How come there is no PCI for Bank account data?

By Avivah Litan | May 10, 2010 | 2 Comments

The credit card brands – mainly Visa and MasterCard – have done a good job (depending on your point of view) driving security awareness and system upgrades among most companies that accept or process payment cards by making PCI DSS compliance mandatory.

I’ve often wondered why a similar bank consortium has not exercised the same muscle around the protection of bank account numbers and related data. As a consumer, I’m much more worried about the theft of my bank account information than I am about my credit card data. I have far fewer protections against most potential robberies of my bank account than I do if someone steals my payment (credit) card.

Even the crooks value bank account data much more than payment card data. Depending on the exact information in the stolen record, bank account info sells for at least ten times more than payment card info does on the black market. After all, it’s generally much easier to turn stolen bank account information into cash than it is to turn a credit card record into cash.

The answer to this question is quite simple: Visa and MasterCard represent highly organized and centralized payment systems that have lots of enforcement muscle – and a corollary does not exist on the U.S. bank/deposit account side. Also, losses have traditionally been much more frequent with payment cards than with direct assaults on bank accounts. But that seems to be changing, according to recent data on what banks consider the biggest upcoming threats.

Some of the more far-sighted enterprises I talk to plan to implement data protection around bank account numbers and data as well as payment card data at the same time they implement PCI-related security measures.

It’s a good idea to do that – even if a company is not obligated to do so under any external rules or regulations. Some outsourced payment service providers are starting to offer ‘tokenization’ of bank account numbers in addition to payment card numbers. That’s a good start and is easy for enterprises that outsource payment processing to take advantage of.



  • Great post!

    From an enterprise point of view, I think many companies are less concerned about their bank account data falling into the wrong hands because it has less external exposure than does payment card data – but this overlooks the threat posed from within the organization.

    Without tight controls on bank account data – including signers and limits – an insider could easily misuse company funds without anyone taking note (Satyam anyone?). This is why a centralized, comprehensive, and secure approach to bank account management is the first step to protecting your bank account data.

  • James Lin says:

    How does one take advantage of bank account data? When I write someone a check, isn’t my account number exposed?