Requirement 4: Encrypt transmission of cardholder data across open, public networks

The purpose of Requirement 4 is to ensure that sensitive cardholder data is protected during transmission over open, public networks. This requirement mandates the use of strong cryptography and security protocols to safeguard cardholder data from unauthorized interception and theft.

Requirement 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

Purpose:

The purpose of Requirement 4.1 is to ensure that sensitive cardholder data is protected with strong cryptography and security protocols when transmitted over open, public networks. This requirement aims to prevent unauthorized interception and theft of cardholder data by malicious individuals who may attempt to eavesdrop on or divert data during transit.

Good Practice / Guidance:

4.1.1 Use of Trusted Keys and Certificates:

Organizations should only accept trusted keys and certificates when establishing secure connections for transmitting cardholder data. This practice helps ensure the integrity and authenticity of the entities involved in the secure communication.

4.1.2 Use of Secure Protocol Versions and Configurations:

The security protocols used for transmitting cardholder data should only support secure versions and configurations. Insecure versions or configurations of protocols should not be supported, as they may have known vulnerabilities that attackers can exploit.

4.1.3 Appropriate Encryption Strength:

The encryption strength used for transmitting cardholder data should be appropriate for the encryption methodology in use. Organizations should follow vendor recommendations and industry best practices when selecting encryption algorithms and key lengths.

4.1.4 Special Considerations for SSL/Early TLS:

If SSL or early TLS is used, additional requirements specified in Appendix A2 of the PCI DSS must be completed to address known vulnerabilities in these protocols.

Examples of open, public networks include the Internet, wireless technologies (e.g., 802.11, Bluetooth), cellular technologies (e.g., GSM, CDMA, GPRS), and satellite communications.

To comply with Requirement 4.1, organizations should:

  1. Identify all locations where cardholder data is transmitted or received over open, public networks.
  2. Implement strong cryptography and security protocols for all identified transmission channels.
  3. Ensure that only trusted keys and certificates are accepted.
  4. Configure protocols to support only secure versions and configurations.
  5. Implement appropriate encryption strength based on the encryption methodology in use.
  6. Complete additional requirements for SSL/early TLS, if applicable.

By implementing strong cryptography and security protocols, organizations can significantly reduce the risk of cardholder data being intercepted or stolen during transmission over open, public networks.
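
As an added illustration of steps 3 to 5 above (not code from the PCI DSS or from this page), the following Python builds a client-side TLS context that accepts only trusted certificates, refuses SSL/early TLS and offers only strong cipher suites, then audits a context against those same three points. The TLS 1.2 cutoff and the 128-bit cipher floor are this example's assumptions; Requirement 4.1 itself defers to vendor recommendations and industry best practice.

```python
import ssl

# Versions this example accepts; anything older is treated as SSL/early TLS, which
# would trigger the Appendix A2 work described in 4.1.4 (the cutoff is an assumption).
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
MIN_CIPHER_BITS = 128  # assumed floor for "appropriate encryption strength" (4.1.3)


def build_client_context() -> ssl.SSLContext:
    """Client context covering steps 3 to 5: trusted CAs, TLS 1.2+, strong ciphers."""
    ctx = ssl.create_default_context()            # OS trust store, CERT_REQUIRED, hostname check
    ctx.check_hostname = True                     # 4.1.1: certificate must match the peer name
    ctx.verify_mode = ssl.CERT_REQUIRED           # 4.1.1: untrusted certificates are rejected
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # 4.1.2: no SSL/early TLS
    # 4.1.3: forward-secret AEAD suites only; explicitly drop anonymous, null, MD5 and RC4
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def build_weak_context() -> ssl.SSLContext:
    """Deliberately weakened context for contrast: certificate checks switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings against 4.1.1 to 4.1.3; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("4.1.1: untrusted or mismatched certificates would be accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("4.1.2: SSL/early TLS can still be negotiated (see Appendix A2)")
    for c in ctx.get_ciphers():  # every suite the context would offer in a handshake
        if c["protocol"] not in ACCEPTED_PROTOCOLS or c["strength_bits"] < MIN_CIPHER_BITS:
            findings.append(f"4.1.3: weak cipher offered: {c['name']} "
                            f"({c['protocol']}, {c['strength_bits']} bits)")
    return findings


if __name__ == "__main__":
    print("hardened context findings:", audit_context(build_client_context()) or "none")
    for f in audit_context(build_weak_context()):
        print("weak context finding:", f)
```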

Requirement 4.1.1: Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission.

Purpose:

The purpose of Requirement 4.1.1 is to ensure that wireless networks transmitting cardholder data or connected to the cardholder data environment (CDE) are secured using industry best practices for strong encryption. This requirement aims to prevent malicious individuals from eavesdropping on wireless communications or gaining unauthorized access to the CDE through wireless networks.

Good Practice / Guidance:

4.1.1.1 Use of Industry Best Practices:

Organizations should use industry best practices, such as IEEE 802.11i, to implement strong encryption for authentication and transmission on wireless networks. These best practices provide guidelines for secure wireless network configuration and help ensure that wireless communications are protected from eavesdropping and unauthorized access.

4.1.1.2 Prohibition of Weak Encryption:

Weak encryption methods, such as WEP and SSL, should not be used as security controls for authentication or transmission on wireless networks. These methods have known vulnerabilities and can be easily exploited by attackers to gain access to wireless networks and sensitive data.

To comply with Requirement 4.1.1, organizations should:

  1. Identify all wireless networks transmitting cardholder data or connected to the CDE.
  2. Implement strong encryption for authentication and transmission on these wireless networks using industry best practices.
  3. Ensure that weak encryption methods are not used as security controls.
  4. Regularly review and update wireless network configurations to maintain alignment with industry best practices.

By following these guidelines, organizations can significantly reduce the risk of cardholder data being compromised through wireless networks and maintain a secure environment for processing and transmitting sensitive information.
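
To support step 4 above (regular review of wireless configurations), here is an added Python checker, not part of this page or the PCI DSS, that audits a hostapd-style "key=value" access-point configuration for the weak settings named in 4.1.1.2. The hostapd option names (wpa, wpa_pairwise, rsn_pairwise, wep_key0, ieee80211w) are real; the two sample configurations are constructed for this example, and treating WEP and TKIP as weak and requiring 802.11i (wpa=2) with an AES cipher is the example's reading of "industry best practices".

```python
# Pairwise ciphers this example treats as weak (WEP and TKIP; an assumption).
WEAK_CIPHERS = {"TKIP", "WEP40", "WEP104"}


def parse_ap_config(text: str) -> dict:
    """Parse a hostapd-style key=value file, ignoring blank lines and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_ap_config(text: str) -> list:
    """Return findings against 4.1.1; an empty list means the config passes."""
    conf = parse_ap_config(text)
    findings = []
    if any(k.startswith("wep_") for k in conf):
        findings.append("WEP keys configured (prohibited by 4.1.1.2)")
    if conf.get("wpa") != "2":  # hostapd bitfield: 1=WPA, 2=WPA2/802.11i, 3=both
        findings.append("802.11i (wpa=2) is not the only mode enabled")
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    weak = ciphers & WEAK_CIPHERS
    if weak:
        findings.append("weak pairwise cipher(s): " + ", ".join(sorted(weak)))
    if not ciphers & {"CCMP", "GCMP"}:
        findings.append("no AES pairwise cipher (CCMP/GCMP) configured")
    return findings


# Constructed samples: a WPA/WPA2 mixed-mode config that still allows TKIP, and its fix.
WEAK_AP = """interface=wlan0
ssid=STORE-POS
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
"""
HARDENED_AP = """interface=wlan0
ssid=STORE-POS
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ieee80211w=2
"""

if __name__ == "__main__":
    print("weak config:", audit_ap_config(WEAK_AP))
    print("hardened config:", audit_ap_config(HARDENED_AP) or "no findings")
```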

Requirement 4.2: Never send unprotected PANs by end-user messaging technologies.

Purpose:

The purpose of Requirement 4.2 is to prohibit the sending of unprotected primary account numbers (PANs) through end-user messaging technologies such as email, instant messaging, SMS, and chat. This requirement aims to prevent the interception of sensitive cardholder data by malicious individuals who may eavesdrop on these communication channels.

Good Practice / Guidance:

4.2.1 Protection of PANs in End-User Messaging:

If end-user messaging technologies are used to send cardholder data, organizations must ensure that PANs are rendered unreadable or secured with strong cryptography. This can be achieved through techniques such as encryption, tokenization, or masking.

4.2.2 Policy Prohibiting Sending Unprotected PANs:

Organizations should establish and maintain a written policy that prohibits the sending of unprotected PANs via end-user messaging technologies. This policy should be communicated to all relevant personnel and enforced through technical controls and regular monitoring.

To comply with Requirement 4.2, organizations should:

  1. Identify all instances where end-user messaging technologies are used to send cardholder data.
  2. Implement processes to render PANs unreadable or secure them with strong cryptography when sent via these technologies.
  3. Establish and maintain a written policy prohibiting the sending of unprotected PANs.
  4. Communicate the policy to all relevant personnel and provide training on secure messaging practices.
  5. Regularly monitor and audit the use of end-user messaging technologies to ensure compliance with the policy.

By adhering to these guidelines, organizations can significantly reduce the risk of cardholder data being intercepted or compromised when sent through end-user messaging technologies.
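
As an added example for steps 2 and 5 above (not code from this page or the PCI DSS), the following Python scans an outbound message for unprotected PANs and masks any it finds, the kind of check an outbound-mail or chat filter would run. The 13 to 19 digit length, the Luhn check used to drop other digit runs, and masking to the first six and last four digits are this example's assumptions; the sample message is constructed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens
# (the length range and separators are this example's assumptions).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out order numbers and similar digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (a common convention; an assumption here)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return the separator-free PANs found in a message, for alerting or audit logs."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact_message(text: str) -> str:
    """Replace every Luhn-valid PAN with its masked form; other digit runs are untouched."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample: a test PAN in an email body plus a 16-digit order number.
SAMPLE_MESSAGE = "Customer card 4111 1111 1111 1111 exp 12/26; order 1234567890123456"

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_MESSAGE))
    print("Redacted:  ", redact_message(SAMPLE_MESSAGE))
```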

Requirement 4.3: Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.

Purpose:

The purpose of Requirement 4.3 is to ensure that organizations have documented security policies and operational procedures for encrypting transmissions of cardholder data and that these policies and procedures are actively implemented and known to all relevant personnel. This requirement aims to maintain a consistent and effective approach to securing cardholder data during transmission and to ensure that all affected parties understand their roles and responsibilities in this process.

Good Practice / Guidance:

4.3.1 Documentation of Security Policies and Procedures:

Organizations should document their security policies and operational procedures for encrypting cardholder data transmissions. These documents should be clear, comprehensive, and easily accessible to all affected parties.

4.3.2 Implementation and Use of Policies and Procedures:

The documented security policies and operational procedures should be actively implemented and followed by all relevant personnel. This means the policies and procedures are integrated into the organization's day-to-day operations and that all affected parties use them consistently.

4.3.3 Communication and Awareness:

All affected parties should be made aware of and trained on the organization's security policies and operational procedures for encrypting cardholder data transmissions. Regular communication should keep everyone informed of any changes to the policies and procedures.

To comply with Requirement 4.3, organizations should:

  1. Document security policies and operational procedures for encrypting cardholder data transmissions.
  2. Ensure that these policies and procedures are actively implemented and followed by all relevant personnel.
  3. Provide training and regular communication to all affected parties on the policies and procedures.
  4. Regularly review and update the policies and procedures to maintain their effectiveness and relevance.

By documenting, implementing, and maintaining effective security policies and operational procedures for encrypting cardholder data transmissions, organizations can demonstrate their commitment to data security and maintain compliance with the PCI DSS standard.
