We recommend that credit card numbers, social security numbers, tax ID numbers and EFT bank account numbers be masked at all times unless a user has a specific need to see this information to perform their job duties. This means all screens, reports, queries, and exports should mask the data unless a direct need is indicated. The cases listed below demonstrate when a user would need access to the information.

Data Entry

  • Credit Card number
    • A credit card number can be entered in a payment record. A data entry user needs to be able to see a credit card number in the record when entering the information, but does not need to see the number when editing a record.
    • The Payment Card Industry (PCI) Data Security Standard states that a credit card authorization number should not be stored on records. It is best not to enter the number into the Financial Edge at all. If the authorization number must be entered until it is used to verify a payment, we recommend that the number be removed upon confirmation.
      For more information on PCI standards, refer to the PCI Security Standards Council.
  • Bank account number
    • EFT bank account numbers can be entered only if the optional EFT module is unlocked. The EFT bank account number can be accessed via a vendor record, client record, employee record, or student record. A data entry user needs to be able to see the EFT bank account number in the record when entering the information, but does not need to see the number when editing a record.
  • Social security number
    • Social security numbers can be entered in an employee record, student record, and vendor record (as a tax ID number). A data entry user needs to be able to see the social security number in the record when entering the information, but does not need to see the number when editing a record.
  • Tax ID number
    • Tax ID numbers can be entered only in a vendor record. A data entry user needs to be able to see the tax ID number in the record when entering the information, but does not need to see the number when editing a record.

Direct Debit Processing

  • EFT bank account number
    • When processing EFT transactions, a user does not need to see EFT bank information. The main need for viewing bank account numbers is for exception processing. Users who need to handle exception processing should be given view rights.
  • Social security number
    • Social security numbers are not used in EFT processing.

View/Data Validation

Credit card number/social security number/tax ID number/EFT bank account number

  • A user who validates data entered does need access to full credit card, social security, tax ID, or EFT bank account numbers. This may or may not be the person who actually enters the data.