Best practices when adding a new receive-only customer to my account

Hi, so right now I am trying to add new receive-only customers to my account with their funding sources using my own UI, What is the best practice when doing that? Do I have to encrypt the bank information before sending them to my server and then decrypt them later when it hit my server? (I did not use Dwolla.js in the frontend)

Also, I want to let customers be able to view what their “saved” routing and account number look like, however, I see that Dwolla has no API to fetch this information. So I would have to store this information in my database, what would be the best way to do this? Let’s say the number is 121234561234, Should I only store the first few digits 12 and last few digits 1234 in the database, and make it look like 12*****1234 in the frontend? Or should I store the whole number and encrypt it in my database then present it like 12*******1234?

Please let me know what the best practices for these are because I am not familiar with processing sensitive data and would appreciate any help and advice. Thanks!

Hi @Smith_W!

We need to ensure that sensitive information, such as PII, is being encrypted both in-transit and at-rest. Other than that, storing the full account number vs just the first and last few is dependent upon your use case. If you will only ever be using the account number to display a masked number to your users, then you may want to store just the masked number in an encrypted form.

For more detailed information on encryption, please refer to the integration guide found in your Production dashboard’s Launchpad.

1 Like

Hi Shreya, thats some good advice you gave there, definitely learnt a lot. Also, since you advice to encrypt the data (routing number and account number) before sent to server to be added to funding source, what encryption npm library would you suggest I use in the frontend? (I do not have access to production account right now since it is not my own business, I am just helping to develop)
Again thanks for the advice.

Hi Smith,

I’m afraid I do not have any suggestions on an npm library for encryption. However, I’ve sent you a message with the text from our integration guide which talks about the encryption standards we look for! Hope that helps!

1 Like

Thanks, it helps a ton.

1 Like

Hi Shreya,
I have a follow-up question on this, if we decide we want to only store the last 3 or 4 digits of the routing number and account number for them to be able to at least identify their account, do we have to encrypt those 3 or 4 digits at rest as well?
I also sent this message in private as well just in case you didn’t see. Thanks!

Posting the answer here for reference:

The issue is that ACH account numbers do not have a defined length and can be as short as 4 digits in some cases. I would say the safe bet is to encrypt when storing any part of the account number.