This blog is part of a blog series on the 12 PCI DSS Requirements. We discuss the common challenges and explain what kind of evidence is needed to comply with the requirement.
‘Encrypt transmission of CHD across open, public networks’
Malicious individuals can exploit vulnerabilities in public or wireless networks that are misconfigured or use legacy encryption to gain privileged access to the cardholder data environment.
Requirement 4 is there to protect all sensitive information during transmission over open or public networks and over wireless networks. These are the places where sensitive information is easily accessed by malicious individuals.
3 steps to consider
We will explain the main challenges and steps that must be considered in order to comply with this requirement:
1) Implement only strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
The SSL and early TLS protocols are no longer safe, which is why PCI DSS asks you to implement the latest TLS version and to disable the old versions and insecure protocols.
2) Implement strong cryptography for authentication and for transmission of cardholder data over wireless networks, or when accessing other internal networks or internal data.
In addition, you must:
- implement a hardened configuration on the wireless networks;
- know the best practices of industry-accepted system hardening standards such as the Center for Internet Security (CIS), the International Organization for Standardization (ISO), the SysAdmin Audit Network Security (SANS) Institute and the National Institute of Standards and Technology (NIST);
- include the recommendations of all technology providers.
3) Never send unprotected PANs by end-user messaging technologies such as email, instant messaging, SMS, chat, etc. unless they are configured to provide strong encryption. Messages sent with these technologies can easily be intercepted by packet sniffing during delivery across internal or public networks.
It is important to stay informed about new vulnerabilities that affect protocols that were considered safe in the past and have ceased to be so.
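To collect evidence for step 1, the check below scans an nginx configuration for `ssl_protocols` directives that still enable SSL or early TLS. It is an added example, not code from the original post; nginx as the web server, the function name `audit_nginx_tls`, the sample configurations and the choice of TLS 1.2 as the minimum version are assumptions.

```python
import re

# Assumption: TLS 1.2 is the floor; anything older counts as SSL / early TLS.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def audit_nginx_tls(config_text):
    """Return (line_number, message) findings for an nginx configuration."""
    findings = []
    saw_tls_listener = saw_directive = False
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # ignore comments
        if re.match(r"listen\s+[^;]*\bssl\b", line):
            saw_tls_listener = True
        m = re.match(r"ssl_protocols\s+([^;]+);", line)
        if not m:
            continue
        saw_directive = True
        enabled = m.group(1).split()
        legacy = [p for p in enabled if p in LEGACY]
        if legacy:
            findings.append((lineno, "legacy protocols enabled: " + ", ".join(legacy)))
        if not any(p in ("TLSv1.2", "TLSv1.3") for p in enabled):
            findings.append((lineno, "no modern TLS version enabled"))
    if saw_tls_listener and not saw_directive:
        # Line 0 marks a file-level finding: nothing pins the protocol set.
        findings.append((0, "TLS listener without explicit ssl_protocols"))
    return findings

# Constructed sample configurations (not taken from any real system).
WEAK = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # kept for old clients
}
"""
HARDENED = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""
IMPLICIT = """\
server {
    listen 443 ssl;
}
"""
if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("implicit", IMPLICIT)):
        print(name, audit_nginx_tls(cfg) or "OK")
```

A file-level finding (line 0) means the effective protocol set comes from the nginx build default, so it should be confirmed against the installed version before the configuration is used as evidence.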