Bank Accounts

Purpose

Manage one or more bank accounts for a shop: add accounts, edit details, mark one as primary, view full bank details, delete outdated accounts, and export account info to PDF for records or reconciliation.

🧭 What this feature shows

• Account list — concise list of saved accounts (bank name, masked account number, primary flag, short actions).

• Add / Edit form — fields for bank name, account holder, account number, IFSC, SWIFT, IBAN, branch address, country, routing / sort codes, BIC, notes, and a “primary” toggle.

• Account detail view — full readable record with creation timestamp and primary status badge.

• Actions — set account as primary, edit, delete (with confirmation), and download PDF of account details.

• Wizard UI — multi-step form that groups basic info, international fields and advanced options (optional).

• Help tooling — contextual help tooltips for fields (IFSC vs SWIFT vs IBAN) and a help modal.

👥 Who should use this

• Shop owners adding bank accounts for payouts or refunds.

• Finance staff who need to maintain multiple payout accounts (e.g., domestic + international).

• Admins who manage vendor or shop payment configurations and want a single place to manage bank details.

• Support agents preparing PDF exports for bank verification or reconciliation.

⚙️ How it works (high level)

1. Create / Edit — operator fills the wizard-style form and submits. Server validates required fields and saves the record scoped to the shop (place_id).

2. Primary account — marking an account primary unsets primary on other accounts for that shop (server-side logic should enforce a single primary).

3. View / Export — detail view shows masked account numbers and full metadata; PDF export renders a printable version of the account for offline records.

4. Delete / Safety — delete requests require confirmation; consider soft-delete if you want an audit trail.

5. Security — account numbers should be stored securely (consider encrypting sensitive fields at rest) and only displayed in full to authorized users; show masked numbers in lists.

🪜 How to use — step-by-step

1. Go to Dashboard → Bank Accounts for the shop.

2. Click Add Account to open the wizard: fill Bank Name, Account Holder, Account Number and mark Primary if desired.

3. Complete International Details (IFSC, SWIFT, IBAN, Branch Address, Country) if needed.

4. Optional: fill Advanced Options (routing number, sort code, BIC, notes). Save.

5. On the account list, use View to inspect details, Edit to update, Delete to remove (confirm), and PDF to export.

6. To change primary account, edit an account and toggle the Primary flag, or use a dedicated “Set primary” action if provided.

📊 How to interpret fields (actionable guidance)

• Bank Name / Branch — verify spelling; used for reconciliation and bank support calls.

• Account Holder — must match bank records (legal entity or person). Discrepancy causes payout rejections.

• Account Number / IBAN — IBAN preferred for international transfers; validate format before saving. Mask in lists (e.g., ****1234) to reduce accidental exposure.

• IFSC / SWIFT / BIC — country-specific routing codes: IFSC (India), SWIFT/BIC (international). These are critical for cross-border transfers.

• Routing / Sort Code — used primarily for US/UK domestic routing.

• Is Primary — payment system should use this account by default for payouts; ensure only one primary per shop.

• Notes — internal remarks (never store sensitive customer/account passwords or PINs here).

✅ Recommended actions (prioritised)

1. Validate critical fields on input — implement server-side validation for IBAN, IFSC, SWIFT length/format checks, and ensure account number contains allowed characters.

2. Enforce single primary — when saving an account as primary, atomically unset primary on other accounts for the shop.

3. Mask sensitive data in lists — show full account number only on the detail page to authorized roles.

4. Encrypt at rest — use field-level encryption (Laravel’s encryption or DB-level encryption) for account numbers and sensitive fields.

5. Audit trail — record created_by, updated_by, and deleted_by for compliance and troubleshooting.

6. Require confirmation on delete — use soft deletes if you need to recover deleted account details.

7. Limit who can export — restrict PDF export to finance/admin roles and log export events.

📤 Exporting & reporting

• Download PDF — export a single-account PDF that includes shop name, masked/full account details (depending on role), timestamps, and verifier signature fields if needed.

• Bulk export (optional) — CSV of account metadata for reconciliation (mask or exclude sensitive fields).

• Activity logs — log create/update/delete and primary changes; include operator id and timestamp.

🔒 Privacy & safety notes

• Do not store PINs, OTPs, or bank login credentials.

• Encrypt sensitive fields such as account numbers and IBANs at rest. Laravel’s encrypt() helpers or database encryption are good defaults.

• Access controls — only authorized roles (finance/admin) should view full account numbers or export PDF. Use role-based middleware.

• Mask values in UI for non-authorized users: e.g., show XXXX-XXXX-1234.

• Retention & deletion policies — if you store bank details for payout, ensure retention aligns with local laws and PCI-like best practices (though bank accounts are not card data, they are sensitive).

🧩 Troubleshooting & FAQs

Q: How do I change which account is primary? A: Edit the account and toggle “Primary.” Server logic should unset the primary flag on other accounts automatically. If not, use a dedicated “Set primary” action.

Q: Account number format rejected — what to check? A: Validate allowed charset (digits, spaces, dashes), trim whitespace, and confirm IBAN/IFSC format where applicable. Provide helpful validation messages.

Q: Should I store full account number in the DB? A: If you must (for payouts), encrypt it and limit read access. If not needed, store a token/reference from your payment provider instead.

Q: Can I attach bank verification documents? A: You can, but store uploads on protected storage with strict access controls. Avoid storing scanned IDs unless necessary and follow local privacy laws.

Q: Who can download the PDF? A: Only authorized finance/admin roles. Log export events and consider redacting in exports for lower-privilege users.

✅ Quick checklist

• Validate IBAN/IFSC/SWIFT format on save.

• Enforce one primary account per shop.

• Mask account numbers in lists; show full number only to authorized roles.

• Encrypt sensitive fields at rest.

• Use soft deletes or keep audit logs for deletions.

• Restrict PDF exports and log export actions.

• Do not store bank credentials or PINs.