TalkTalk incident management: A timeline

Peter X

Re: christ

Not wishing to detract from beating up TalkTalk, but since people here might have an answer, I have a question...

Q. Why don't credit-card companies tell providers NOT to store card details ever, and instead, issue them a token on receipt of a valid card number? E.g.

Customer (unwisely) decides to sign up with TalkTalk. Enters their contact details and card number on the TT website and agrees to (say) a sign-up fee of £X and recurring debits of ~£Y based on call-usage etc.

For £X, since it's a one-off, TT don't need to store a card number. For ~£Y they do currently because they need to debit the customer (usually) once a month. So instead the card company supplies a token (like a disposable card number) but this one is constrained such that ONLY TT can use it... so even if it leaks, it's useless. And it could be further constrained by number of debits per month, or limited value ranges.

I've wondered this for years... basically whenever a leak ends up in the news. It's an obvious solution, so I'm guessing there's a good reason it's not implemented?
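
The scheme proposed in the comment above, sketched as an added example that is not part of the original post and is not any card network's actual API: an issuer-side vault hands the merchant a random token bound to one merchant, an amount range and a monthly debit count. The names `IssuerVault`, `TokenPolicy` and the merchant IDs are hypothetical, the card number is a constructed test value, and the merchant ID is assumed to be authenticated by the payment channel rather than self-declared.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class TokenPolicy:
    pan: str                    # real card number, held only by the issuer
    merchant_id: str            # the only merchant allowed to present the token
    min_pence: int              # lowest amount a single debit may take
    max_pence: int              # highest amount a single debit may take
    max_debits_per_month: int
    debits: dict = field(default_factory=dict)   # "YYYY-MM" -> debits so far

class IssuerVault:
    """Hypothetical issuer side: maps opaque tokens to cards and their limits."""
    def __init__(self):
        self._tokens = {}

    def issue_token(self, pan, merchant_id, min_pence, max_pence, per_month):
        # Random value, not derived from the PAN, so a leaked token reveals nothing.
        token = "tok_" + secrets.token_hex(16)
        self._tokens[token] = TokenPolicy(pan, merchant_id, min_pence,
                                          max_pence, per_month)
        return token

    def authorise(self, token, merchant_id, amount_pence, month):
        # merchant_id is assumed to come from the authenticated acquirer link.
        policy = self._tokens.get(token)
        if policy is None:
            return "DECLINE: unknown token"
        if policy.merchant_id != merchant_id:
            return "DECLINE: wrong merchant"
        if not policy.min_pence <= amount_pence <= policy.max_pence:
            return "DECLINE: amount out of range"
        if policy.debits.get(month, 0) >= policy.max_debits_per_month:
            return "DECLINE: monthly debit limit reached"
        policy.debits[month] = policy.debits.get(month, 0) + 1
        return "APPROVE"

def demo():
    vault = IssuerVault()
    # Constructed sample data: test card number, £5 to £60 per debit, one a month.
    token = vault.issue_token("4111111111111111", "talktalk", 500, 6000, 1)
    return [
        vault.authorise(token, "talktalk", 2500, "2015-11"),      # normal bill
        vault.authorise(token, "talktalk", 2500, "2015-11"),      # second in month
        vault.authorise(token, "someone-else", 2500, "2015-12"),  # leaked token
        vault.authorise(token, "talktalk", 90000, "2015-12"),     # outside range
        vault.authorise(token, "talktalk", 2500, "2015-12"),      # next month's bill
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```

The merchant stores only the token, so a database leak exposes values that are declined for anyone else and capped even for the merchant itself.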
