Requirement 4: Encrypt transmission of cardholder data

Encrypt transmission of cardholder data across open, public networks

Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.

For each section below, the entries are: the PCI Requirement, Comments, and whether the control is Provided by Artsman Cloud.

Section 4.1

PCI Requirement: Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
  • Only trusted keys and certificates are accepted.
  • The protocol in use only supports secure versions or configurations.
  • The encryption strength is appropriate for the encryption methodology in use.

Examples of open, public networks that are in scope of the PCI DSS include but are not limited to:
  • The Internet
  • Wireless technologies, including 802.11 and Bluetooth
  • Global System for Mobile communications (GSM)
  • General Packet Radio Service (GPRS)
  • Satellite communications

Comments: See Direct Card Processing, which all use HTTPS.

Theatre Manager uses TLS 1.2 wherever possible to connect to credit card authorization servers for one-time authorization, and only allows TLS 1.2 or later for incoming web sales.

Theatre Manager does not use any wireless communication methodologies of any form.

Theatre Manager does not transmit any credit card information across public networks for any reason except in the process of authorization.

Provided by Artsman Cloud: SPLIT
  • Artsman: Uses TLS 1.2 and TLS 1.3, when available.
  • Customer: Must ensure that all workstations support TLS 1.2+.

Section 4.1.1

PCI Requirement: Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (for example, IEEE 802.11i, aka WPA2) to implement strong encryption for authentication and transmission.

Note: The use of WEP as a security control is prohibited.

Comments: Theatre Manager does not use or require wireless capability when transmitting any card data. Refer to venue LAN setup and considerations for separate wireless access points.

Provided by Artsman Cloud: NO - If the customer is using wireless networks to access cloud services, then they must secure them appropriately.

Section 4.2

PCI Requirement: Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).

Comments: See Misc PCI Requirements.

Provided by Artsman Cloud: N/A - Authorization of cards is only supported in Theatre Manager.

Section 4.3

PCI Requirement: Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.

Comments: Venues are advised during installation about this requirement, including not saving CVV2 and protecting card data in a safe if it is written down.

You will need to write a policy on how you manually save CC data, how you track who has access to it, and how you store it in a safe and/or behind locked doors.

Make sure the policy also includes that you never email card data in its entirety and that card data on paper is only kept as long as you need it.

Theatre Manager handles all transmission of data via TLS 1.2 or better (it only uses the latest transmission security protocols as mandated by PCI).

Provided by Artsman Cloud: NO - The customer must educate their own staff on card handling policies.