On Thu, Aug 12, 2010 at 10:30 AM, tedd <t...@sperling.com> wrote:
> At 2:51 PM +0100 8/12/10, Ashley Sheridan wrote:
>> If you are storing the data in a DB, then I'd consider using different
>> levels of access to that via different DB users, which should offer an extra
>> layer of security in protecting the data.
> Of course, the routines I'm writing provide several levels of access for
> different functions/job-duties. However, at some point there will be people
> who will have access to SS# data.
> The real questions here are:
> 1. Is it lawful in the USA to store US SS# in an online database?
> 2. If it is lawful, then what security provisions are required?
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
The worst part of that is that it varies by state (check the MA and NY
laws as the most restrictive); there are no federal guidelines as yet.
However, the data must be stored in an encrypted format and it must be
transmitted via SSL. We do it that way (taking both a hash for
searching for the ssn and the encrypted form) and haven't had any
issues as yet. Some clients are simply refusing to store SSNs for any
person in the system where the address is in MA. The other thing to
consider is that more and more states are looking to encrypt PII data
(name, dob, ssn etc) for more security.
You could consider storing just the encrypted ssn and link data in a
separate database, that would require a different logon to access when
the data is required.
Cat, the other other white meat
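The pattern the reply above describes (keep a hash of the SSN for searching alongside an encrypted copy of it, with the encrypted copy living behind a separate logon) can be sketched in PHP. This is an added example, not code from the thread or from anyone posting in it; it assumes PHP 7.2+ with the sodium extension, and the class name `SsnVault`, the column names and the sample SSN are all made up for the demonstration.

```php
<?php
// Added example (not from the original thread): store an SSN as an
// authenticated ciphertext plus a keyed hash used only for equality lookup.
// Assumes PHP 7.2+ with the sodium extension. Keys are generated at runtime
// here for demonstration only; in production they come from a secret store.

declare(strict_types=1);

final class SsnVault
{
    private string $encKey;   // SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes
    private string $hmacKey;  // separate key, used only for the lookup hash

    public function __construct(string $encKey, string $hmacKey)
    {
        if (strlen($encKey) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('bad encryption key length');
        }
        $this->encKey  = $encKey;
        $this->hmacKey = $hmacKey;
    }

    // Normalise "123-45-6789" -> "123456789" and check the shape, so the
    // lookup hash is the same however the user typed the number.
    public static function normalise(string $ssn): string
    {
        $digits = preg_replace('/\D/', '', $ssn);
        if (!preg_match('/^\d{9}$/', $digits)) {
            throw new InvalidArgumentException('SSN must contain exactly 9 digits');
        }
        return $digits;
    }

    // Keyed hash (HMAC-SHA256) for an indexed equality search. An unkeyed
    // hash would be trivially reversed: there are only 10^9 possible SSNs,
    // so the HMAC key must be protected as carefully as the encryption key.
    public function lookupHash(string $ssn): string
    {
        return hash_hmac('sha256', self::normalise($ssn), $this->hmacKey);
    }

    // Authenticated encryption (XSalsa20-Poly1305 via secretbox); a random
    // nonce is prepended and the result base64-encoded to fit a text column.
    public function encrypt(string $ssn): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ct    = sodium_crypto_secretbox(self::normalise($ssn), $nonce, $this->encKey);
        return base64_encode($nonce . $ct);
    }

    public function decrypt(string $stored): string
    {
        $raw = base64_decode($stored, true);
        $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
        if ($raw === false || strlen($raw) < $min) {
            throw new RuntimeException('malformed ciphertext');
        }
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ct    = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($ct, $nonce, $this->encKey);
        if ($plain === false) {
            throw new RuntimeException('ciphertext failed authentication');
        }
        return $plain;
    }
}

// Demo with constructed data and throwaway keys.
$vault = new SsnVault(sodium_crypto_secretbox_keygen(), random_bytes(32));

// What would be written to the two stores: the hash in the main table,
// the ciphertext in the separately-credentialed database.
$row = [
    'person_id' => 42,
    'ssn_hash'  => $vault->lookupHash('123-45-6789'),
    'ssn_enc'   => $vault->encrypt('123-45-6789'),
];

// Search: hash the query the same way and compare in constant time
// (in a real system this is a WHERE ssn_hash = ? against an index).
$query = $vault->lookupHash('123456789');
if (hash_equals($row['ssn_hash'], $query)) {
    $last4 = substr($vault->decrypt($row['ssn_enc']), -4);
    echo "match for person {$row['person_id']}, SSN ending in {$last4}\n";
}
```

The split into two keys matters: the hash column is only useful for exact-match search and never needs to be reversed, so it gets its own key and the decrypting code path is only exercised when the full number is actually required. Keeping `ssn_enc` in the separate database the reply mentions means the web application's normal DB credentials never see ciphertext, let alone plaintext.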