
Requirement 4: encrypt transmission of cardholder data

Encrypt transmission of cardholder data across open, public networks

Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.

Section: 4.1
PCI Requirement: Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
  • Only trusted keys and certificates are accepted.
  • The protocol in use only supports secure versions or configurations.
  • The encryption strength is appropriate for the encryption methodology in use.

Examples of open, public networks that are in scope of the PCI DSS include but are not limited to:

  • The Internet
  • Wireless technologies including 802.11 and Bluetooth
  • Global System for Mobile communications (GSM)
  • General Packet Radio Service (GPRS)
  • Satellite communications

Comments: See Direct Card Processing (all of those connections use HTTPS).

Theatre Manager uses TLS 1.2 wherever possible to connect to credit card authorization servers for one-time authorization and only allows TLS 1.2 or later for incoming web sales.

Theatre Manager does not use any wireless communication methodologies of any form.

Theatre Manager does not transmit any credit card information across public networks for any reason except in the process of authorization.
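The three 4.1 bullets (trusted certificates only, secure protocol versions only, adequate cipher strength) expressed as Python ssl contexts, with a small audit function that reports which bullet a context fails. This is an added example, not Theatre Manager code; the placeholder CA bundle, the optional certificate file arguments and the deliberately weak context are assumptions for illustration.

```python
import ssl

# Placeholder for the card processor's CA bundle; an assumption for
# illustration, not a real file. None means "use the system trust store".
PROCESSOR_CA_BUNDLE = None


def client_context(ca_bundle=PROCESSOR_CA_BUNDLE):
    """Outbound context, e.g. a one-time authorization call to a card
    processor: peer certificate required, hostname checked, TLS 1.2+ only."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # refuses SSLv3, TLS 1.0, TLS 1.1
    return ctx


def server_context(certfile=None, keyfile=None):
    """Inbound context, e.g. a web-sales listener: TLS 1.2 or later only.
    certfile/keyfile are the venue's own server certificate and key; they are
    optional here so the policy can be audited without files on disk."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_client_context():
    """Deliberately non-compliant context (constructed for the audit demo):
    any protocol version OpenSSL offers and no certificate validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx, role):
    """Map each 4.1 bullet to pass/fail for ctx; role is 'client' or 'server'."""
    checks = {
        # Bullet 2: the protocol only supports secure versions (TLS 1.2 or later).
        "tls12_or_later_only": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        # Bullet 3: encryption strength; no suite below 128-bit symmetric strength.
        "ciphers_at_least_128_bit": all(c["strength_bits"] >= 128 for c in ctx.get_ciphers()),
    }
    if role == "client":
        # Bullet 1: only trusted certificates; chain to a trusted CA and match the host.
        checks["trusted_certs_only"] = (ctx.verify_mode == ssl.CERT_REQUIRED
                                        and ctx.check_hostname)
    return checks


def compliant(ctx, role):
    """True only when every applicable 4.1 check passes."""
    return all(audit_context(ctx, role).values())
```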

Section: 4.1.1
PCI Requirement: Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (for example, IEEE 802.11i, aka WPA2) to implement strong encryption for authentication and transmission.

Note: The use of WEP as a security control is prohibited.

Comments: Theatre Manager does not use or require wireless capability when transmitting any card data. Refer to venue LAN setup and considerations for separate wireless access points.

Section: 4.2
PCI Requirement: Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
Comments: See misc PCI requirements.

Section: 4.3
PCI Requirement: Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
Comments: Venues are advised of this requirement during installation.