Lovely - I work at a credit card processing company (not CardSystems!). We have annual training for all employees on PCI - Payment Card Industry security regs. Our IT department is required to conduct periodic security tests. All card numbers (PAN - Personal Account Number) on non-production systems are required to be masked (partially obscured) in every table of every database. We are not allowed to retain any personally indentifiable information for more than the few seconds it takes to verify a transaction. Etc. Etc. I'm sure management here would like to eliminate those costs but it is required and should be required of any organization with this type of information. The really sad thing is, there are hundreds of spreadsheets with customer info floating around unsecured. All those online orders you submit through SSL? Some are probably re-typed into Excel, including those super-secret, never-to-be-stored CCV digits on the back of your card.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/387/33170#33170