PCI Requirement 4 – Encrypt Transmission of Cardholder Data Across Open, Public Networks

by Randy Bartels / August 23rd, 2017

PCI Requirement 4 demands, “Encrypt transmission of cardholder data across open, public networks.” How will this requirement benefit your organization? Complying with PCI Requirement 4 helps protect your organization from attackers who intercept data in transit by exploiting misconfigured or weakly encrypted networks, wireless networks in particular. So as a safety measure, cardholder data that you transmit over open, public networks must be encrypted with strong cryptography. Assessors will be evaluating whether your organization has implemented the appropriate controls to protect this information.

How do you define an open or public network? It depends on who is connected to the network and how it is configured. Satellite links, cellular networks (GSM), Bluetooth, wireless (Wi-Fi) networks, the Internet itself – so many things can be deemed public networks, even if you may consider them private.

Our PCI Requirement 4 videos will cover these four sub-requirements:

  • 4.1: Use strong cryptography and security protocols (for example, TLS, IPsec, SSH) to safeguard sensitive cardholder data during transmission over open, public networks.
  • 4.1.1: Ensure wireless networks transmitting cardholder data, or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission.
  • 4.2: Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
  • 4.3: Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
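For sub-requirement 4.1, the control an assessor looks for is a transport that only negotiates current TLS versions with modern cipher suites. The script below is an added example written for this page (it is not PCI SSC material and not from the original post): it builds a client-side policy that refuses SSL and early TLS (1.0/1.1) and weak cipher suites, and classifies whatever a server negotiates using the protocol and cipher names that Python's `ssl` module reports. The function names, the marker list and the default target are this example's own assumptions.

```python
"""Requirement 4.1 transport check: enforce TLS 1.2+ with modern cipher suites.

Added example for this page; not PCI SSC code. Protocol and cipher names
follow what Python's ssl module reports (SSLSocket.version() / .cipher()).
"""
import socket
import ssl
from typing import Dict

# Protocol versions this policy accepts as "strong". SSLv2/SSLv3 and
# TLS 1.0/1.1 ("early TLS") are rejected.
STRONG_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Substrings of an OpenSSL cipher-suite name that disqualify it: no encryption,
# export grade, RC4, DES/3DES, MD5 integrity, anonymous key exchange.
# (Assumed policy list for this example; adjust to your own standard.)
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def transport_is_strong(protocol: str, cipher: str) -> bool:
    """True if a negotiated (protocol, cipher) pair satisfies the policy."""
    if protocol not in STRONG_PROTOCOLS:
        return False
    name = cipher.upper()
    return not any(marker in name for marker in WEAK_CIPHER_MARKERS)


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses early TLS and weak suites outright."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: forward-secret key exchange with AEAD encryption only.
    # TLS 1.3 suites are chosen separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Connect with the hardened context and report what was negotiated.

    A server that only offers SSL/early TLS or weak suites never completes the
    handshake (ssl.SSLError). For a compliance check that refusal is the
    finding itself, so callers should catch it and record it.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            protocol = tls.version()
            cipher_name, _, _ = tls.cipher()
            return {
                "host": host,
                "protocol": protocol,
                "cipher": cipher_name,
                "strong": transport_is_strong(protocol, cipher_name),
            }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed default
    try:
        print(audit_endpoint(target))
    except ssl.SSLError as exc:
        print(f"{target}: handshake refused under policy: {exc}")
```

Run it as `python tls_policy.py payments.example` (hostname assumed). Because the context itself pins the floor at TLS 1.2, a non-compliant endpoint shows up as a refused handshake rather than a "weak" row; if you need to enumerate everything a legacy server would still accept, do that with a deliberately permissive context and feed each result through `transport_is_strong`.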
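Sub-requirement 4.2 is usually enforced by a detective control on outbound e-mail, chat and SMS: find anything that looks like a primary account number and block or quarantine the message. The following is an added example for this page (not from the original post and not a vendor DLP product): it pulls 13- to 19-digit runs out of a message, keeps only those that pass the Luhn check, and returns them masked to the first six and last four digits, which is the most PCI DSS permits to be displayed. The sample message and the function names are constructed for the example.

```python
"""Requirement 4.2 check: detect unprotected PANs in end-user messaging text.

Added example for this page; not PCI SSC code. Regex and Luhn filter only;
tune the candidate pattern to your own message formats.
"""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unprotected_pans(text: str) -> List[str]:
    """Return normalized digit strings that look like PANs and pass Luhn."""
    found: List[str] = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask to first six / last four, the maximum PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_message(text: str) -> Dict[str, object]:
    """Decide whether a message must be blocked and report masked hits."""
    pans = find_unprotected_pans(text)
    return {"block": bool(pans), "pans": [mask_pan(p) for p in pans]}


if __name__ == "__main__":
    # Constructed sample: one Luhn-invalid order number, one Luhn-valid test
    # card number (5555 5555 5555 4444), one phone number.
    sample = "Order 1234567890123456, card 5555 5555 5555 4444, call 555-123-4567"
    print(scan_message(sample))
```

The Luhn filter removes most order and reference numbers, but some non-card identifiers do pass Luhn, and a PAN hidden inside a longer digit run or split across lines will be missed; treat this as a safety net, not a substitute for keeping PANs out of messaging in the first place (tokenization, or an encrypted channel that the requirement permits).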

Requirement 4 of the PCI DSS is about managing and maintaining the security of cardholder data when it is transmitted over open or public networks. The PCI DSS explicitly calls out wireless (802.11) networks as public networks, even if they are considered private within your environment. Satellite would be considered public as well, and of course the Internet. There are certain situations where MPLS might be considered public, depending on who is connected to it and how it is configured. Looking at Requirement 4, we’re looking for the controls that you’ve implemented to protect cardholder data while it is transmitted over these open or public networks.