I need to save banking account data in a web project. The project is asp.net mvc 3 and the database is MSSQL 2008 R2.
But how should I do that securely?
My solutions are:
Solution 1: Encrypt the data with TripleDESCryptoServiceProvider and save it to the database.
Solution 2: Save only maybe the last 3 numbers of the account data (like Amazon shows you), so that the user will recognize which account data he has saved to the system. Encrypt the entire account data and save it to a different database (maybe with a stored procedure) to which the web project has no rights.
We only need the account data to collect the monthly fees. So we do not need it in the web project. But the user has to recognise which account data he has given to pay the fees.
What are the best solutions?
EDIT:
Thank you all for your replies. I think we will really use a service provider that will store the account data and does all the other stuff like accounts receivable management.
Actually, leading on from my comment - your best bet might be to talk to your payment gateway. A lot of them operate a token system to allow people to collect regular payments without needing to store card details. User enters details once, they get stored at payment gateway, you get back a token, which you can then re-use to perform a repeat payment.
Given that scenario, you could then store just the last 4 digits of the card number: that should be enough for a user to recognise their card again if needed.
They're probably also a good first point of call for information relating to security and storage methods.
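The split that both the question's second solution and this answer describe, as an added example (this is not code from the question, the answer or any gateway's SDK): the web tier keeps only the last four digits plus an opaque reference, and the full account number is encrypted inside a separate vault whose keys the web project never holds. Since the question is about ASP.NET MVC 3, the example is C# using APIs available in .NET Framework 4. AES-256 in CBC mode with an HMAC-SHA256 tag (encrypt-then-MAC) stands in for the TripleDES the question mentions, which is a legacy cipher; the `AccountVault` class, the `StoredAccountRef` type, the in-process "vault" and the `Guid` used as a token are all assumptions standing in for a real gateway or vault service, and the account number and keys are constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical: the only account-related fields the web database holds.
public sealed class StoredAccountRef
{
    public string Last4 { get; set; }  // displayed to the user so they recognise the account
    public string Token { get; set; }  // opaque reference issued by the gateway/vault
}

public static class AccountNumbers
{
    // The web tier derives the display suffix before handing the full number on.
    public static string Last4(string accountNumber)
    {
        if (string.IsNullOrEmpty(accountNumber) || accountNumber.Length < 4)
            throw new ArgumentException("account number too short", "accountNumber");
        return accountNumber.Substring(accountNumber.Length - 4);
    }
}

// Hypothetical vault. In a real deployment this runs as a separate service with its
// own database; the web project has no rights to it and never sees the keys.
public sealed class AccountVault
{
    private const int IvLen = 16, TagLen = 32;
    private readonly byte[] _encKey, _macKey;   // 32-byte AES-256 key, 32-byte HMAC key

    public AccountVault(byte[] encKey, byte[] macKey)
    {
        if (encKey == null || encKey.Length != 32) throw new ArgumentException("need 32-byte key", "encKey");
        if (macKey == null || macKey.Length != 32) throw new ArgumentException("need 32-byte key", "macKey");
        _encKey = encKey; _macKey = macKey;
    }

    // Encrypt-then-MAC. Output layout: IV (16) || AES-CBC ciphertext || HMAC-SHA256(IV || ciphertext) (32).
    public byte[] Protect(string plaintext)
    {
        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Key = _encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                                  // fresh random IV per record
            byte[] pt = Encoding.UTF8.GetBytes(plaintext);
            byte[] ct;
            using (ICryptoTransform enc = aes.CreateEncryptor()) ct = enc.TransformFinalBlock(pt, 0, pt.Length);

            byte[] blob = new byte[IvLen + ct.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, IvLen);
            Buffer.BlockCopy(ct, 0, blob, IvLen, ct.Length);
            using (var hmac = new HMACSHA256(_macKey))
                Buffer.BlockCopy(hmac.ComputeHash(blob, 0, IvLen + ct.Length), 0, blob, IvLen + ct.Length, TagLen);
            return blob;
        }
    }

    public string Unprotect(byte[] blob)
    {
        if (blob == null || blob.Length < IvLen + 16 + TagLen) throw new CryptographicException("blob too short");
        int bodyLen = blob.Length - TagLen;
        byte[] expected;
        using (var hmac = new HMACSHA256(_macKey)) expected = hmac.ComputeHash(blob, 0, bodyLen);
        if (!FixedTimeEquals(expected, blob, bodyLen))
            throw new CryptographicException("authentication failed"); // tampered, truncated or wrong key

        byte[] iv = new byte[IvLen];
        Buffer.BlockCopy(blob, 0, iv, 0, IvLen);
        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Key = _encKey; aes.IV = iv; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen));
        }
    }

    // No early exit, so the comparison time does not reveal where the tag first differs.
    private static bool FixedTimeEquals(byte[] a, byte[] b, int bOffset)
    {
        if (bOffset + a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[bOffset + i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];   // demo keys; a real vault loads them from its own key store
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }
        var vault = new AccountVault(encKey, macKey);

        string submitted = "DE89370400440532013000";          // constructed IBAN-shaped sample, not a real account
        byte[] blob = vault.Protect(submitted);                // vault side: full number encrypted at rest
        string token = Guid.NewGuid().ToString("N");           // placeholder for the token a gateway/vault returns

        var webRow = new StoredAccountRef { Last4 = AccountNumbers.Last4(submitted), Token = token };
        Console.WriteLine("web DB row: last4={0} token={1}", webRow.Last4, webRow.Token);
        Console.WriteLine("vault resolves token and decrypts: {0}", vault.Unprotect(blob));

        blob[20] ^= 0x01;                                      // flip one ciphertext byte
        try { vault.Unprotect(blob); } catch (CryptographicException) { Console.WriteLine("tampered blob rejected"); }
    }
}
```

The point of the layout is that a compromise of the web database yields only `Last4` and a token that is useless without the vault's keys, while the billing job that collects the fees runs next to the vault and is the only component that ever calls `Unprotect`. With a payment gateway's token service as the answer suggests, the `AccountVault` disappears entirely and `Token` is whatever reference the gateway hands back.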