Storing customer bank/card details

Unless your systems are particularly vulnerable to physical theft, you would have no difficulty whatsoever in persuading a judge that normal processing is perfectly fine.

Reply to
Alex Heney

The DPA.

It will.

That is the norm. It is what every large business I am aware of does with customer data.

Even very sensitive data, such as child protection registers held by councils is only protected that way.

Reply to
Alex Heney

Which is zero.

You may have discussed it with somebody claiming to be a computer security expert, but if he claimed that "appropriate" would not be satisfied by the above, then he was only a wannabe expert.

Reply to
Alex Heney

Oh right, based on what exactly?

Jim.

Reply to
Jim Ley

It isn't even a requirement, never mind a "minimum" one.

It might be a good idea with PC based systems, although proper passwording and restricted access to the data (which would presumably be held in a database, not plain text files) will more often than not be sufficient, even there.

It isn't even a particularly good idea with anything else.

Reply to
Alex Heney

Odd, I don't know of a single internet company that does that with credit card data, nor a bank that would accept it as part of their conditions.

I would love to see that challenged in court in the event of a compromise, though of course such data is not at large risk, unlike credit card data, which is regularly stolen. I am sure the children would be getting a large payout.

Jim.

Reply to
Jim Ley

Again, based on what?

Jim.

Reply to
Jim Ley

The Payment Card Industry Data Security Standard at

| 3.4 Render sensitive cardholder data unreadable anywhere it is stored
| (including data on portable media, backup media, in logs, and data
| received from or stored by wireless networks) by using
| any of the following approaches:
|  .. One-way hashes (hashed indexes), such as SHA-1
|  .. Truncation
|  .. Index tokens and PADs, with the PADs being securely stored
|  .. Strong cryptography, such as Triple-DES 128-bit or AES 256-bit with
|     associated key management processes and procedures.
|
| The MINIMUM account information that needs to be rendered
| unreadable is the payment card account number.

Which looks to me like Visa certainly consider it a minimum requirement, and certainly all banks I've ever been involved with in the UK require similar.

Why are you so confident this is not the case?

Jim.

Reply to
Jim Ley
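The four approaches in the quoted requirement 3.4, written out in code as an added example (not part of the thread or of the standard's own material), together with the check a practitioner would want before picking the first one: an unkeyed SHA-1 "hashed index" of a card number is brute-forceable whenever the truncated form (first 6 / last 4) is stored in the same database, because the Luhn check digit fixes one of the remaining digits and only 10**5 candidates are left. The sample PAN is a published Visa test number, the token vault is a dict standing in for a separately secured store, and the HMAC key is a placeholder; standard library only.

```python
"""Added example (not from the thread): the PCI DSS 3.4 approaches quoted
above in code, plus a demonstration that a bare SHA-1 "hashed index" of a
PAN is recoverable when the truncated PAN sits in the same table."""
import hashlib
import hmac
import secrets

# Constructed sample input: a published Visa test number, not a live card.
SAMPLE_PAN = "4012888888881881"

# Luhn doubling table: 2*d, minus 9 when the product exceeds 9.
DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_valid(pan):
    """Standard Luhn check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        total += DOUBLED[d] if i % 2 else d
    return total % 10 == 0


def truncate(pan):
    """Truncation: keep the BIN (first 6) and last 4, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sha1_index(pan):
    """The unkeyed 'hashed index, such as SHA-1' that 3.4 lists."""
    return hashlib.sha1(pan.encode()).hexdigest()


def hmac_index(pan, key):
    """Keyed alternative: same lookup property, useless without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: the application keeps a random token, the vault keeps
    the PAN (a dict here, standing in for a separately secured store)."""

    def __init__(self):
        self._pans = {}

    def tokenize(self, pan):
        token = secrets.token_hex(16)  # random, no relation to the PAN
        self._pans[token] = pan
        return token

    def detokenize(self, token):
        return self._pans[token]


def recover_pan(bin6, last4, target_sha1, middle_len=6):
    """Attacker view: given the truncated PAN and the unkeyed SHA-1 of the
    full PAN, enumerate the hidden middle digits.  Luhn fixes one of them,
    so a 16-digit PAN leaves 10**(middle_len-1) candidates to hash."""
    solved_idx = len(bin6) + middle_len - 1  # the digit Luhn decides
    total_len = len(bin6) + middle_len + len(last4)
    doubled_pos = (total_len - 1 - solved_idx) % 2 == 1
    for n in range(10 ** (middle_len - 1)):
        digits = list(bin6 + str(n).zfill(middle_len - 1) + "0" + last4)
        # Luhn sum with the solved digit set to 0 (contributes 0 either way)
        total = 0
        for i, ch in enumerate(reversed(digits)):
            d = ord(ch) - 48
            total += DOUBLED[d] if i % 2 else d
        need = (-total) % 10
        digits[solved_idx] = str(DOUBLED.index(need) if doubled_pos else need)
        candidate = "".join(digits)
        if hashlib.sha1(candidate.encode()).hexdigest() == target_sha1:
            return candidate
    return None


if __name__ == "__main__":
    print("truncated :", truncate(SAMPLE_PAN))
    print("sha1 index:", sha1_index(SAMPLE_PAN))
    # What an attacker holding the truncated PAN and the SHA-1 column gets:
    print("recovered :", recover_pan("401288", "1881", sha1_index(SAMPLE_PAN)))
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print("token     :", tok, "->", vault.detokenize(tok))
    print("hmac index:", hmac_index(SAMPLE_PAN, b"placeholder-key"))
```

The point of `recover_pan` is that "hashed" and "truncated" are each acceptable on their own in the quoted text, but storing both for the same card turns the hash into a 10**5-entry lookup. A keyed hash (`hmac_index`) or a random token from a vault keeps the lookup property without that weakness, provided the key or the vault is held somewhere the application database is not.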

Well there are a few groups he could try, such as uk.comp.security, or alt.computer.security, or comp.security.misc.

Reply to
Alex Heney

In message , Jim Ley writes

I think you have no knowledge of small users such as IFAs, GPs' surgeries, local councils, dentists, solicitors, opticians, etc. I don't believe any of their stuff is encrypted, yet they all hold potentially very private data indeed.

Reply to
John Boyle

Which of these are handling credit card details?

Yes, but there is very low danger of it being stolen and used expensively, unlike credit cards. I don't believe the majority of such stuff should be encrypted (other than the medical details and the council at-risk data we've discussed), but the topic at hand is credit card details on internet servers. Those should be.

Jim.

Reply to
Jim Ley

In message , Jim Ley writes

I agree, but I was challenging your assertion - " I would expect all personal data to be encrypted beyond something basic like name/email address." Do you still stand by that in the circs I described?

Reply to
John Boyle

I would expect it, yes. I wouldn't be surprised that most organisations don't, but I would expect it. I'm not so sure what the courts or the Information Commissioner would think; it's the sort of thing that is only likely to be tested once something embarrassing happens.

Fortunately whilst most of the personal data you list is highly personal, it has very little value so is not really worth anything in the general case, so for specific people it's much easier to just pay off a bent policeman or council worker etc. to get the individual data, rather than bothering to secure the machine.

Jim.

Reply to
Jim Ley

In message , Jim Ley writes

That would put a huge overhead on many businesses that are now only holding the same data on a PC that was previously held in filing cabinets. Also, AIUI, the DPA does not differentiate between paper and electronic data storage methods. So should handwritten details of credit cards, and the data held in the manner described above, also be encrypted? Would I need to employ Bletchley Park to do this by hand for me?

Why would *you* expect encryption? (putting court opinions to one side)

What input does this have to the point?

Reply to
John Boyle

Well the only place I have worked directly on customer payment systems certainly did.

The data was held in an ICL IDMSX database, but was not otherwise encrypted.

This was the Direct Debit payment system for Hyder domestic Electricity supplies. (and did include the AUDACS electronic DD system, so no paper forms were necessary).

Also the payroll system I worked on at another company had the bank details of the employees, for payment purposes, and those were not encrypted.

And the Social Services systems that contain bank account details (usually for payments to people in their care or the carers) do not have them encrypted.

I have worked on computer systems containing sensitive customer data for several other organisations, even if not actual banking details, and I have never come across one where the data was encrypted.

In some ways, the risk is more serious.

I agree there are not going to be as many people trying to get at it, but the consequences of the wrong person getting that data could be worse.

Reply to
Alex Heney

Experience.

If there was a general requirement to encrypt sensitive customer data, then most large organisations would do so. But they don't.

Reply to
Alex Heney

No, the act requires that "appropriate" security measures are in place.

In *general*, making sure that access to the data is properly secured by access restrictions, together with physical security of the location(s) where the computers actually are will suffice for electronic data.

While just the physical security aspect would be required for paper files.

Reply to
Alex Heney

We're talking about Credit card numbers here, not "sensitive customer data" in the general case... Especially as I'm sure you're not using sensitive in the DPA's definition, as most large organisations don't collect such stuff.

Jim.

Reply to
Jim Ley

Neither of which are credit cards, so I'd say pretty irrelevant for you to speak with such authority on the subject.

Jim.

Reply to
Jim Ley

No it wouldn't; encryption is essentially cheap, certainly cheap as a proportion of the cost of the rest of the system.

Because it's cheap and trivial to implement, and as the act requires you to take into account the state of technological data, it's a reasonable step.

The cost and value of obtaining data is highly relevant to the decisions on how to protect it. A collection of credit cards is valuable because all of them can be used fraudulently; information about individuals related to their health or criminal records is only relevant in the individual case, so the threats to the data are different.

Jim.

Reply to
Jim Ley
