Reply to post: Re: Does there need to be an obligation to "encrypt" ?

TalkTalk attack: 'No legal obligation to encrypt customer bank details', says chief

Anonymous Coward
Anonymous Coward

Re: Does there need to be an obligation to "encrypt" ?

PCI-DSS are the set of requirements used by visa and mastercard, which includes debit and credit cards. The requirements vary depending upon what you are doing with the card data.

Card holder data needs to be protected, card holder data is card number, cvc2 and expiry, name address etc if accompanied with any of the actual card data, along with track data and pin if you are in card production (what I am, along with fraud detection).

Card holder data needs to be encrypted, allowed encryption and minimum key lengths are provided in the PCI-DSS requirements. The card number itself can be tokenised, allowing processing to be done with the tokenised card number, along with a partial card number so that the card type and which card (for end user) can be recognised. This token then can be used when payment processing is required by a separate system.

Key encryption keys are to be stored securely for example within an HSM.

Card data should only be decrypted when needed. Full card number should never be visible to any user.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021