Storing Social Security Numbers and Credit Card Information

  • Question

  • Hello! Quick question!

    Is the encryption good enough to make you trust it with SSNs and CC information?

    If not, can someone please point me to some places where I could find a way to store this kind of information?

    This will be an accdb stored on the local HDD, and will only have a single user locally.


    Mediocre Access 2010 | (Baby) Beginner C Sharp | OK at Active Directory (2012 R2) | Fragmented understanding of DNS/DHCP | Laughable experience with Group Policy | Expert question asker on MSDN Forums

    Friday, May 6, 2016 1:04 PM

Answers

  • If there is no risk of the data being accessed remotely by any means when the user is working, then the risk of unauthorized access is transferred to the computer itself and the data therein. Unauthorized access can still be made if the computer is lost or stolen and you do not properly protect it. Encryption can be used to secure the file, but only as part of an overall security procedure.

    As to the legal aspect of storing this kind of information, I'm not a lawyer, but I suspect that if the computer and the data were not properly secured and an unauthorized breach occurred, you could be open to at least civil legal action from the people whose data was breached.

    Take extreme measures to secure the computer itself and its data.

    Friday, May 6, 2016 5:20 PM

All replies

  • No, no, no! An Access database is NOT secure enough whether it is encrypted or not. Store the data in SQL Server. But first read up on how to secure the SQL database. There are free versions available.

    Bill Mosca
    www.thatlldoit.com
    http://tech.groups.yahoo.com/group/MS_Access_Professionals

    Friday, May 6, 2016 2:45 PM
  • Hi. Much like Bill, I would also discourage storing sensitive information in an Access table. Just my 2 cents...
    Friday, May 6, 2016 3:29 PM
  • Is Access a safe front end for a properly encrypted MS SQL back end?

    Friday, May 6, 2016 3:51 PM
  • I guess it depends on where you are storing such information now.

    As you stated, LOCAL hard drive – not a network.

    I mean, you can type such info into a Word document, a text document, or into Access. All 3 at this point may or may not be secure enough for your needs.

    I mean, is this setup more secure than some file cabinet with a bunch of paper that anyone can open and look at?

    So you have to “define” the security goals. I mean, you can encrypt an Access database, and if someone has the password to open the database, then how much does the encryption do?

    I mean, same goes for using SQL Server. If everyone has rights to the SQL Server or the password, then again you have little security in such a sense.

    And since you are not talking about a network, then people can grab the mdf SQL file and read it directly.

    So “encryption” on its own often is not much security. And adopting SQL Server in which everyone has the password also helps little in this regard.

    And OFTEN one adopts SQL Server since users then don’t have the ability to read/open/copy/use the actual mdf (database) file. However, given you are talking about a stand-alone computer, then users will be able to grab + copy + open the data file without even launching SQL Server.

    So I guess this often comes down to company policies and issues that go beyond security.

    And I can’t say that running SQL Server on your laptop as opposed to Access is going to be that much more secure.

    Regards,

    Albert D. Kallal (Access MVP)

    Edmonton, Alberta Canada

    Friday, May 6, 2016 3:55 PM
  • So in your case, because a server is not available, physical security trumps encryption? The computer in question will be physically secure and there will be one user that accesses the data.

    I suppose my main deal is keeping it legal. I thought there were legal requirements for storing sensitive data of this type.

    I am sure the US differs from Canada in this respect, though.


    Friday, May 6, 2016 4:07 PM