Accepting bank account information in a form
What security concerns are there when accepting a user's bank account information (account number and routing number) via a form on a page that is using SSL, and posting it back to the server where I then curl off a HTTPS request to send that information to an ACH service like First ACH or ACH Direct via their API?
We wouldn't be saving the bank account information in our database. I know another option is to use PayPal's Mass Pay API, but they think it's unprofessional (at least for their business) to require customers to have a PayPal account to get paid.
Lots of security concerns here. Even if you aren't subject to regulatory statutes (depends on your business) I can think of quite a few. I'll type till I'm tired of it.
- Are your servers secure? Locked in cages, secure site, two-person access, patched, audited and scanned with intrusion detection, and so on. This is the most likely thing you've got to worry about. If you think they are, they're probably not.
- Is the network secure all the way down? Even stupid things like a plan to make sure your domain name doesn't expire is important. Do you have automated controls for shutting down the site in case of intrusion?
- Is your software secure? Auditing by a third party for security problems is a must. Don't skimp on this. From the front end (CSS attacks) to the back end, everything needs to be locked solid.
- Is your development cycle secure? Dual-person controls on the software. Don't let your developers patch the servers, or deploy code without a code review. Admins need monitoring too.
- Everything needs to be encrypted. Better to not store the account numbers at all. If you do store them, encrypt them and keep the keys elsewhere.
... okay, I'm tired.
Not to rain on this parade, but if you have to ask about this kind of thing on SO, you're really not prepared to do this. Buy a solution, hire a professional in the field, or spend a lot of time studying this problem and have someone audit what you're doing.
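The "don't store it, and if you must, keep the key elsewhere" point above, together with the questioner's forward-to-the-ACH-provider flow, in working form. This is an added example, not code from the question or from First ACH / ACH Direct; the JSON field names, the endpoint URL and the bearer-token header are assumptions, and the routing numbers below are constructed sample values chosen only for the checksum. It validates the ABA routing checksum before anything leaves the box, masks the account number in the log record, stores a keyed fingerprint instead of the number when a returning account has to be recognised, and refuses to send over anything but verified HTTPS.

```python
"""Server-side handling of a routing/account pair before forwarding it to an
ACH provider. Added example; field names, endpoint and auth scheme are assumed."""
import hashlib
import hmac
import json
import os
import ssl
import urllib.request


def mask_account(account: str) -> str:
    """Last four digits only, e.g. '********6789'. This is all a log may hold."""
    digits = account.strip()
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def validate_routing_number(routing: str) -> bool:
    """ABA routing numbers are nine digits with a weighted mod-10 checksum:
    3*(d1+d4+d7) + 7*(d2+d5+d8) + 1*(d3+d6+d9) must be divisible by 10.
    Rejecting malformed input here keeps typos from ever reaching the provider."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def account_fingerprint(routing: str, account: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the pair. Store this instead of the numbers when you
    must recognise a returning account (duplicate payouts, reconciliation).
    The key lives outside the database (env var, KMS, HSM), so a dump of the
    database alone is useless; an unkeyed hash would not be, because account
    numbers have far too little entropy to resist brute force."""
    msg = f"{routing}|{account}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_ach_request(routing, account, amount_cents, endpoint, api_token):
    """Build the outbound request plus a log-safe record of it.
    Returns (urllib.request.Request, log_record). Field names are assumptions."""
    if not validate_routing_number(routing):
        raise ValueError("routing number failed ABA checksum")
    # Digits only, at most 17 (the NACHA account field length); loosen if your
    # provider documents something else.
    if not (4 <= len(account) <= 17 and account.isdigit()):
        raise ValueError("account number must be 4-17 digits")
    if not endpoint.lower().startswith("https://"):
        raise ValueError("refusing to send bank details over anything but HTTPS")
    body = json.dumps({"routing": routing, "account": account,
                       "amount_cents": amount_cents}).encode()
    req = urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_token}"})
    log_record = {"endpoint": endpoint, "routing": routing,
                  "account": mask_account(account), "amount_cents": amount_cents}
    return req, log_record


def send_ach_request(req, timeout=10):
    """Send with certificate and hostname verification on (the default context).
    Never switch verification off to 'fix' a TLS error on the provider's side."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Key comes from the environment, not from the database or the code.
    key = os.environ.get("ACH_FINGERPRINT_KEY", "dev-only-key").encode()
    req, record = build_ach_request("021000021", "000123456789", 12500,
                                    "https://ach.example.com/v1/credits", "token")
    print(record)                                      # masked account only
    print(account_fingerprint("021000021", "000123456789", key))
    # send_ach_request(req) would perform the real call.
```

One caveat the questioner's wording invites: if the server really shells out to curl, do not put the account number on the command line, where it shows up in `ps` and shell history; feed the body on stdin (`--data-binary @-`) or use an in-process HTTP client as above.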
You use SSL on both streams and you don't store. I'd say there are no concerns, just keep your server well guarded and use strong crypto.
Should someone manage to get access on your server you could be in trouble, but that's pretty much true for every kind of online financial transaction.
Lyons offers an "account verification" API which might work: http://www.lyonsreg.com/products/account-verification.asp
Your design sounds relatively sound. The main issue is that your web application has to be running in a secure environment, which I'm guessing you don't have a lot of control over if you're hosted.
Ask your hosting company if they are PCI-DSS compliant. If they can hit that bar then you're probably in good hands.