[PCI-DSS] 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.

[admin]

[PCI-DSS] 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.

Examples of open, public networks that are in scope of the PCI DSS are:

• The Internet,
• Wireless technologies,
• Global System for Mobile communications (GSM), and
• General Packet Radio Service (GPRS).

4.1.a Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks

• Verify that strong encryption is used during data transmission
• For SSL implementations:
  • Verify that the server supports the latest patched versions.
  • Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).
  • Verify that no cardholder data is required when HTTPS does not appear in the URL.
• Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit.
• Verify that only trusted SSL/TLS keys/certificates are
• Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.)

[supathak]

Is there any possible Compensating Control for Requirement#4?

[gdimitrov]

Should the transmission of cardholder data in the local network be encrypted? Example DB<->application and application1<->application2.

Of course all applications and the DB are isolated with firewall from the internet. There is only limited access to the servers for some administrators over secure connection, and of course there is a web interface to the application server from Internet (through some kind of transparent proxy). The DB servers are not accessible from Internet directly.

Thank you.

[Roger Nebel]

The current standard does not specifically require encryption of local area network traffic containing sensitive card holder data. Right now only public network traffic (i.e., the Internet) and stored data must be encrypted. However, if you look at the last few compromises they have mostly been based on local area network sniffing of unencrypted traffic. Yes, malware was allowed in and, yes, data was allowed out - both of which are banned by PCI. In my opinion encrypting local area network traffic which includes sensitive card holder data should be a requirement.