Guidelines for Developing and Hosting Secure Online Forms for Banks and Credit Unions
InetSolution provides not only secure website hosting for banking sites but also application development and security consulting. Even with all of the security awareness present in the financial industry, the overwhelming majority of banks and credit unions fail our basic website form security audit. At a bare minimum, any form that collects information from visitors to your website should meet these criteria.
- The page on which the form resides must force the browser into 128-bit or higher SSL encryption. Attempts to load the page over plain HTTP should automatically redirect the browser to an HTTPS connection. This redirect must be performed server-side rather than client-side so that it cannot be bypassed.
- The form should store all input directly to a database. That database must exist outside the website root folder and preferably on a separate database server that is not directly accessible from the Internet.
- All sensitive form data, such as social security numbers or account numbers, must be encrypted using strong encryption when stored inside the database. The data should always remain encrypted while at rest using a security product like our MemberProtect®.
- Under no circumstances may the form transmit sensitive input data through clear-text email, nor may it store any form data in a folder accessible via the Internet. This includes activity logs and error reports stored on the file system as text files.
- All form viewers must require a username and a complex password to view data, and form viewers must require 128-bit or higher SSL encryption. Ideally the form viewers will use risk-based authentication measures to further protect access.
- The form viewer authentication system must maintain a log that captures, at a minimum, the user, logon date & time, logoff date & time and pages accessed during each user session.
- The application must have an automatic data purge routine that fully deletes sensitive form input data from the database no more than 30 days after the date it was collected. We recommend seven days.
- Code exploitation is a leading cause of data theft and destruction in web-enabled applications. All applications that accept and store personally identifiable customer data must be tested for SQL Injection, Cross-Site Scripting and other known security vulnerabilities common to web applications.
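The encryption-at-rest and data-purge criteria above, worked through in Go as an added example (this is not InetSolution's code or the MemberProtect® API): a sensitive field is sealed with AES-GCM under a fresh nonce before it is written, a tampered or truncated record fails to open, and a purge routine keeps only records still inside the retention window. The key store, the database and the web framework are assumed and not shown.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)
// Submission is one stored form record; no plaintext sensitive field is kept.
type Submission struct {
	ID        int
	Collected time.Time
	Sealed    []byte // nonce||ciphertext||tag of a field such as an SSN
}

// NewFieldAEAD builds AES-GCM from a key assumed to live in a key store outside the web root.
func NewFieldAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one field under a fresh random nonce, prepended to the output.
func SealField(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenField reverses SealField; a modified record fails the GCM tag check.
func OpenField(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed value too short")
}

// Purge keeps submissions collected within retention (ceiling above: 30 days; recommended: 7 days).
func Purge(records []Submission, now time.Time, retention time.Duration) (kept []Submission) {
	for _, r := range records {
		if now.Sub(r.Collected) <= retention {
			kept = append(kept, r)
		}
	}
	return kept
}
```

Callers delete from the database every record that Purge does not return, and the purge job itself should run outside the web root on the same schedule as the retention window.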
This is not an exhaustive list and several of the concepts, especially number eight, are topics that require even more in-depth analysis and evaluation criteria. But since such a small percentage of bank, credit union and e-commerce websites achieve even 25% of the items on this list, you should immediately evaluate any forms on your website today to determine if they meet these nine criteria.
If your forms are hosted by a third party, as many small bank and credit union applications are, do not assume that your provider meets or even knows about these criteria. Our experience has been that most third-party hosted forms do not score any better than self-hosted forms.