to all in-house IT, all cloud-based, or hybrid IT? That level of architecture can make a big difference in how you approach #6, below.
6. You said you need an auditable access record system. This implies you must have a restricted access, encrypted database, preferably with row-level encryption, with full data leak protection (DLP) logging in place. Such a system is more complex, with greater dual-level sysadmin requirements than a general access SQL database. There are commercial products available, but not cheap. I know Oracle has such, but have not worked with their product in over 5 years, so cannot comment on them or their competitors.
My notes above are not exhaustive to your problem, but I hope they help you frame your approach to your analysis.
Good luck,
Craig
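An added example (not code from Derek, Craig or any product mentioned in the thread) of the auditable access record Craig's point 6 describes: an append-only, HMAC-tagged, hash-chained log of receipt, access, out-of-band verification and disposal events for a vendor banking record, where editing or dropping any event breaks verification. The key, actor names and record id are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed demo key; a real deployment would hold this in a KMS/HSM, not in code.
LOG_KEY = b"demo-only-audit-key-not-for-production"


class AuditTrail:
    """Append-only log of who touched a banking record and when.

    Each entry commits to the previous entry's tag, so altering or removing
    an event (e.g. hiding an access before a customer dispute) fails verify().
    """

    def __init__(self, key: bytes = LOG_KEY):
        self._key = key
        self.entries = []

    def _tag(self, body: dict) -> str:
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def record(self, actor: str, action: str, record_id: str, ts: Optional[str] = None) -> dict:
        prev = self.entries[-1]["tag"] if self.entries else "0" * 64
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,  # received / accessed / verified_oob / disposed
            "record_id": record_id,
            "prev": prev,  # chain link to the previous entry
        }
        entry["tag"] = self._tag(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is untouched and the chain is unbroken."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "tag"}
            if not hmac.compare_digest(self._tag(body), e["tag"]):
                return False
            prev = e["tag"]
        return True

    def history(self, record_id: str) -> list:
        """All events for one record: the trail to hand an auditor or dispute reviewer."""
        return [e for e in self.entries if e["record_id"] == record_id]


def demo() -> tuple:
    # Constructed lifecycle of one vendor's banking details, then a tampered access event.
    trail = AuditTrail()
    trail.record("sharefile-ingest", "received", "vendor-0042", "2021-03-01T10:00:00+00:00")
    trail.record("ap-clerk-1", "accessed", "vendor-0042", "2021-03-01T10:05:00+00:00")
    trail.record("ap-clerk-1", "verified_oob", "vendor-0042", "2021-03-01T11:30:00+00:00")
    trail.record("retention-job", "disposed", "vendor-0042", "2021-06-01T00:00:00+00:00")
    intact = trail.verify()
    trail.entries[1]["actor"] = "someone-else"  # rewrite who performed the access
    return intact, trail.verify(), len(trail.history("vendor-0042"))
```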
Firstly, please accept my apologies for the late acknowledgement and reply to your responses.
Thank you very much for your assistance with my query.
As I began to dig deeper into what was required, it became clear that what they were asking for was a secure file exchange solution to facilitate a C-19-induced shift to EFT payment of our vendors. They wanted to be able to upload a "banking details" form to an area only accessible by a vendor and our Accounts Payable (AP) staff. The vendor would download the form and complete it with information that would enable AP to pay them via EFT as opposed to a check; a one-time process unless EFT details were to change. AP would "pick up" the completed form, enter it into their system and continue their AP workflow. AP has been advised (by myself and our legal department) that they will need to implement an out-of-band verification of any information to reduce the risk of fraudulent information being ingested. To facilitate the above ask, we went with Citrix ShareFile.
Thanks again... and fingers crossed.
Derek