APP045: Data Protection in Transit
Is data at the Confidential level or above (including Authentication data) protected during transmission in accordance with CISS and with an EATDS-approved solution?
Guidance: Appendix A.1 establishes the requirements as to when bank information must be encrypted. The following table describes the encryption requirements. For transmissions involving Confidential PII or Restricted data, encryption must be performed on an application-to-application (server-to-server) basis, i.e. between the communicating endpoints themselves rather than only on an intermediate network segment.
The transmission of data can take many forms including, but not limited to, electronic file transfers (e.g. FTP, NDM), web traffic, e-mail, and inter-process communications (e.g. application-to-application) over various protocols. Note that plain FTP carries credentials and file contents in cleartext; meeting this requirement for file transfers means using a protocol with transport protection (e.g. SFTP or FTPS) or an approved encryption layer applied to the data before transfer.
Confidential or Confidential PII data must be encrypted when transmitted within, or persistently stored in, non-bank-managed infrastructure that does not meet bank Security Standards, as demonstrated by a TPISA assessment, and also whenever a TPISA assessment has not been completed.
Confidential PII data used for identity verification (examples include, but are not limited to, transaction history, credit information and address) is not subject to the additional encryption requirements that apply to authentication data.
For all new and existing internal or external applications that went into production on or after 2012, Confidential PII must be encrypted using an EATDS-approved end-to-end encryption software or tool.
Confidential PII and Restricted PII must be encrypted when transmitted between all application components and when transmitted directly to any other existing application(s) within the bank network. Downstream applications that do not interact directly with the new application do not need to comply. This requirement applies to all new and existing applications that went into production on or after April 1, 2012.