Re: Does there need to be an obligation to "encrypt" ?
Correct - but I believe that there IS a requirement to encrypt Credit Card details and if it is the case that these were un-salted in file storage, then the PCI sphincter police will be all over them come audit time.
The technicalities in my mind matter little. This is the equivalent of me putting my most valued possessions in the porch of my house and hoping that the very standard Yale lock never gets picked. Talk Talk deserve everything they get from this since 3 times in 1 year IS criminal in the eyes of compliance police.