How do some sites (e.g. online banks) only ask for specific characters from a password without storing it as plaintext?
Whilst I don't know explicitly how banks handle this requirement, an alternate process to the one that @rakhi mentions would be to use an HSM and reversible encryption.
The idea is that the full password would be stored in the database encrypted using a symmetric cipher (eg, AES). Then when the password characters are passed to the application they are fed into the HSM along with the encrypted password.
The HSM could then decrypt the password and confirm that the 3 characters are as expected, returning a pass/fail response to the application. So at no point is the password held in the clear (apart from in the HSM which is considered secure).
This would tie up with the way that PIN encryption can be handled by ATM networks (eg, symmetric encryption and HSMs)
Any time you encounter a case where knowing something about your password other than the hash of the full password is needed, you can assume that the password is not hashed. While PCI-DSS was mentioned, there is no regulation that I'm aware of which applies to banks encrypting or hashing password information. PCI-DSS doesn't cover your bank account information, including logging in with your PIN or some variation of it.
If they're being good, the password is stored using encryption. If they're not so good, it could indeed be stored in plaintext.
I admit I rather like the trade-off here. The whole password database may exposed to a greater risk of attack if it's compromised, but I'd counter that security at banks should at the higher end. If a compromise of the database was suspected, everything would have to be changed whether hashed or encrypted anyway. Either instance With this particular method, it takes a lot longer and a greater degree of complexity for an attacker to gain enough useful information to make an attack with a keylogger.
Something tangentially related: http://projecteuler.net/index.php?section=problems&id=79
NatWest's scheme strikes me as of dubious value. In NatWest's scheme, a phishing attack can probably steal your entire PIN and all or most of your password. Here's how the phishing attack would work.
The phishing site would present a fake login screen, asking for 3 digits of the PIN and 3 characters of the password.
The user would type their answer in.
The phishing site would now present a response indicating that the entry was incorrect, and prompt the user again.
Many users would probably assume they entered something in wrong, and try again.
If the phisher is clever, the second prompt from the phishing site will ask for a different set of digits and characters. If the user tries a second time, then the phishing site can learn all 4 digits of the PIN and 6 characters of the user's password. (Note that NatWest requires users to choose a password containing 6-8 characters, so 6 characters of the password is guaranteed to be all or almost all of it.) At that point, it is game over.
Consequently, it is not clear to me that NatWest's scheme buys you anything.