PCI Requirement 4

Encrypt Transmission of Cardholder Data Across Open, Public Networks

Welcome to PCI Requirement 4. The culture we live in revolves around satellite technology, cell phones/GSM, Bluetooth, laptops, wireless Internet, and more. We may consider these things private, but the PCI DSS deems them to be public. PCI Requirement 4 helps prevent organizations from being a target of malicious individuals who exploit vulnerabilities in misconfigured or weakened wireless networks. To comply with PCI Requirement 4, sensitive data that your organization transmits over open, public networks must be encrypted.

In these videos, you will learn about cryptography, security protocols, authentication, and unprotected PANs as they relate to the transmission of cardholder data. Click on a video below to get started with PCI Requirement 4.

PCI Requirement 4 - PCI Demystified

PCI Requirement 4 – Encrypt Transmission of Cardholder Data Across Open, Public Networks

PCI Requirement 4 demands, “Encrypt transmission of cardholder data across open, public networks.” How will this requirement benefit your organization? Complying with PCI Requirement 4 will help prevent your organization from being a target of malicious individuals who exploit the vulnerabilities in misconfigured or weakened wireless networks. So as a safety measure, sensitive data that you transmit over open networks must be encrypted. Assessors will be evaluating whether your organization has implemented the appropriate controls to protect this information.
August 23, 2017/by Jeff Wilder
PCI Requirement 4.1

PCI Requirement 4.1 – Use Strong Cryptography and Security Protocols to Safeguard Sensitive CHD During Transmission

If your organization transmits sensitive cardholder data over an open or public network, that data must be encrypted using strong cryptography and security protocols, according to PCI Requirement 4.1. Examples of open, public networks include the Internet, Bluetooth, cell phones/GSM, wireless Internet, etc. The purpose of this requirement is to prevent attackers from obtaining data while it is in transit, which is a common attack practice.
August 23, 2017/by Jeff Wilder
PCI Requirement 4.1.1

PCI Requirement 4.1.1 – Ensure Wireless Network Transmitting CHD or Connected to CDE Uses Strong Encryption

Wireless networks are a part of our everyday technology environment. It’s almost impossible to get away from them, be it your cell phone, laptop, watch, tablet, television… the list goes on and on. Wireless networks are extremely prevalent in our culture. Think about how many restaurants you go to that have tableside payment. How does your payment get processed?
August 23, 2017/by Jeff Wilder
PCI Requirement 4.2

PCI Requirement 4.2 – Never Send Unprotected PAN by End-User Technologies

If there are situations within your organization when you need to send or receive emails that contain sensitive cardholder data like Primary Account Numbers (PANs), that is acceptable as long as you’re in compliance with PCI Requirement 4.2. It states, “Never send unprotected PANs by end-user messaging technologies.” This includes email, instant messaging, chat systems, SMS, etc.
August 23, 2017/by Jeff Wilder
PCI Requirement 4.3

PCI Requirement 4.3 – Ensure Security Policies and Procedures are Known to all Affected Parties

PCI Requirement 4 states, “Encrypt transmission of cardholder data across open, public networks.” We’ve covered cryptography standards, wireless networks, and end-user messaging technologies to help prepare you to meet this requirement.
August 23, 2017/by Jeff Wilder