> -----Original Message-----
> From: tedd [mailto:tedd@xxxxxxxxxxxx]
> Sent: Thursday, August 12, 2010 7:30 AM
> To: ash@xxxxxxxxxxxxxxxxxxxx
> Cc: php-general@xxxxxxxxxxxxx
> Subject: RE: Storing Social Security Number WAS:
> Encryption/Decryption Question
>
> At 2:51 PM +0100 8/12/10, Ashley Sheridan wrote:
> >If you are storing the data in a DB, then I'd consider using different
> >levels of access to that via different DB users, which should offer an
> >extra layer of security in protecting the data.
>
> Of course, the routines I'm writing provide several levels of access for
> different functions/job-duties. However, at some point there will be people
> who will have access to SS# data.
>
> The real questions here are:
>
> 1. Is it lawful in the USA to store US SS# in an online database?
>
> 2. If it is lawful, then what security provisions are required?
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/
>

Tedd,

I don't think it's unlawful according to the links below:

http://www.ssa.gov/kc/id_practices_best.htm
http://www.wireless.att.com/learn/basics/shopping-faqs.jsp#05

If your client accepts credit card as a form of payment for collection and if you comply with PCI DSS, then you're pretty much safe. (IIRC, it's not cheap to be certified by PCI DSS but you can still put their requirements in practice without having to qualify unless the client's business requires it).

Regards,
Tommy

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php