PCI Resources
A structured approach to the PCI standards

PCI DSS Requirement 4

Requirement 4 and Requirement 5 are the shortest requirements in PCI DSS. Requirement 4's focus is on the protection of any transmission of cardholder data (CHD).

Requirement 4.1 mandates that we must use strong encryption when transmitting cardholder data over open, public networks (also called 'untrusted' networks, most often meaning the internet). PCI DSS defers to NIST regarding acceptable strong encryption ciphers, but PCI DSS 3.2 clearly spells out that all versions of SSL (since replaced by TLS), TLS 1.0 and SSH 1.0 are no longer considered secure, while more recent versions of those protocols are usable (e.g. TLS 1.1 and later, SSH 2.0). Organizations still using those insecure protocols need to move to newer, secure ones as soon as possible, and no later than June 30, 2018 (see Appendix A2 of PCI DSS 3.2 for more detail).
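As an added example (not part of the original article), the following Python function audits the protocol directives of an nginx (`ssl_protocols`) or Apache (`SSLProtocol`) configuration and flags any version that PCI DSS 3.2 rules out (all SSL versions and TLS 1.0), so that a migration to TLS 1.1 or later can be verified from the configuration itself. The sample directives are constructed, and the treatment of Apache's `all` keyword as "every version except SSLv2" is an assumption about Apache 2.4 behaviour.

```python
"""Audit nginx/Apache TLS protocol directives against PCI DSS 3.2 Req. 4.1."""
DISALLOWED = {"SSLv2", "SSLv3", "TLSv1"}  # all SSL and TLS 1.0: ruled out by PCI DSS 3.2
ALLOWED = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}  # TLS 1.1+ usable, 1.2+ preferred
CANON = {v.lower(): v for v in DISALLOWED | ALLOWED}  # case-insensitive lookup

def enabled_protocols(directive: str) -> set:
    """Versions one directive enables; nginx 'ssl_protocols A B;' lists them
    explicitly, Apache 'SSLProtocol all -SSLv3' uses 'all' plus +/- modifiers."""
    tokens = directive.strip().rstrip(";").split()
    if not tokens:
        return set()
    name, args = tokens[0].lower(), tokens[1:]
    if name == "ssl_protocols":
        return {CANON[a.lower()] for a in args if a.lower() in CANON}
    if name == "sslprotocol":
        # Modifiers apply left to right; 'all' is assumed to mean every
        # version except SSLv2, which is how Apache 2.4 treats it.
        enabled = set()
        for arg in args:
            op, ver = (arg[0], arg[1:]) if arg[0] in "+-" else ("+", arg)
            if ver.lower() == "all":
                group = set(CANON.values()) - {"SSLv2"}
            else:
                group = {CANON[ver.lower()]} if ver.lower() in CANON else set()
            enabled = enabled | group if op == "+" else enabled - group
        return enabled
    raise ValueError(f"unrecognised directive: {directive!r}")

def audit(config_text: str) -> dict:
    """Report enabled and disallowed versions plus a verdict. With no directive
    found the compiled-in default applies unseen, so 'compliant' is False."""
    enabled = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        head = line.split(None, 1)[0].lower() if line else ""
        if head in ("ssl_protocols", "sslprotocol"):
            enabled |= enabled_protocols(line)
    disallowed = enabled & DISALLOWED
    return {"enabled": enabled, "disallowed": disallowed,
            "compliant": bool(enabled) and not disallowed}

# Constructed sample snippets: the weak form beside its hardened replacement.
WEAK_NGINX = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # legacy default"
HARDENED_NGINX = "ssl_protocols TLSv1.2 TLSv1.3;"
WEAK_APACHE = "SSLProtocol all -SSLv2"
HARDENED_APACHE = "SSLProtocol -all +TLSv1.2 +TLSv1.3"

if __name__ == "__main__":
    for cfg in (WEAK_NGINX, HARDENED_NGINX, WEAK_APACHE, HARDENED_APACHE):
        print(cfg, "->", audit(cfg))
```

A compliant verdict here only covers protocol versions; cipher suite selection still has to be checked against NIST guidance as the text notes.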

Since open, public networks are outside the organization's control, and a well-placed attacker may be able to intercept and eavesdrop on the communication, we need to secure communications over any network where we have no control. This can be done by using an encrypted tunnel such as a VPN (site-to-site or point-to-point), by using dedicated private links, or by using an encrypted communication channel at the application level (such as an HTTPS or SFTP connection).

Open, public networks include, but are not limited to, the Internet, wireless networks, and Bluetooth connections. For Multiprotocol Label Switching (MPLS) networks, which are often used to provide connectivity between various physical sites (data centers, branches, etc.), the details of the implementation determine whether the network is considered public or private (this is covered in FAQ 1045).

Wireless networks are at greater risk since an attacker need not be physically present on site to access them; they must therefore also use strong encryption, which in practice means the WPA/WPA2 protocols. Again, NIST is the authoritative source on what constitutes strong encryption.

The PAN (primary account number) and SAD (sensitive authentication data) should also never be sent through email, instant messaging, chat and other applications of that nature (requirement 4.2).

We could also include requirements 2.3 and 8.2.1 (the transmission portion of the password requirement) within the transmission requirements.

Further Readings