PCI DSS Requirement 4 Explained

PCI DSS Requirement 4: Transmit cardholder data by encrypting it over open, public networks.

When data is transmitted unencrypted over open, public networks, malicious individuals can easily capture it. Sensitive data should therefore be encrypted whenever it is transmitted over such networks.

See Also: Securing Card Data in Transit: PCI DSS Requirement 4

Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols remain favored targets for malicious individuals seeking privileged access to cardholder data environments.

PCI DSS Requirement 4.1: Use strong encryption and security protocols to protect sensitive cardholder data during transmission over open, public networks

Since it is very easy for malicious individuals to capture data in transit over public networks, encrypted channels should be used to transmit sensitive information.

Trusted keys and certificates are required to transfer cardholder data securely. A secure transmission protocol and appropriate encryption strength are required to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength should be rejected, since accepting them would result in an unsecured connection.

See Also: What are the Effects of Using MPLS on PCI Compliance?

It should be noted that some protocol versions (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that attackers can use to gain control of systems. Whichever security protocol is used, ensure that only secure versions and settings are configured and enabled, so that an unsecured connection cannot be established.

See Also: What You Should Know About PCI Compliant File Transfer

Configurations should be set to accept only trusted keys and certificates, and only secure versions and configurations of the protocols in use should be supported. Encryption strength must be appropriate for the encryption method used.

Verifying that certificates are trusted also helps maintain the validity and integrity of the secure connection.

See Also: What You Need to Know About Encrypted Communication

Examples of open, public networks include the Internet, wireless technologies such as 802.11 and Bluetooth, cellular technologies (GSM, CDMA, GPRS), and satellite communications.

In general, the URL of the web page should start with “https” and the browser should display the padlock icon indicating an encrypted connection. In addition, many TLS certificate vendors provide a verification seal, also known as a “Secure Site Seal.”

See Also: Public Key Cryptography and PGP Fundamentals

For strong encryption and secure protocols, you can review industry standards and best practices, such as NIST SP 800-52, SP 800-57, and OWASP.
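As an added example, not part of the original article: the kind of TLS client configuration the requirement forbids beside a hardened one, plus a policy check that reports what a configuration gets wrong. It uses only Python's standard ssl module; the policy thresholds (TLS 1.2 minimum, trusted certificate required, hostname checked, forward-secret AEAD suites) are assumptions drawn from the text above.

```python
import ssl
from typing import List

# Transmission policy assumed from the requirement text: TLS 1.2 or newer only,
# a trusted, hostname-matching server certificate required, and only
# forward-secret AEAD cipher suites offered (OpenSSL cipher-string syntax).
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def weak_client_context() -> ssl.SSLContext:
    """The kind of context the requirement forbids: negotiates whatever the
    library still supports and never validates the server certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # untrusted or self-signed certs accepted
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """A context that refuses peers below the required strength."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_TLS_VERSION  # SSLv3, TLS 1.0 and 1.1 rejected
    ctx.check_hostname = True              # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED    # only certs chaining to a trusted CA
    ctx.load_default_certs()               # system trust store
    ctx.set_ciphers(STRONG_CIPHERS)        # restricts the TLS 1.2 suite list
    return ctx


def policy_findings(ctx: ssl.SSLContext) -> List[str]:
    """List every way a context violates the transmission policy; an empty
    list means the context may be used to send cardholder data."""
    findings = []
    if ctx.minimum_version < MIN_TLS_VERSION:
        findings.append("allows TLS versions older than 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a trusted server certificate")
    if not ctx.check_hostname:
        findings.append("does not check the certificate hostname")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, policy_findings(ctx) or ["meets policy"])
```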

PCI DSS Requirement 4.1.1: Identify wireless networks that transmit cardholder data or are connected to the cardholder data environment. Use industry best practices to implement strong authentication and transmission encryption for these networks.

Malicious intruders often target widespread, free wireless networks. Using strong cryptography reduces leakage of sensitive information over wireless networks, because even if attackers capture traffic from a wireless network that uses strong encryption, they cannot read or make use of the data.

Strong authentication and encryption must be used for transmission to prevent malicious attackers from accessing wireless networks or the data they carry.

To verify this requirement, first identify all wireless networks that transmit cardholder data or are connected to the cardholder data environment. Check that authentication and strong encryption are implemented for transmission on every wireless network identified. Ensure that weak protocols such as WEP or older SSL versions are not used for authentication or transmission.

PCI DSS Requirement 4.2: Never send unprotected primary account numbers (PANs) through end-user messaging technologies.

Attackers can easily monitor end-user messaging technologies such as e-mail, instant messaging, SMS, and chat on local or public networks and capture sensitive data. Do not use these messaging tools to send primary account numbers (PANs) without strong encryption.

See Also: PCI Compliance and Email Security

In addition, if an organization needs to receive PANs through end-user messaging technologies, a tool or method must be used to protect the PANs with strong cryptography or to render them unreadable before transmission.

A policy should also be established and communicated to employees stating that unprotected PANs will not be sent through end-user messaging technologies.
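An added example, not from the original article: a detector for unprotected PANs in outbound message text (candidate digit runs validated with the Luhn check) and a masking step that renders them unreadable before transmission. It uses only the Python standard library; the sample messages are constructed, and 4111 1111 1111 1111 is a widely published test card number.

```python
import re
from typing import List

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that payment card numbers must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _strip(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the PANs (digits only) found in an outbound message body."""
    return [_strip(m.group()) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(_strip(m.group()))]


def mask_pans(text: str) -> str:
    """Render every detected PAN unreadable before the message leaves,
    keeping only the first six and last four digits."""
    def _mask(m):
        digits = _strip(m.group())
        if not luhn_valid(digits):
            return m.group()    # not a card number, leave it untouched
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample messages: the first carries a test PAN, the second only
# digit runs that fail the Luhn check (an order id and a tracking number).
SAMPLE_EMAIL = "Hi, please charge 4111 1111 1111 1111, exp 12/26, thanks"
SAMPLE_ORDER = "Order 4111111111111112 shipped, tracking 1234567890123"

if __name__ == "__main__":
    print(find_pans(SAMPLE_EMAIL))   # ['4111111111111111']
    print(mask_pans(SAMPLE_EMAIL))
    print(find_pans(SAMPLE_ORDER))   # []
```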

PCI DSS Requirement 4.3: Ensure that security policies and operational procedures are documented, in use, and known to all affected parties to encrypt the transmission of cardholder data.

Employees must know and follow the security policies and operational procedures for the ongoing management of secure transmission of cardholder data.

For detailed information, see the PCI DSS Quick Reference Guide from the PCI SSC Documentation library.

To review all of the PCI DSS Requirements, you can review our PCI DSS Requirements and PCI Compliance articles.

Surkay Baykara, http://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Biznet. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Biznet, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career, including CEH, CISA, CISSP, and PCI QSA.
