Re: Does there need to be an obligation to "encrypt" ?
That in absolutely no way translates to an obligation to "encrypt"? This is much more to do with internal policy on access to data and how the public-facing components are designed, using industry-standard methods to protect the data from unauthorised access. If they have breached this, it would be a lack of policy or evidence suggesting they did not apply appropriate methods of protection to their public-facing servers. I do believe that the bank details should have been further protected; however, I would struggle to agree with any legal conviction based on this. Bank details are not covered by PCI-DSS.