PCI-4.1.1:
- Use strong cryptography and encryption techniques (at least 128 bit) such as Secure Sockets Layer (SSL), Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPSEC) to safeguard sensitive cardholder data during transmission over public networks.
- Verify the use of encryption (e.g., SSL) wherever cardholder data is transmitted or received over the Internet by performing the following:
  - Verify that at least 128 bit encryption is used during data transmission.
  - For SSL implementations, verify that HTTPS appears as a part of the browser Universal Record Locator (URL), and that no cardholder data was required when HTTPS did not appear in the URL.
  - Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit.
  - Verify that only trusted SSL keys/certificates are accepted.
  - Verify that, for the encryption methodology in use, the proper encryption strength is implemented. For example:
    - 3DES: 128 bits
    - Advanced Encryption Standard (AES): 256 bits
    - RSA: 1024 bits
    - Check vendor recommendations and best practices for other encryption methodologies.
- PCI-4.1.1: For wireless networks transmitting cardholder data or connected to cardholder environments, verify that:
  - Appropriate encryption methodologies are in use for any wireless transmissions, such as: VPN, SSL/TLS at 128 bit, WEP (Wired Equivalency Protocol) at 128 bits, and/or WPA.
  - If WEP is used, verify processes are in place to rotate shared WEP keys at least quarterly and whenever key personnel leave.
  - If WEP is used, verify that another methodology is in use, in addition to WEP, to protect the data.
  - For automated key rotation processes, verify that keys change every 10-30 minutes.
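Added example, not part of the original control page or of the PCI standard: a Python check for three of the testing points above, namely that at least 128-bit encryption is negotiated, that only trusted certificates are accepted, and what protocol version the endpoint actually uses. observe() needs network access to the endpoint under review; evaluate() grades a recorded result, so it can also be run against evidence captured earlier. The host name, the 128-bit threshold and the deprecated-protocol list are assumptions for illustration; that list reflects later PCI DSS revisions (3.1 onward), which no longer accept SSL and early TLS for cardholder data.

```python
import socket
import ssl
from dataclasses import dataclass

MIN_BITS = 128  # "at least 128 bit encryption" from the control text
# Assumed list; SSL and early TLS are not accepted by later PCI DSS revisions.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class TransportCheck:
    """What one TLS handshake with the endpoint actually negotiated."""
    protocol: str        # e.g. "TLSv1.2"
    cipher: str          # OpenSSL cipher name
    bits: int            # symmetric key bits reported for the cipher
    cert_verified: bool  # chain and host name validated against trusted roots


def evaluate(check: TransportCheck):
    """Grade a recorded handshake; returns (passed, list_of_findings)."""
    findings = []
    if not check.cert_verified:
        findings.append("peer certificate is not trusted (chain or host name failed)")
    if check.bits < MIN_BITS:
        findings.append(f"cipher {check.cipher} negotiates only {check.bits}-bit keys")
    if check.protocol in WEAK_PROTOCOLS:
        findings.append(f"protocol {check.protocol} is deprecated for cardholder data")
    return (not findings, findings)


def _handshake(ctx: ssl.SSLContext, host: str, port: int, timeout: float):
    """Perform one handshake and return (protocol, cipher_name, bits)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return tls.version(), name, bits


def observe(host: str, port: int = 443, timeout: float = 5.0) -> TransportCheck:
    """Connect with the default (verifying) context and record the result.

    The default context enforces CERT_REQUIRED plus host-name checking, which
    is the "only trusted SSL keys/certificates are accepted" test. If trust
    fails, the handshake is repeated without verification purely so the
    negotiated protocol and cipher can still be recorded as evidence.
    """
    try:
        proto, name, bits = _handshake(ssl.create_default_context(), host, port, timeout)
        return TransportCheck(proto, name, bits, True)
    except ssl.SSLCertVerificationError:
        unverified = ssl.create_default_context()
        unverified.check_hostname = False
        unverified.verify_mode = ssl.CERT_NONE
        proto, name, bits = _handshake(unverified, host, port, timeout)
        return TransportCheck(proto, name, bits, False)


if __name__ == "__main__":
    # Hypothetical endpoint name for illustration; replace with the system under review.
    result = observe("payments.example.invalid")
    passed, findings = evaluate(result)
    print(result)
    print("PASS" if passed else "FAIL", findings)
```

Run it once per sampled endpoint and keep the printed TransportCheck as the evidence record; evaluate() deliberately reports every shortfall rather than stopping at the first, so a single observation yields the complete list of findings for the control exception commentary.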
Testing Procedures
Insert testing guidance here.
Testing Frequency
Describe testing frequency here.
Evidence Archive Location
Insert hyperlink or location of evidence archive.
Control Stewards Process Narrative
Provide control steward commentary indicating the formal methodology in place.
Control Steward – Jon Doe
Process Illustration
Replace this text by inserting a process diagram, flowchart or other visual representation to illustrate the process narrative as necessary. Include a brief description of the process illustration.
Control Status and Auditors Commentary
The control is effective.
Status is acceptable.
Control Exception Commentary
Status is acceptable.
Remediation Plan
Remediation is not required at this time.
--Mdpeters 12:46, 28 February 2007 (EST)