BreachExchange mailing list archives

Re: Banking and state regulations regarding the transmission of banking routing/account information


From: "Al" <macwheel99 () wowway com>
Date: Thu, 16 Apr 2009 23:44:30 -0500

As a general rule, I would say you should NOT send ANY banking info via the
Internet per se.

Rather, you should be using a system like VPN, which comes with encryption &
passwords.


To ask what the rules are for sending the info via Internet is like asking
what the rules are for painting your credit card info on the side of your
building, or on your forehead, for everyone to see. There are no such
rules, because no one is supposed to be doing that.


Start with PCI contract if you are handling credit card information on any
customers.

Your company should have a contract with the bank.

Here are the regulations imposed by PCI.

Build and Maintain a Secure Network Compliance

Requirement 1: Install and maintain a firewall configuration to protect
data. 

Requirement 2: Do not use vendor-supplied defaults for system passwords and
other security parameters. 

Protect Cardholder Data

Requirement 3: Protect stored data. 

Requirement 4: Encrypt transmission of cardholder data and sensitive
information across public networks. 

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update AV. 

Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Requirement 7: Restrict access to data by business need-to-know. 

Requirement 8: Assign a unique ID to each person with computer access. 

Requirement 9: Restrict physical access to cardholder data. 

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and
cardholder data.

Requirement 11: Regularly test security systems and processes. 

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security. 

Each bank and credit card company adds its own additional regulations to the
PCI standards.

You need to check the contracts you have with them.


Here are web sites with info regarding some of the legal ramifications, and
what your goals should be.  We can add more links like this.

http://pcianswers.com/2009/01/21/what-pci-compliance-really-means/ 

http://infoseccompliance.blogspot.com/2008/02/legal-implications-risks-and-problems.html

http://infoseccompliance.com/2009/04/02/who-is-minding-the-legal-risk-around-pci/

http://www.pcicomplianceguide.org/iso-acquirer-20080930-legal-rights-pci-compliance.php


The laws vary by state and nation.  You are covered by whatever laws for
your location, your bank's location, locations of any customers or vendors
whose banking info is in the transmissions.


-

Al Mac

  _____  

From: dataloss-bounces () datalossdb org
[mailto:dataloss-bounces () datalossdb org] On Behalf Of fzbrick
Sent: Thursday, April 16, 2009 3:02 PM
To: dataloss () datalossdb org
Subject: [Dataloss] Banking and state regulations regarding the
transmission of banking routing/account information


Hi,

Is anyone aware of written regulations regarding how bank routing and
account information should be transmitted over the internet?

Intuitively, it needs to be encrypted, however what seems clear to others
isn't to others.  I need a banking regulation, federal law, or banking
requirement that says

"Bank Routing and Account information shall be encrypted".

Sorry, I am dealing with difficult people, who will not believe me, and need
it spelled out to them in near comic book form.

Thanks



_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
