PCI (Payment Card Industry Security Standard)_Req 4.1

PCI (Payment Card Industry Security Standard)

Encrypt transmission of cardholder data across open, public networks

Req 4.1

4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:

– Only trusted keys and certificates are accepted.
– The protocol in use only supports secure versions or configurations.
– The encryption strength is appropriate for the encryption methodology in use.

Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.

Sensitive information must be encrypted during transmission over public networks because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0 and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection: for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, that they have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with “HTTPS” and/or the web browser should display a padlock icon somewhere in the browser window. Many TLS certificate vendors also provide a highly visible verification seal (sometimes referred to as a “security seal”, “secure site seal” or “secure trust seal”), which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g. NIST SP 800-52 and SP 800-57, OWASP, etc.).
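The three conditions above (trusted certificates only, secure protocol versions only, strong encryption) map directly onto how a TLS client should be configured and how an observed connection should be judged. The following Python is an added example, not part of the PCI DSS text or any vendor's code: `make_pci_client_context` builds a client context that refuses SSL/early TLS, untrusted chains and weak cipher suites, and `assess_connection` turns the facts observed on one connection (protocol version, cipher name, chain trust, validity window) into Req 4.1 findings. The cipher and version lists are this example's own reading of the guidance (NIST SP 800-52), not an official PCI list.

```python
import ssl
import time

# Versions PCI DSS calls "SSL/early TLS" (Appendix A2 applies if any are still in use).
INSECURE_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
# Cipher-name fragments that mark a suite as not "strong cryptography" (example list,
# derived from NIST SP 800-52 guidance): no encryption, export grades, RC4, (3)DES, MD5,
# anonymous key exchange and pre-shared keys.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "PSK")


def make_pci_client_context(ca_file=None):
    """Client SSLContext that only accepts trusted certificates and TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system trust store when ca_file is None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse SSL and early TLS outright
    ctx.verify_mode = ssl.CERT_REQUIRED               # untrusted or expired chains fail the handshake
    ctx.check_hostname = True                          # the certificate must match the requested host
    # Restrict the TLS 1.2 cipher list to forward-secret AEAD suites (TLS 1.3 suites are
    # governed separately by OpenSSL and are all AEAD).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK")
    return ctx


def cert_is_current(not_before, not_after, now=None):
    """True if `now` (epoch seconds) lies inside the validity window of a peer certificate.

    `not_before`/`not_after` use the format returned by SSLSocket.getpeercert(),
    e.g. "Jan 10 00:00:00 2024 GMT".
    """
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(not_before) <= now <= ssl.cert_time_to_seconds(not_after)


def assess_connection(version, cipher, cert_verified, cert_current):
    """Return Req 4.1 findings for one observed connection; an empty list means compliant."""
    findings = []
    if version in INSECURE_VERSIONS:
        findings.append(f"insecure protocol version {version} (PCI DSS Appendix A2 applies)")
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {cipher}")
    if not cert_verified:
        findings.append("certificate chain is not trusted")
    if not cert_current:
        findings.append("certificate is outside its validity period")
    return findings


if __name__ == "__main__":
    # Constructed sample: a legacy endpoint negotiating TLS 1.0 with RC4-MD5 and a stale cert.
    print(assess_connection("TLSv1", "RC4-MD5", cert_verified=False, cert_current=False))
```

In a real audit the inputs to `assess_connection` come from `SSLSocket.version()`, `SSLSocket.cipher()[0]` and `SSLSocket.getpeercert()` after connecting with the context above; a handshake that fails is itself the expected outcome for a non-compliant peer.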

What is a Cybersecurity Compliance Framework?

You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.

With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.

The Lionfish platform is compatible with a wide range of security and privacy frameworks, including: