7Ağu
Collecting banking, credit-card statements from users
I want to build a service that collects user spending history with their permission. Users would send over (banking, credit card) account statements and I would extract, store the following information:
- Date
- Description of transaction
- Amount
- Account balance
Unfortunately, I noticed that credit card statements also contain the following information:
- The person's name
- The credit card number
- The banking institution's phone number
I do not store the latter information but it does travel through my system. If anyone were to gain access to the server that extracts this information, they could retain a copy.
I have the following questions:
- Is there a way to collect the desired information without risking the person's personal information?
- Can someone spend the user's money with this information? (If so, how?)
- Does my service have to be pci-compliant? I am processing information that contains the user's credit card number but (1) The client willingly handed it to me (2) I am not extracting this number (3) I am not a credit card company, a merchant, nor their supplier (4) I did not sign a PCI contract, nor do I believe I will have to do so.
- As far as I can tell, users are not liable for unauthorized spending on the their credit card and banking accounts so long as they do not give out their password (which they are not). In the case of unauthorized spending, is the user or my service liable for any lost funds?
