PCI Requirement 4.3 – Ensure Security Policies and Procedures are Known to all Affected Parties

by Randy Bartels / August 23rd, 2017

PCI Requirement 4 states, “Encrypt transmission of cardholder data across open, public networks.” We’ve covered cryptography standards (4.1), wireless networks (4.1.1), and end-user messaging technologies (4.2) to help prepare you to meet this requirement. Complying with PCI Requirement 4 reduces your exposure to attackers who intercept cardholder data in transit by exploiting weak or misconfigured cryptography, including on wireless networks that carry cardholder data. But it’s not enough just to learn and talk about these things; the policies, procedures, and standards must actually be implemented and followed in order to comply with PCI Requirement 4 and to securely transmit cardholder data.

Requirement 4.3 states, “Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.” This is saying more than that your organization needs to maintain documented security policies and operational procedures: the policies and procedures need to be known to, and in use by, all relevant parties. Your personnel must be living out what the policies, procedures, and standards require of them. It is not sufficient to generate documentation just for the sake of the audit. Your assessor should be reading these documents, familiar with the policies and procedures, and interviewing staff to confirm that anybody who is subject to them understands what they require; the testing procedure for 4.3 is to examine the documentation and interview personnel, so a policy nobody can describe, or one that does not match how transmissions are actually encrypted, will surface in those interviews.

In Requirement 4.3, we once again come to the capstone of Requirement 4. This capstone requires that you maintain a documentation program, that all individuals who are subject to these policies are knowledgeable of them, and that the policies and procedures are actually in use. Documents alone will not satisfy it; expect your assessor to verify the practice as well as the paper.