APP045: Data Protection in Transit

Is data at the Confidential level or above (including Authentication data) protected during transmission in accordance with CISS and with an EATDS-approved solution?

Guidance: Appendix A.1 establishes requirements as to when bank information must be encrypted. The following table describes the encryption requirements. For transmissions involving Confidential PII or Restricted data, encryption must be performed on an application-to-application/server-to-server basis.

The transmission of data can take many forms including, but not limited to, Electronic File Transfers (e.g. FTP, NDM), Web Traffic, E-mail, and Inter-Process Communications (e.g. application to application) using various protocols.

Confidential or Confidential PII data must be encrypted when transmitted within or persistently stored in a non-bank managed Infrastructure that does not meet bank Security Standards as demonstrated by a TPISA assessment, as well as when a TPISA assessment has not been completed.

Confidential PII data used for identity verification (examples include, but are not limited to, transaction history, credit information, address, etc.) is not subject to the additional encryption requirements for authentication data.

For all new and existing internal or external applications that went into production on or after 2012, Confidential PII must be encrypted using EATDS-approved end-to-end encryption software or tool.

Confidential PII and Restricted PII transmitted between all application components and directly transmitted to any other existing application(s) within the bank network. Downstream applications that do not directly interact with the new applications do not need to comply. This requirement applies to all new and existing applications that went into production on or after April 1, 2012.

  • JE

    QuickView uses the Microsoft Windows Infrastructure to protect data in transit. You can enable transport or message security. Transport security will work with traffic within Windows domains, while message security will work in any environment. For message security you can use the MicroMedia certificate provided or choose your own. Please refer to the Encrypting Communications page on how to select your encryption method.

    You can confirm the type of encryption being used by viewing the Security and Certificate x.509 entries in the System Information page:

    Finally, you can use a network protocol analyzer, such as Wireshark, to review the TCP packets.

January 21, 2021 05:42 PM