PCI Requirement 6.5.4 – Insecure Communications
What are Insecure Communications?
PCI Requirement 6.5.4 requires that you protect your applications from insecure communications. To understand PCI Requirement 6.5.4, let’s look back at PCI Requirement 4. PCI Requirement 4 and its sub-requirements outline how to use strong cryptography and security protocols to protect cardholder data, which is what PCI Requirement 6.5.4 calls for. The PCI DSS states, “Applications that fail to adequately encrypt network traffic using strong cryptography are at increased risk of being compromised and exposing cardholder data. If an attacker is able to exploit weak cryptographic processes, they may be able to gain control of an application or even gain clear-text access to encrypted data.” Best practice says that you should not use insecure communications such as insecure protocols, ports, or services. These forms of insecure communication are vulnerable, and your application cannot depend on something that’s vulnerable.
In PCI Requirement 6.3, we learned that the best way to ensure securely developed applications is to incorporate information security into several phases of your development process: requirement gathering, design, development, and testing. PCI Requirement 6.5.4 requires you to examine these phases again and ensure that within these phases, you’re using defined, specific, secure methods of communication and that strong cryptography is incorporated.
During a PCI assessment, an assessor will examine your documented policies and procedures related to application development and, once again, interview the responsible personnel to ensure that insecure communications are addressed by coding techniques that properly authenticate and encrypt sensitive data communications.
PCI Requirement 6.5.4 requires that when you’re developing an application, you’re not using an insecure protocol, port, service, or any other insecure communications. There’s no point in developing an application that has a dependency on something that’s already vulnerable. Make sure that during the requirements phase and the design phase of your application, you call out the specific protocols, ports, and services that are going to be used, to ensure that they are secure.