I've gone through too many articles on the Internet and unfortunately they are more about selling 3rd-party PII/PCI solutions rather than answering particular questions.
Currently, I'm working on a project where we have to deal with PII data and eventually pass an audit.
I have the following questions regarding PII topic:
- Should we encrypt the PII data itself in storage, or is it OK to encrypt the storage at the DB level?
- Should we transmit the PII data encrypted, or is it fine to just use secured protocols (i.e. HTTPS)?
- How strict should the rules be if the services, the storage and other components are in a private network?
Thank you! Looking forward to getting your answers, especially ones proven by experience.