Storing SEPA (IBAN and BIC) data - requires PCI compliance?
We would like to use a banking API to do SEPA transfers from our bank account to the user's bank account. For that the user needs to enter his IBAN and BIC into the form. We take those data (SSL secured) and transfer the money using the banking REST API. If we get a Success response, we show the user a message that the money was transferred to his account.

During the whole process we do not store the IBAN or BIC anywhere, neither in local variables nor in the database. The connection to the Fidor API is secure.

So there are the following questions:

1. Do SEPA data in general need PCI compliance?
2. If yes, would we need to be PCI compliant for the use case above? Because we never store any of the data.

I tried to find information about this on Google without success. If you have had the same use case I would be very thankful if you could share your experience. Also, if you have a link about this topic I would highly appreciate it.

Thanks in advance!

Wheat answered 25/11, 2016 at 7:5
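Whatever the compliance answer, the flow described in the question still has to handle the IBAN it receives. The following added example (not code from the question, the Fidor API or any other project) shows two defensive steps a pass-through service can apply before calling the transfer API: an ISO 13616 mod-97 checksum validation that rejects mistyped account numbers early, and a masking helper so that only a redacted form ever reaches logs or error messages. The per-country length table is a small assumed subset of the IBAN registry.

```python
"""ISO 13616 IBAN checksum validation and log-safe masking.

Added example for the SEPA-transfer flow described above; it is not code
from the original post or from any banking API.
"""
import re

# Assumed subset of the ISO 13616 registry: IBAN length per SEPA country.
IBAN_LENGTHS = {"DE": 22, "FR": 27, "NL": 18, "ES": 24, "IT": 27, "AT": 20, "BE": 16}


def normalize_iban(raw: str) -> str:
    """Strip whitespace and upper-case; users often type 'DE89 3704 0044 ...'."""
    return re.sub(r"\s+", "", raw).upper()


def iban_is_valid(raw: str) -> bool:
    """Check structure, country-specific length and the mod-97 check digits."""
    iban = normalize_iban(raw)
    # Two-letter country code, two check digits, then 11 to 30 alphanumerics.
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    country = iban[:2]
    if country in IBAN_LENGTHS and len(iban) != IBAN_LENGTHS[country]:
        return False
    # ISO 7064 mod 97-10: move the first four characters to the end and
    # replace each letter A..Z with 10..35; a valid IBAN leaves remainder 1.
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def mask_iban(raw: str) -> str:
    """Keep the country code and last four characters; mask everything else.

    Use this form in log lines and user-facing confirmations so the full
    account number is never persisted as a side effect of logging.
    """
    iban = normalize_iban(raw)
    if len(iban) < 8:
        return "*" * len(iban)
    return iban[:2] + "*" * (len(iban) - 6) + iban[-4:]


if __name__ == "__main__":
    # Constructed input: the commonly published example IBAN, not a real account.
    sample = "DE89 3704 0044 0532 0130 00"
    print(iban_is_valid(sample), mask_iban(sample))
```

The validator only catches typos and transpositions; it says nothing about whether the account exists, which remains the banking API's job.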
IBAN and BIC are not secret information, so PCI DSS does not apply.

Slapjack answered 6/2, 2017 at 14:9
Official Source: pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/… (Undergrowth)

@Undergrowth That document, while being of an unknown source, reads differently to me. IBAN may be covered by that regulation and secure handling is "strongly recommended" anyway. Whatever appropriate measures for handling or storing such data might be. I'll probably encrypt the data in my database with a key stored in a separate file. That's as far as I can go without preventing the service. (Gombosi)
