Can I request a member's bank account info through email?


imgrooot

I have been doing some research and I found out that it's a really really bad idea to store users' sensitive information in a database. 

 

Here's what I am trying to do.

 

1. Request a member's bank account info.

2. Make a direct deposit into their bank account from my bank account. This is done online through my bank's website.

 

My question is, if I can't store the member's bank account info in the database, can I at least request them to send it through an email? From there I can put it in excel sheet offline for storage and use that to make direct bank deposits to their account(s). Or is that illegal? If it is, then what's the best way to do this?

Link to comment
Share on other sites

Simply by virtue of working with other people's bank account information, you should talk to a lawyer.

 

The information must be safe in transit, not just in storage. Pretty sure email does not count as safe. And you have to worry about server environment, both physically and virtually.

 

Look through PCI compliance requirements - it's for credit card information, but the principles should at least apply to bank account information too.

Link to comment
Share on other sites

I have been doing some research and I found out that it's a really really bad idea to store users' sensitive information in a database. 

 

Here's what I am trying to do.

 

1. Request a member's bank account info.

2. Make a direct deposit into their bank account from my bank account. This is done online through my bank's website.

 

My question is, if I can't store the member's bank account info in the database, can I at least request them to send it through an email? From there I can put it in excel sheet offline for storage and use that to make direct bank deposits to their account(s). Or is that illegal? If it is, then what's the best way to do this?

 

It's a really really bad idea to store users' sensitive information in a database badly.

Oftentimes, you can't avoid needing this data, but you have to be very, very careful with it. 

 

Nobody (with any sense) is going to send you their bank account details by email. 

People have been bombarded by that kind of "phishing" nonsense from various countries around the world for [almost] as long as the Internet has existed! 

 

If you intend to do anything with anybody's bank account, then you need to retain records of having done so and that means that you absolutely have to have their bank account number.  How you acquire and store it is largely up to you but if you're not [strongly] encrypting it in transit (i.e. an https web site) and in the database then, frankly, you're just asking for trouble. 

 

Don't even think about Excel.

It's a useful tool for crunching numbers but it is no substitute for a proper database.

 

Regards,   Phill  W.

Link to comment
Share on other sites

Judging from what you all said, I should avoid collecting users' bank info on my own. Fair point. And I have looked at Stripe and it's not the exact solution I am looking for. 

 

Then I guess I have two other ways to do this. Western Union and E-wallet. Do you have suggestions for a reputable international e-wallet? By e-wallet, I don't mean a bitcoin wallet.

Link to comment
Share on other sites

What exactly is this process? Why are (were) people going to give you bank info and why were you going to send them money? Are you basically looking for a way to send people money?

 

I can't go into details about the whole process. But in short, yes I am looking to send people the money, not only in North America but internationally. I would like to know what the best option would be for that.

Link to comment
Share on other sites

You should check with whatever service provider you are using to send the money to see if they support capturing the information on their end then giving you a token. Most payment processors can do this for credit card data so that you can let them worry about storing it and dealing with PCI and you just need to keep the token/your account secure.

Link to comment
Share on other sites
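
The token arrangement described in the post above, as an added example that is not part of the original thread: the provider captures and keeps the bank details, and the site stores only an opaque token plus the last four digits. `ProviderVault` and `MerchantSite` are hypothetical in-memory stand-ins, not any real processor's API, and the account numbers are constructed sample values.

```python
import secrets


class ProviderVault:
    """Hypothetical stand-in for the payout provider's side; not a real API."""

    def __init__(self):
        self._accounts = {}  # token -> (routing, account); lives only at the provider
        self.ledger = []     # payouts the provider has executed

    def tokenize(self, routing: str, account: str) -> dict:
        # Assumption: the member enters this on a provider-hosted form, not by e-mail.
        if not (routing.isdigit() and account.isdigit() and len(account) >= 4):
            raise ValueError("malformed bank details")
        token = "tok_" + secrets.token_urlsafe(24)  # random, not derived from the account
        self._accounts[token] = (routing, account)
        return {"token": token, "last4": account[-4:]}

    def payout(self, token: str, amount_cents: int) -> dict:
        if token not in self._accounts:
            raise KeyError("unknown or revoked token")
        receipt = {"id": len(self.ledger) + 1, "token": token, "amount_cents": amount_cents}
        self.ledger.append(receipt)
        return receipt

    def revoke(self, token: str) -> None:
        # A leaked token can be killed without the member changing bank accounts.
        self._accounts.pop(token, None)


class MerchantSite:
    """What the site's own database holds: a token and a display hint."""

    def __init__(self, vault: ProviderVault):
        self.vault = vault
        self.members = {}  # member_id -> {"token", "last4"}

    def save_payout_method(self, member_id: str, provider_response: dict) -> None:
        self.members[member_id] = {k: provider_response[k] for k in ("token", "last4")}

    def pay_member(self, member_id: str, amount_cents: int) -> dict:
        return self.vault.payout(self.members[member_id]["token"], amount_cents)


def demo():
    vault = ProviderVault()
    site = MerchantSite(vault)
    # Constructed sample values, not real bank details.
    site.save_payout_method("member-17", vault.tokenize("000000000", "1234567890"))
    receipt = site.pay_member("member-17", 2500)
    return site, vault, receipt
```

A dump of `site.members` exposes a token that is only usable through the site's provider account, which is why the post says the remaining job is to keep the token and that account secure.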

You should check with whatever service provider you are using to send the money to see if they support capturing the information on their end then giving you a token. Most payment processors can do this for credit card data so that you can let them worry about storing it and dealing with PCI and you just need to keep the token/your account secure.

 

That is one of the methods I am looking into. 

Link to comment
Share on other sites

  • 1 month later...

I have been doing some research and I found out that it's a really really bad idea to store users' sensitive information in a database. 

 

Here's what I am trying to do.

 

1. Request a member's bank account info.

2. Make a direct deposit into their bank account from my bank account. This is done online through my bank's website.

 

My question is, if I can't store the member's bank account info in the database, can I at least request them to send it through an email? From there I can put it in excel sheet offline for storage and use that to make direct bank deposits to their account(s). Or is that illegal? If it is, then what's the best way to do this?

It isn't illegal. There often are websites that request and store financial information... there has to be a business need for it though and you have to store it responsibly and obviously obtain their consent. Regardless, if you get hacked and should a customer incur some sort of economic injury, you may be liable if you get sued and were negligent somewhere. If you are simply just collecting the data to store offline for some sort of authorized usage, a form might be a more familiar/normal method compared to having them email the info. Bitcoin can be an alternative but it does have its risk.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
