PCI DSS Requirement 4: Protect Cardholder Data During Transmission Over Public Networks
Vulnerabilities in legacy encryption and authentication protocols for wireless networks are often targeted by malicious individuals aiming to gain access to cardholder data environments (CDEs). Merchants that use strong cryptography gain assurance that confidentiality is preserved even on open, public networks, where the merchant controls neither the path the traffic takes nor the other hosts that can observe it.
To protect against compromise, CHD (and above all the PAN) must be encrypted whenever it travels over open, public networks, which attackers can reach with little effort. PCI DSS v4.0 gives the Internet, wireless technologies such as 802.11 and Bluetooth, cellular networks, and satellite communications as examples of such networks.
Any transmission of cardholder data over an organization's internal network brings that network into scope for PCI DSS, because the network then stores, processes, or transmits cardholder data. Such networks must therefore be evaluated and assessed against all applicable PCI DSS requirements.
For additional details on all 12 of the Requirements, read our PCI DSS Requirements overview.
Requirement 4 Details and Sections
PCI DSS Requirement 4 has two sections covering the security of cardholder data over public networks.
The requirement sections are:
- Requirement 4.1: Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.
- Requirement 4.2: PAN is protected with strong cryptography during transmission.
Requirement 4.1: Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.
This section details how to manage and maintain the various policies specified in Requirement 4 effectively. It states that not only should these procedures be defined, but they should also be documented, updated, and shared with the appropriate parties.
As a good practice, merchants should update these policies, and every other PCI-dependent policy, whenever processes, technologies, or business objectives change.
Defined approach requirements include:
- Requirement 4.1.1: All security policies and operational procedures that are identified in Requirement 4 are documented, up-to-date, in-use, and known to all impacted parties.
- Requirement 4.1.2: Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood.
Requirement 4.2: PAN is protected with strong cryptography during transmission.
Because interception of data in transit is a routine attacker technique, PAN must be encrypted with strong cryptography whenever it is transmitted over open, public networks. Requirement 4.2 details the approach merchants must take to secure data while in transit.
Defined approach requirements include:
- Requirement 4.2.1: Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks, including:
  - Accepting only trusted keys and certificates.
  - Confirming that certificates used to safeguard PAN during transmission over open, public networks are valid and not expired or revoked. (In v4.0 this bullet is a best practice until 31 March 2025, after which it is required.)
  - Supporting only secure versions and configurations of the protocol in use, with no fallback to insecure versions, algorithms, key sizes, or implementations.
  - Using an encryption strength appropriate for the encryption methodology in use.
- Requirement 4.2.1.1: An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained. (Also a best practice until 31 March 2025 in v4.0, and required after that date.)
- Requirement 4.2.1.2: Wireless networks transmitting PAN or connected to the CDE use industry best practices (for example, IEEE 802.11i) to implement strong cryptography for authentication and transmission.
- Requirement 4.2.2: PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies such as e-mail, instant messaging, SMS, and chat.
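As an added example (not code from this post, and not Basis Theory's code), the Go program below turns the 4.2.1 bullets and the 4.2.1.1 inventory into something that runs offline. It mints throwaway self-signed certificates, stands up loopback TLS servers, and shows a hardened client (TLS 1.2 floor, AEAD-only suites for TLS 1.2, hostname verification, trust limited to an explicit inventory of vetted certificates) refusing an unvetted certificate, an expired certificate, and a server that cannot negotiate above TLS 1.1, while a deliberately weak client (TLS 1.0 allowed, verification disabled) accepts all of them. The host name gateway.example.test and all certificates are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Result is the client-side outcome of one handshake: negotiated version, or the refusal error.
type Result struct {
	Version uint16
	Err     error
}

// selfSigned mints a throwaway self-signed server certificate (constructed demo data, not a
// real payment endpoint). notAfter in the past yields an already-expired certificate.
func selfSigned(host string, notAfter time.Time) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notAfter.Add(-2 * 365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// HardenedClient follows the 4.2.1 bullets: TLS 1.2 floor, forward-secret AEAD suites only for
// TLS 1.2 (TLS 1.3 suites are fixed and all AEAD), hostname check on, trust = the inventory.
func HardenedClient(inventory *x509.CertPool, host string) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
		RootCAs:    inventory,
		ServerName: host,
	}
}

// WeakClient is what 4.2.1 forbids: legacy versions accepted and certificate checks disabled.
func WeakClient() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS10, InsecureSkipVerify: true}
}

// Probe starts a loopback TLS server (serverMax is its protocol ceiling), performs one
// handshake with the given client config, and reports what the client decided.
func Probe(serverCert tls.Certificate, serverMax uint16, client *tls.Config) Result {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Result{Err: err}
	}
	defer ln.Close()
	// The server is deliberately permissive so it can play the "legacy endpoint" role.
	srv := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS10, MaxVersion: serverMax}
	go func() {
		if c, err := ln.Accept(); err == nil {
			s := tls.Server(c, srv)
			_ = s.Handshake() // any failure surfaces as the client's error
			s.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return Result{Err: err}
	}
	defer conn.Close()
	return Result{Version: conn.ConnectionState().Version}
}

// Scenarios runs both clients against a compliant server and against the failure modes 4.2.1
// names: an untrusted certificate, an expired certificate, and an insecure protocol version.
func Scenarios() map[string]Result {
	const host = "gateway.example.test" // hypothetical endpoint name
	year := 365 * 24 * time.Hour
	good := selfSigned(host, time.Now().Add(year))
	expired := selfSigned(host, time.Now().Add(-24*time.Hour))
	rogue := selfSigned(host, time.Now().Add(year)) // well formed, but never vetted
	inventory := x509.NewCertPool()                 // the 4.2.1.1 inventory: approved certs only
	inventory.AddCert(good.Leaf)
	hardened := HardenedClient(inventory, host)
	return map[string]Result{
		"hardened/compliant TLS 1.3 server": Probe(good, tls.VersionTLS13, hardened),
		"hardened/untrusted cert":           Probe(rogue, tls.VersionTLS13, hardened),
		"hardened/expired cert":             Probe(expired, tls.VersionTLS13, hardened),
		"hardened/server capped at TLS 1.1": Probe(good, tls.VersionTLS11, hardened),
		"weak/expired cert over TLS 1.1":    Probe(expired, tls.VersionTLS11, WeakClient()),
	}
}
```

Two caveats for anyone adapting this. First, Go's crypto/tls does not check revocation on its own, so the "not revoked" half of the 4.2.1 bullet still needs OCSP or CRL handling (for example via a VerifyPeerCertificate callback) on top of what is shown here. Second, the weak-client scenario only runs because current Go toolchains still permit TLS 1.0 and 1.1 when they are configured explicitly; a production client should never set that floor.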
How Basis Theory can help you Satisfy PCI DSS Requirement 4
Keeping cardholder data secure while in transit can be difficult for even the most sophisticated companies, given that the unknowns of open networks can pose unpredictable challenges.
The first step in keeping this CHD secure is to confine all sensitive data to a dedicated cardholder data environment. A well-built CDE is the foundation for meeting many PCI DSS requirements and gives companies greater control and flexibility over their payment stack. However, building and maintaining the necessary infrastructure and programs can require hundreds of thousands of dollars and months to implement and assess. Basis Theory provides the platform, infrastructure, and tools to secure cardholder data in minutes and without these costs and distractions.
As a PCI Level 1 compliant service provider, Basis Theory extends an independently assessed and approved CDE to customers. Combined with a suite of configurable tools, services, and tokens, companies can collect, secure, and share card data without bringing their own systems into scope. This approach allows companies to avoid the costs and distractions associated with 95% of the requirements in the Payment Card Industry Data Security Standard (PCI DSS) while retaining complete control over their cardholder data.
*PCI DSS Requirement information contained in this post is for educational purposes only and references material from the guide "Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0" published by the PCI SSC in March 2022. Please refer to the PCI Security Standards Council website for the complete, up-to-date, accurate requirements.