PCI Requirement 4.1 – Use Strong Cryptography and Security Protocols to Safeguard Sensitive CHD During Transmission

by Randy Bartels / February 7, 2023

If your organization transmits sensitive cardholder data over an open or public network, that data must be encrypted using strong cryptography and security protocols, according to PCI Requirement 4.1. Examples of open, public networks include the Internet, Bluetooth, cell phones/GSM, wireless Internet, etc. The purpose of this requirement is to prevent attackers from obtaining data while in transit, which is a common practice. Best practices for safeguarding sensitive cardholder data…

PCI Requirement 4 – Encrypt Transmission of Cardholder Data Across Open, Public Networks

by Randy Bartels / April 12, 2023

PCI Requirement 4 demands, “Encrypt transmission of cardholder data across open, public networks.” How will this requirement benefit your organization? Complying with PCI Requirement 4 will help prevent your organization from being a target of malicious individuals who exploit the vulnerabilities in misconfigured or weakened wireless networks. So as a safety measure, sensitive data that you transmit over open networks must be encrypted. Assessors will be evaluating whether your organization…

PCI Requirement 3.7 – Security Policies & Operational Procedures

by Randy Bartels / December 22, 2022

PCI Requirement 3 states, “Protect stored cardholder data.” We’ve discussed encryption, truncation, masking, and hashing – all methods that can be used to protect cardholder data. We’ve talked about dual control, split knowledge, rendering data unreadable, key-custodians, PAN, sensitive authentication data – all elements that need to be understood in order to fully protect and store cardholder data. But it’s not enough just to learn and talk about these things;…


PCI Requirement 3.6.8 – Key-Custodian Responsibilities

by Randy Bartels / December 22, 2022

Someone in your organization needs to be responsible for managing the encryption of your environment and must accept the importance of this role. This is why PCI Requirement 3.6.8 states, “Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.” Key custodian is one of the most important roles within your organization. Key custodians are responsible for creating encryption keys, altering keys, recovering keys, rotating keys, distributing…

PCI Requirement 3.6.7 – Prevention of Unauthorized Substitution of Cryptographic Keys

by Randy Bartels / December 22, 2022

Your organization must have the appropriate controls in place to prevent unauthorized key substitution. PCI Requirement 3.6.7 requires, “Prevention of unauthorized substitution of cryptographic keys.” If your organization does not have policies, procedures, and standards documenting how your encryption solution rejects substitute keys from unauthorized sources, you are giving malicious individuals an opportunity to decrypt your data. Assessors will examine your procedures to ensure that they outline a…