Taking SSN & Drivers License # + Pictures Using an online form?

A client wants me to build a rental form for his expensive equipment. Some of the fields he wants is space for social security number, social security card picture upload, drivers license number and drivers license picture upload. I know if you take a credit card # online, you get hammered if you are not pci compliant, but are there any liability issues when taking this kind of information? Any help greatly appreciated.

Speaking strictly as a consumer, and more ‘technically savvy’ than the average user, I would NEVER provide that information on a web form.
I suspect your client will have a difficult time getting people to use such a system - after paying you (I hope) to construct it.

Your due diligence may be to advise the client to poll their users and prospective users on how they would receive such a service.

solid advice, thanks. From a legal standpoint, is there anything wrong with this at all?

First off, I agree with ParkinT - any site that wanted that would be an immediate “Oh, H-E-double hockeysticks NO!”

Absolutely. Carrying that information and keeping it on a web accessible server is not only pushing the boundaries of PCI compliance, the company is just daring identity thieves to attack your site at will - everything being asked for is fodder for identity thieves.

I’m also not sure that copies of social security cards are even legal if not being used for proof of eligibility to work…that would be something that should be checked with a lawyer (as should the rest of these ideas).

There is no legitimate reason for him to ask for SS#s, credit card info sure, maybe a telephone number, but not SS#s

For that matter, why a drivers license? I can see if it was an in-person check, but online?

Sounds way too dodgy to me.

If he is doing background checks there are legit reasons to ask for SSNs and DLNs. I think storing images of drivers licenses can be a no-no depending on locale too.

That said, I would try to avoid handling that stuff at all. You are just asking for identity theft. A good way to scare the client out of this would be to do due dillignence on the level of hosting you’d need to support this – including dedicated servers and 24x7 monitoring by skilled, live, humans. It won’t be cheap and might scare them off of this.

How I would handle it web-wise is I’d accept people’s applications subject to “in-store approval.” How many do they reject now-a-days?