April 21, 2021

Best practice and standards for US Social Security Numbers?

I have a new client in the education industry that is trying to take their application process online. Because governmental financial aid is part of their program, collecting SSNs is required. I primarily work in the ecommerce and supply chain space and have years of PCI compliance and dealing with CC#s but this SSN thing is a whole new animal.

With that, I am having a hard time finding best practices we can use to ensure we are not opening ourselves up to neglect and that we are as responsible and ethical as we possibly can. Where should I be doing my research?

Do SSNs fall under ISO? NIST? HIPAA?

Just need to be pointed in the right direction. Thanks!

edit: To help put my vague question into a little more context, I am looking for the security standards for collecting SSNs online, as in: A **security** standard is “a published specification that establishes a common language, and contains a technical specification or other precise criteria and is designed to be used consistently, as a rule, a guideline, or a definition.”



There’s so much missing from this post no one can give you a worthwhile answer. Do yourself and your company a favor: if you are actually doing this for a production system then you should be in contact with an attorney or at least a security compliance expert that can guide you through all the regulatory compliance requirements you may have for your industry and use case. Your required controls will vary widely depending on jurisdiction, industry, maybe even your own insurer…


ISO and NIST are just frameworks, not regulations. HIPAA does have a lot to say about SSN, but only in the context of payer/provider/clearinghouse relationships. You’d probably want to check with what the privacy laws in applicable jurisdictions have to say.

Generally, treating it like PCI protected data will probably cover most of your need.


Start with the statutory, regulatory and contractual requirements for this data and go from there.

If that proves time-consuming, consider talking to your lawyer or the client’s lawyer.


They are PII and covered by a ton of different privacy and breach notification laws. If you have to collect them, encrypt them at rest and during transmission. If you want a more specific answer, you would need to provide quite a bit more information than I would recommend on a public post on any website.

My recommendation is to contact a security company that can advise you. But I am biased as I own one. :)
