PCI DSS Requirement 4: Transmit cardholder data by encrypting it over open, public networks.
When data is transmitted over open and unencrypted public networks, malicious individuals can easily access sensitive data. Therefore, during transmission over open and public networks, sensitive data should be encrypted.
Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols remain favoured targets for malicious individuals seeking privileged access to cardholder data environments.
PCI DSS Requirement 4.1: Use strong encryption and security protocols to protect sensitive cardholder data during transmission over open, public networks
Since it is very easy for malicious people to capture data during transmission over public networks, encrypted channels should be used to transmit sensitive information.
Trusted keys and certificates are required to transfer cardholder data securely. A secure transmission protocol and an appropriate encryption strength are required to protect cardholder data in transit. Do not accept connection requests from systems that do not support the required encryption strength, since they would result in an unsecured connection.
It should be noted that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that attackers can use to gain control of a system. Whichever security protocol is used, ensure that only secure versions and settings are configured and enabled, so that an unsecured connection cannot be negotiated.
Configurations should accept only trusted keys and certificates, and only secure versions and configurations of the protocol in use should be supported. Encryption strength must be appropriate for the encryption method used.
Verifying that certificates are trusted also helps maintain the validity and integrity of the secure connection.
Examples of open, public networks include the Internet; wireless technologies such as 802.11 and Bluetooth; cellular technologies (GSM, CDMA); GPRS; and satellite communications.
In general, the URL of the web page should start with “HTTPS” and display the padlock icon indicating the encrypted link in the web browser window. Also, many TLS certificate vendors provide a verification seal, also known as “Secure Site Seal.”
For strong encryption and secure protocols, you can review industry standards and best practices, such as NIST SP 800-52, SP 800-57, and OWASP.
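As an added illustration (not part of the PCI DSS text or of this article), the following Python snippet builds TLS contexts that implement the settings described above (a TLS 1.2 floor, trusted certificates only, hostname checking) and audits any context for the weak settings Requirement 4.1 prohibits. The weak-cipher marker list, the finding strings and the placeholder certificate paths are my own assumptions.

```python
import ssl
from typing import List

# Cipher-name fragments that indicate algorithms not considered strong
# cryptography (assumption: illustrative, not an exhaustive list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ANON", "ADH", "AECDH")


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for settings that would leave a connection unsecured."""
    findings = []
    # MINIMUM_SUPPORTED (no floor at all) compares below TLSv1_2, so it is flagged too.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows SSL/TLS versions older than TLS 1.2")
    # Certificate checks are only meaningful on the side that verifies the peer.
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT:
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("peer certificate is not required or verified")
        if not ctx.check_hostname:
            findings.append("certificate is not matched against the hostname")
    for cipher in ctx.get_ciphers():
        name = cipher["name"].upper()
        if cipher["strength_bits"] < 128 or any(m in name for m in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher suite enabled: " + cipher["name"])
    return findings


def hardened_client_context() -> ssl.SSLContext:
    # create_default_context gives CERT_REQUIRED plus hostname checking.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    # A server with this floor rejects handshakes from peers that cannot
    # negotiate TLS 1.2 or better, as the requirement asks.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # A real deployment loads its certificate and key here (placeholder paths):
    # ctx.load_cert_chain("/path/to/server.crt", "/path/to/server.key")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The 'before' configuration: no version floor and no certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

Running `audit_context` over each context shows the hardened ones produce no findings while the legacy one is flagged for the protocol floor and the missing certificate checks.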
PCI DSS Requirement 4.1.1: Identify wireless networks that transmit cardholder data or are connected to the cardholder data environment. Use industry best practices to implement strong authentication and transmission encryption for these networks.
Malicious intruders often target widespread and free wireless networks. Using strong cryptography reduces the leakage of sensitive information over wireless networks: even if attackers capture data from a wireless network that uses strong encryption, they cannot make malicious use of it, because the data is encrypted.
Strong authentication and encryption must be implemented for transmission to prevent malicious attackers from accessing wireless networks or the data they carry.
To check this requirement, first identify all your wireless networks that transmit cardholder data or are connected to the cardholder data environment. Check that transmission over every wireless network identified is implemented with authentication and strong encryption. Ensure that weak encryption protocols such as WEP or older versions of SSL are not used for authentication or transmission.
PCI DSS Requirement 4.2: Never send unprotected primary account numbers (PANs) through end-user messaging technologies.
Attackers can easily monitor end-user messaging technologies such as e-mail, instant messaging, SMS, and chat on local or public networks and capture sensitive data. Do not use these messaging tools to send primary account numbers (PANs) without strong encryption.
Moreover, if an enterprise requests PANs through end-user messaging technologies, a tool or method should be used to protect the PANs with strong cryptography or to render them unreadable before transmission.
A policy should also be established and communicated to employees stating that unprotected PANs will not be sent through end-user messaging technologies.
PCI DSS Requirement 4.3: Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
Employees must know and follow the security policies and operating procedures for the continuous management of secure transmission of cardholder data.
For detailed information, see the PCI DSS Quick Reference Guide from the PCI SSC Documentation library.