Data Security, Encryption, and Compliance Frameworks

1. Data Security: Overview and Principles

Data security involves protecting digital data from unauthorized access, corruption, theft, or
loss throughout its lifecycle (creation, storage, processing, transmission, and destruction). In
banking, payments, and cloud environments, robust data security is not just good practice—
it’s a regulatory and reputational imperative.

Core Principles (the CIA Triad):

 Confidentiality: Preventing unauthorized access or disclosure of information.

 Integrity: Ensuring data remains accurate, consistent, and unaltered (except by
authorized actors).
 Availability: Ensuring data is accessible to authorized users when needed.

Other Key Concepts:

 Authentication: Verifying user or system identity (e.g., passwords, biometrics,

tokens).
 Authorization: Granting access to data or resources based on roles, permissions, and
policies.
 Non-repudiation: Guaranteeing that actions or transactions can’t be denied after the
fact (e.g., digital signatures, logging).
 Auditability: Keeping detailed logs and audit trails for monitoring and compliance.

2. Encryption: Core to Data Security

Encryption is the process of converting data into a coded format to prevent unauthorized
access, even if the data is intercepted or stolen.

Types of Encryption:

 At Rest: Data is encrypted on disk/storage (e.g., database files, file systems, backups).
 In Transit: Data is encrypted during transmission between systems (e.g., using
TLS/SSL for HTTPS, SFTP, VPNs).
 End-to-End: Only sender and intended recipient can decrypt the message/data
(common in secure messaging, some payment flows).

Common Encryption Standards:

 AES (Advanced Encryption Standard): The industry standard for symmetric

encryption; used in most modern systems for both at-rest and in-transit data.
 RSA/ECC (Asymmetric Encryption): Used for digital signatures, secure key
exchange, and some secure messaging.
  TLS/SSL: Protocols for securing data in transit over networks (web, APIs, file
transfer).
 PGP/GPG: Often used for encrypting email and files end-to-end.

Key Management:

 Securely storing, rotating, and managing encryption keys is just as important as

encryption itself.
 HSMs (Hardware Security Modules): Devices dedicated to secure key
management, common in banking and payments.

Tokenization & Masking:

 Tokenization: Sensitive data (e.g., credit card numbers) is replaced with non-
sensitive tokens that map back to the real value in a secure vault.
 Masking: Displaying only partial data to users (e.g., showing last 4 digits of a card
number).

3. Compliance Frameworks: GDPR, PCI DSS, and Beyond

A. GDPR (General Data Protection Regulation)

 What is GDPR?
The European Union’s regulation for data protection and privacy, in force since 2018.
Applies to any organization processing EU residents’ personal data, regardless of
location.
 Core Requirements:
o Lawful basis for collecting/processing data (consent, contract, legal obligation,
etc.).
o Data minimization—only collect what’s necessary.
o Right to access, rectify, erase (the “right to be forgotten”), and port personal
data.
o Data breach notification: Must notify authorities and affected individuals
within 72 hours.
o “Privacy by design and by default”—security and privacy must be built in
from the outset.
o Data Protection Impact Assessments (DPIAs) for high-risk processing.
o Appointment of a Data Protection Officer (DPO) for many organizations.
 Security Implications:
o Encryption and pseudonymization are strongly recommended.
o Strict controls on cross-border data transfers.
o Regular security testing, audits, and access reviews.
 Penalties:
Up to €20 million or 4% of annual global turnover (whichever is higher).

B. PCI DSS (Payment Card Industry Data Security Standard)

  What is PCI DSS?
A global standard for securing payment card data (e.g., Visa, Mastercard, Amex),
mandatory for all entities that store, process, or transmit cardholder data.
 Core Requirements:
o Build and maintain a secure network (firewalls, no vendor defaults).
o Protect cardholder data (encryption, masking, secure storage).
o Maintain a vulnerability management program (antivirus, patching).
o Implement strong access controls (unique IDs, least privilege, physical
security).
o Monitor and test networks (logging, regular penetration testing).
o Maintain an information security policy.
 Key Data Elements:
Cardholder data (PAN, expiration date, CVV) must be encrypted and access strictly
controlled.
 Auditing and Compliance:
Annual validation, quarterly scans, documentation, and incident response plans
required.
 Penalties:
Fines, suspension of payment processing privileges, legal action, and reputational
damage.

Other Frameworks (Mentioned as Needed in Interviews):

 SOX (Sarbanes-Oxley Act): Focuses on internal controls for financial reporting.

 GLBA (Gramm-Leach-Bliley Act): Financial privacy and security in US banking.
 PSD2 (Payment Services Directive 2): EU regulation requiring strong customer
authentication (SCA), data access, and security for payments.

4. How It All Comes Together: Payments and Banking Context

 Payment systems and banks must secure data at every step: at rest in databases, in
transit over networks, and during processing.
 Encryption and tokenization protect sensitive fields (card numbers, personal
identifiers, account details).
 Compliance is not optional—failure to comply with GDPR, PCI DSS, and others can
result in operational shutdown and heavy fines.
 Audit and Monitoring: All access, transmission, and modification of sensitive data
must be logged and regularly reviewed.

5. Key Interview Talking Points

 Data security is critical to protect customer trust, maintain regulatory compliance, and
avoid breaches.
 Encryption—at rest, in transit, and end-to-end—is essential, with robust key
management and regular audits.
  GDPR mandates privacy by design, transparency, user control over data, and rapid
breach notification.
 PCI DSS requires strict controls, regular audits, and technical and operational
measures to secure payment card data.
 In modern payments and cloud-native systems, compliance and security are "baked
in" from architecture to daily operations—leveraging automation, continuous
monitoring, and proactive risk management.
 Failure to adhere to these standards can result in legal penalties, operational losses,
and reputational harm.

6. Current Trends and Best Practices

 Zero Trust Security: Never trust, always verify—every device, user, and transaction
must be authenticated and authorized.
 DevSecOps: Embedding security into every stage of the software development
lifecycle.
 Cloud-Native Security: Using cloud provider services (e.g., AWS KMS, Azure Key
Vault) for encryption, secrets management, and compliance automation.
 AI/ML for Threat Detection: Leveraging advanced analytics to detect anomalies and
threats in real time.
 Continuous Compliance: Automated tools for ongoing monitoring, assessment, and
evidence collection for audits.