TalkTalk attack: 'No legal obligation to encrypt customer bank details', says chief

Anonymous Coward

PCI-DSS covers "Payment Cards" (clue is in the name) rather than Direct Debit / Bank Account / BACS data.

At-rest encryption (e.g. in database tables or the file system) is a PCI-DSS requirement (along with data-transfer encryption). All good stuff, but if your website application does not correctly parse ALL its input (defensive programming etc.) and allows SQL code to be injected and passed to the DBMS, then it could defeat all the encryption, because the injected query goes through the appropriate business logic and pulls out the data through the correct in-memory decryption routines (so no need to hack the keys).

There should however be access controls implemented to make the web front-end less trusted to the database than the backend financial processing systems. For example, although credit-card and/or Direct Debit details can be WRITTEN to the database when a user updates their details, there is NO good reason to allow the front-end to READ the WHOLE of the details back, only partial details (e.g. a masked copy in a different table) need be shown back to the user. Having the web front-end mask the full details is not good enough.
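The write-full / read-masked split described in this comment, as an added example in PostgreSQL (not code from the comment, The Register, or TalkTalk); the table, view and role names are made up for illustration, and encryption at rest is assumed to be handled separately:

```sql
-- Added example (PostgreSQL). Run as the schema owner / superuser.
-- Goal: the web tier can store Direct Debit details but can never SELECT
-- them back in full, so an injected query in the front-end cannot read them.
CREATE TABLE payment_details (
    customer_id integer     PRIMARY KEY,
    sort_code   char(6)     NOT NULL,
    account_no  char(8)     NOT NULL,
    updated_at  timestamptz NOT NULL DEFAULT now()
);

-- Masked copy, built in the database rather than by the web front-end.
-- The view runs with its owner's rights (the default, security_invoker off),
-- so readers of the view need no privilege on the underlying table.
CREATE VIEW payment_details_masked AS
SELECT customer_id,
       repeat('*', 4) || right(sort_code, 2)  AS sort_code_masked,
       repeat('*', 6) || right(account_no, 2) AS account_no_masked,
       updated_at
FROM payment_details;

-- Web tier: write-only on the full table, read-only on the masked view.
CREATE ROLE web_frontend LOGIN;
GRANT INSERT, UPDATE ON payment_details TO web_frontend;
-- UPDATE ... WHERE customer_id = ? needs SELECT on the column it filters by;
-- a column-level grant gives exactly that and nothing more.
GRANT SELECT (customer_id) ON payment_details TO web_frontend;
GRANT SELECT ON payment_details_masked TO web_frontend;

-- Back-end financial processing: the only role that reads full details.
CREATE ROLE bacs_processor LOGIN;
GRANT SELECT ON payment_details TO bacs_processor;

-- Verification from the web tier's point of view.
SET ROLE web_frontend;
INSERT INTO payment_details (customer_id, sort_code, account_no)
VALUES (42, '123456', '12345678');                       -- allowed
SELECT * FROM payment_details_masked WHERE customer_id = 42; -- allowed, masked
SELECT sort_code, account_no FROM payment_details
 WHERE customer_id = 42;  -- ERROR: permission denied for table payment_details
RESET ROLE;
```

The last statement is the one an injected query in the web application would be reduced to: the DBMS refuses it regardless of how the front-end was tricked into issuing it, and the failed attempt shows up as a permission-denied error in the database log.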

Biting the hand that feeds IT © 1998–2021