PCI Requirement 4.1 – Use Strong Cryptography and Security Protocols to Safeguard Sensitive CHD During Transmission

by Randy Bartels / August 23rd, 2017

If your organization transmits sensitive cardholder data over an open or public network, that data must be encrypted using strong cryptography and security protocols, according to PCI Requirement 4.1. Examples of open, public networks include the Internet, Bluetooth, cell phones/GSM, wireless Internet, etc. The purpose of this requirement is to prevent attackers from obtaining data while it is in transit, a common attacker tactic.

Best practices for safeguarding sensitive cardholder data during transmission include:

  • Only use trusted keys and certificates associated with the encryption. If a certificate has expired or is not issued by a trusted source, do not accept it.
  • Any security protocols in use should support only secure versions and configurations; otherwise, an attacker could exploit the protocol's known vulnerabilities. This also prevents fallback to an insecure connection: any connection that could result in an insecure connection must not be accepted. An example of an insecure protocol is WEP, which cannot be relied on for security.
  • The encryption strength should be appropriate for the encryption methodology in use.
  • Documentation should define all places where cardholder data is transmitted or received over open, public networks.
  • Documentation should outline a process for acceptance of trusted keys and certificates, how the implemented security protocols only support secure versions or configurations, and why the encryption strength is appropriate.
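The list above boils down to a handful of checks an assessor (or an automated control) can apply to every transmission path: the protocol itself is acceptable and pinned to secure versions, the peer certificate is verified against a trusted source and is not expired, and the negotiated ciphers are strong enough. The following is an added example, not code from the original article, that builds a hardened TLS client configuration with Python's standard `ssl` module and audits it against those points. The `TransmissionConfig` dataclass, the `audit` function, the weak sample configuration and the sample certificate dates are all constructed here for illustration.

```python
"""Audit a data-in-transit configuration against the PCI Requirement 4.1 points.

Added example: TransmissionConfig, audit(), SAMPLE_CERT and the sample
configurations are constructed for illustration, not taken from any product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import ssl
import time

# Protocols that cannot be relied on for security (WEP is the article's example;
# legacy SSL is included because no version of it is considered strong today).
INSECURE_PROTOCOLS = {"WEP", "SSL"}
# TLS versions still considered strong; TLS 1.0 and 1.1 are not.
ACCEPTABLE_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Fragments of cipher-suite names that indicate weak, broken or export-grade algorithms.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON")
MIN_SYMMETRIC_KEY_BITS = 128


@dataclass
class TransmissionConfig:
    """Protocol-neutral description of how one transmission path is protected."""
    protocol: str                 # e.g. "TLS", "WEP"
    version: Optional[str]        # minimum protocol version, e.g. "TLSv1.2"
    verifies_peer_cert: bool      # certificate must chain to a trusted source
    checks_hostname: bool         # certificate must match the peer we intended
    ciphers: List[Dict] = field(default_factory=list)  # {"name": ..., "bits": ...}


def audit(cfg: TransmissionConfig) -> List[str]:
    """Return a list of findings; an empty list means the config meets the checks."""
    findings = []
    proto = cfg.protocol.upper()
    if proto in INSECURE_PROTOCOLS:
        findings.append(f"{cfg.protocol} is not acceptable as a security protocol")
    elif proto == "TLS":
        if cfg.version not in ACCEPTABLE_TLS_VERSIONS:
            findings.append(f"TLS minimum version {cfg.version} permits insecure versions")
    else:
        findings.append(f"unrecognised protocol {cfg.protocol}; cannot confirm it is secure")
    if not cfg.verifies_peer_cert:
        findings.append("peer certificate is not verified against a trusted source")
    if not cfg.checks_hostname:
        findings.append("certificate hostname is not checked")
    for cipher in cfg.ciphers:
        name = cipher["name"].upper()
        if any(m in name for m in WEAK_CIPHER_MARKERS) or cipher["bits"] < MIN_SYMMETRIC_KEY_BITS:
            findings.append(f"weak cipher suite enabled: {cipher['name']}")
    return findings


def build_hardened_client_context() -> ssl.SSLContext:
    """A TLS client context that only accepts trusted, current certs and TLS 1.2+."""
    # create_default_context() loads the system trust store, sets CERT_REQUIRED
    # and enables hostname checking; expired certificates fail verification.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict TLS 1.2 suites to forward-secret AEAD ciphers (TLS 1.3 suites are fixed).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def describe_context(ctx: ssl.SSLContext) -> TransmissionConfig:
    """Translate a real ssl.SSLContext into the neutral form audit() understands."""
    names = {ssl.TLSVersion.TLSv1_2: "TLSv1.2", ssl.TLSVersion.TLSv1_3: "TLSv1.3"}
    version = names.get(ctx.minimum_version, str(ctx.minimum_version))
    ciphers = [{"name": c["name"], "bits": c["strength_bits"]} for c in ctx.get_ciphers()]
    return TransmissionConfig("TLS", version, ctx.verify_mode == ssl.CERT_REQUIRED,
                              ctx.check_hostname, ciphers)


def certificate_is_current(cert: Dict, now: Optional[float] = None) -> bool:
    """Reject expired or not-yet-valid certificates (dict as returned by getpeercert())."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


# Constructed sample inputs for the demonstration below.
WEAK_WIRELESS_LINK = TransmissionConfig("WEP", None, False, False,
                                        [{"name": "RC4-40", "bits": 40}])
SAMPLE_CERT = {"subject": ((("commonName", "payments.example.test"),),),
               "notBefore": "Jan  1 00:00:00 2017 GMT",
               "notAfter": "Jan  1 00:00:00 2018 GMT"}
ASSESSMENT_2017 = ssl.cert_time_to_seconds("Aug 23 00:00:00 2017 GMT")
ASSESSMENT_2019 = ssl.cert_time_to_seconds("Aug 23 00:00:00 2019 GMT")

if __name__ == "__main__":
    print("hardened TLS client:", audit(describe_context(build_hardened_client_context())))
    print("WEP link:", audit(WEAK_WIRELESS_LINK))
    print("cert valid in 2017:", certificate_is_current(SAMPLE_CERT, ASSESSMENT_2017))
    print("cert valid in 2019:", certificate_is_current(SAMPLE_CERT, ASSESSMENT_2019))
```

The hardened context produces no findings, while the WEP configuration is flagged four times: the protocol itself, the missing certificate verification, the missing hostname check, and the 40-bit RC4 cipher. Documenting the output of such an audit for each place cardholder data leaves the environment is one way to satisfy the documentation points in the list.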

If you’re going to be transmitting cardholder data over an open or public network (this would be the Internet, wireless, GSM, cell phone, Bluetooth), we expect that the data be encrypted. There are multiple ways that we look for doing that. For example, you wouldn’t be using an insecure wireless protocol such as WEP. You can use WEP, but WEP cannot be used as a means of security. We look to make sure you have the keys or the certificates that are associated with the encryption, and that they are trusted and secure.

The assessor should take time, when looking at your network documentation, to make sure that it defines all places where cardholder data is transmitted in and out of your network. As part of that, they’re going to be looking at how you’re protecting that information as it departs your environment or your control. So, Requirement 4.1 looks to make sure that you have strong cryptography or strong encryption any place that cardholder data is transmitted over open or public networks.