pci-compliancepci-dssbanking

Can I store user bank details without PCI compliance?


We are working on a project its nature is somewhat ride sharing , I read about PCI Compliance i know we have to be PCI Compliance if we are dealing with credit card or payment i am a little ambiguous do we store our drivers bank info like Account number(encrypted) , Account title etc in database , i have read about

Who must be PCI compliant? "If you accept credit cards from your customers, then you must be PCI compliant" reference

so if we store only bank account numbers not credit card we must have to be PCI compliance.


Solution

  • You do not have to be PCI compliant as, you already have pointed out, that you do not handle credit card information. PCI DSS, which standards for Payment Card Industry Data Security Standard, only governs credit card data. ACH/Bank account information clearly does not fall under their purview.

    However, there are rules around ACH/Bank account data governed by NACHA. You do fall under their scope and must obey their standards. So, essentially, there are a set of standards similar to PCI that must follow. So if you were hoping to avoid scrutiny and regulation you are out of luck.

    You also may be governed by the laws of where your data is stored as well as where you operate. You would need to speak to a lawyer to get more information about that.