zlacker

1. saberi+(OP) 2025-11-13 11:32:39
Passport or ID card scans would never be stored alongside general KYB information, e.g. the standard forms PSPs use.

If you read between the lines of the verbiage here, it looks like a general archived dropbox of stuff like PDF documents which the onboarding team used.

Since GDPR etc., items like passports, driving license data etc. have been kept in far more secure areas that low-level staff (e.g. people doing merchant onboarding) won't have easy access to.

I could be wrong but I would be fairly surprised if JPGs of passports were kept alongside docx files of merchant onboarding questionnaires.

replies(2): >>global+X2 >>nebezb+s7
2. global+X2 2025-11-13 11:58:08
>>saberi+(OP)
docx files of merchant onboarding questionnaires

Why would merchants fill out docx files? They would submit an online form with their business, director and UBO details, that data would be stored in the Checkout.com merchants database, and any supporting documents like passport scans would be stored in a cloud storage system, just like the one that got hacked.

If it was just some internal PDFs used by the onboarding team, probably they wouldn't make such a big announcement.

replies(2): >>bostik+f9 >>saberi+Jl
3. nebezb+s7 2025-11-13 12:32:21
>>saberi+(OP)
> Passport or ID card scans would never be be stored alongside general KYB information

How do you qualify this statement? Did you mean “should never”? Even then, you’re likely overstating things. Nothing prevents co-locating KYC/KYB information. On the contrary, most businesses conducting KYB are required to conduct UBO and they’re trained to combine them both. Register as a director/officer with any FSI in North America and you’ll see.

replies(1): >>saberi+ns
4. bostik+f9 2025-11-13 12:46:34
>>global+X2
If you are dealing with financial services (and payment provider most certainly would), you will be forced to interface with infuriating vendor vetting and onboarding questionnaire processes. The kinds that would make Franz Kafka blush, and CIA take notice for their enhanced interrogation techniques.

The sheer amount of effectively useless bingo sheets with highly detailed business (and process) information boggles the mind.

Some time ago I alluded to existence and proliferation of these questionnaires in another context: https://bostik.iki.fi/aivoituksia/random/crowdstrike-outage-...

5. saberi+Jl 2025-11-13 14:06:53
>>global+X2
Another person wrote a good response to this but yeah, I would say, as someone that has worked in fintech, you will almost always have some integrations with systems which require Microsoft word format, as well as obviously PDFs, CSVs, etc.

Every country you operate in has different rules and regulations and you have to integrate with many third party systems as well as governmental entities etc, and sometimes you have to do really really technically backwards things.

Some integrations I remember were stuff like cron jobs sending CSV files via FTP which were automatically picked up.

6. saberi+ns 2025-11-13 14:42:10
>>nebezb+s7
Fair point! Yeah, it could be. Although Europe tends to be stricter about those things, i.e. where PII is stored. I was trained way back in like 2018 about ensuring I never have any PII stored on my PC and around the requirements of the GDPR in terms of access to information and right to delete etc.
replies(1): >>wallet+GW2
7. wallet+GW2 2025-11-14 08:31:49
>>saberi+ns
Yeah, even in Europe this is an excessively optimistic take.

Couple of years ago I accidentally stumbled upon an open folder a fairly big Scandinavian bank was using to store tens of thousands of passport/ID scans.
