Seven Tips Every Bank and Credit Union Manager Should Know About Securing Online Forms
By Jason Sherrill
Posted on Aug 2, 2007
The second most common question that managers at banks, credit unions and other financial institutions have asked me over the past year is, "What is the best way to secure our online forms, such as loan applications and contact-us forms?" Here are a few simple guidelines your development team should follow when creating your online applications.
- The form must require 128-bit or higher SSL encryption
- The form must store all form input directly to a SQL database; that database must exist outside of the root website folder, and preferably on a separate database server not directly accessible via the internet
- All sensitive form data, such as social security numbers or account numbers, must be encrypted or hashed when stored inside the database
- Under no circumstances may the form submit sensitive input data through clear-text email, nor may it store any form input data in a folder accessible via the internet (read more about this here)
- All web-based form viewers must require a username and complex password to view data; form viewers must require 128-bit or higher SSL encryption
- The form viewer authentication system must maintain a log that captures, at a minimum, the username, logon date & time, logoff date & time and pages accessed during each user session
- The application must have an automatic data purge routine that fully deletes sensitive form input data from the database no longer than 30 days from the date collected
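The third and seventh guidelines (protecting sensitive fields at rest and purging them after 30 days) are the ones developers most often get subtly wrong, so here is an added example of both, not code from this post or from InetSolution. It assumes a Python back end and uses only the standard library (sqlite3 stands in for the production database). It uses a keyed hash rather than a plain hash: a social security number has only about a billion possible values, so an unkeyed SHA-256 of it can be reversed by brute force if the table is ever stolen.

```python
import hashlib
import hmac
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed demo key. In production, load it from a key vault or a file
# outside the web root; never hard-code it or keep it in the database.
HMAC_KEY = b"demo-key-replace-with-a-secret-from-a-key-vault"
RETENTION_DAYS = 30  # guideline 7: sensitive data lives no longer than 30 days


def protect_ssn(ssn: str, key: bytes = HMAC_KEY) -> str:
    """Return a keyed hash (HMAC-SHA256) of an SSN, ignoring formatting.

    Hashing fits when the number only needs to be matched later, not read
    back; if staff must see the original, use reversible encryption instead.
    """
    digits = "".join(ch for ch in ssn if ch.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Create the applications table; timestamps are stored as ISO-8601 UTC."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS loan_applications ("
        "id INTEGER PRIMARY KEY, applicant TEXT NOT NULL, "
        "ssn_hmac TEXT NOT NULL, collected_at TEXT NOT NULL)"
    )
    return conn


def store_application(conn, applicant: str, ssn: str, collected_at: datetime) -> None:
    """Guideline 3: only the keyed hash of the SSN ever reaches the database.
    Parameterised queries keep form input out of the SQL text."""
    conn.execute(
        "INSERT INTO loan_applications (applicant, ssn_hmac, collected_at) VALUES (?, ?, ?)",
        (applicant, protect_ssn(ssn), collected_at.isoformat()),
    )
    conn.commit()


def purge_expired(conn, now: datetime, days: int = RETENTION_DAYS) -> int:
    """Guideline 7: delete every row collected more than `days` ago.
    Returns the number of rows removed so the job can be logged and monitored."""
    cutoff = (now - timedelta(days=days)).isoformat()
    cur = conn.execute("DELETE FROM loan_applications WHERE collected_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def count_rows(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM loan_applications").fetchone()[0]
```

Run `purge_expired` from a scheduled job (daily is typical) and alert if it ever stops running, since a silent failure leaves data past the 30-day limit.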
I recommend that you review your current applications to make sure they meet these minimum security requirements. If they don't, ask your web developer to upgrade them to meet these criteria, or contact InetSolution and we'll help you.
P.S. The most common question that bank managers ask me is, "How much do you charge?"