Eirikur Eiriksson (10/23/2016)
Jeff Moden (10/23/2016)
As a bit of a sidebar, I'm concerned for you good folks. One of the indexes you posted appears to have "CardNumber" as a clear text value. I hope I'm misreading that. PCI specs and most specs on PII say that such things must be encrypted.Could you attach a copy of what the Clustered Indexes look like (I see you posted 1 already but a single attachment would be convenient) and all the Non Clustered Indexes for the two tables in question? It'll help with analysis.
LINQ, EF and other such things, makes you wonder doesn't it?
😎
I was taken at back by the CC info and other potentially sensitive data, hope that is encrypted!
You said a mouthful. About 2 years ago, I did some part-time work for a small company with a large footprint. They used SSNs in the clear for primary keys. Their compliance officer said that it's not a problem because they were behind a firewall and, besides, the Social Security Administration web site said that (although it was encouraged and recommended on this site) it's not required (and, it's not. Go figure). When I told her that she should demonstrate her faith in the system by adding her own PII, including SSN, to the system, she flat out refused. After that, I recommended that the company should find a new compliance officer. Of course, that didn't happen because it would cost some money to change the systems to encrypt SSNs.
If their system is ever compromised, they'll find out just how much damages will cost them. Just the fees for follow up credit and misuse monitoring will kill the company, not to mention the legal fees for anyone that decides to sue the company.
--Jeff Moden
Change is inevitable... Change for the better is not.