PCI 4:

From HORSE - Holistic Operational Readiness Security Evaluation.

Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.




  • Note that this does not apply to those employees and other parties with a specific need to see full credit card numbers.




PCI-4.1 Use strong cryptography and encryption techniques (at least 128-bit), such as Secure Sockets Layer (SSL), Point-to-Point Tunneling Protocol (PPTP), or Internet Protocol Security (IPsec), to safeguard sensitive cardholder data during transmission over public networks.


Verify the use of encryption (e.g., SSL) wherever cardholder data is transmitted or received over the Internet by performing the following:


  • Verify that at least 128-bit encryption is used during data transmission.
  • For SSL implementations, verify that HTTPS appears as part of the browser Uniform Resource Locator (URL), and that no cardholder data was required when HTTPS did not appear in the URL.
  • Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit.
  • Verify that only trusted SSL keys/certificates are accepted.
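The three checks above (128-bit minimum, HTTPS for any page that collects cardholder data, trusted certificates only) can be scripted for an audit. The helper below is an added example written for this page, not part of the HORSE wiki or the PCI DSS text; the host names and form field names are constructed samples, and it uses Python's ssl module with the TLS settings a current assessor would expect rather than the SSL versions the requirement names.

```python
"""Audit helpers for the PCI-4.1 testing procedures (constructed example)."""
import ssl
from urllib.parse import urlsplit

MIN_KEY_BITS = 128
# Field names treated as cardholder data (assumption for this example).
CARDHOLDER_FIELDS = {"pan", "card_number", "expiry", "cvv"}

# Constructed sample of form submissions seen while observing a checkout flow.
SAMPLE_SUBMISSIONS = [
    {"url": "https://shop.example/checkout", "fields": ["pan", "expiry", "cvv"]},
    {"url": "http://shop.example/track", "fields": ["order_id"]},
    {"url": "http://shop.example/pay", "fields": ["pan", "expiry"]},
]


def cipher_meets_minimum(cipher, min_bits=MIN_KEY_BITS):
    """cipher is the (name, protocol, bits) tuple from ssl.SSLSocket.cipher().

    SSLv2/SSLv3 fail regardless of key length; otherwise the negotiated
    symmetric key must be at least min_bits.
    """
    _name, protocol, bits = cipher
    if protocol in ("SSLv2", "SSLv3"):
        return False
    return bits is not None and bits >= min_bits


def url_requires_tls(url):
    """The browser check: does the URL the data is posted to use https?"""
    return urlsplit(url).scheme.lower() == "https"


def audit_submissions(submissions):
    """Return (url, fields) for every submission that sends cardholder data
    to a non-HTTPS URL."""
    findings = []
    for sub in submissions:
        sensitive = CARDHOLDER_FIELDS.intersection(sub["fields"])
        if sensitive and not url_requires_tls(sub["url"]):
            findings.append((sub["url"], sorted(sensitive)))
    return findings


def make_verifying_context():
    """Client context that accepts only trusted certificates and checks the
    host name, so an untrusted server certificate aborts the handshake."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    """True when the context enforces the 'trusted certificates only' check."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
```

Wrap a real socket with `make_verifying_context().wrap_socket(sock, server_hostname=host)` and feed `ssock.cipher()` to `cipher_meets_minimum` to run the live check during a transaction sample.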


Verify that, for the encryption methodology in use, the proper encryption strength is implemented. For example:



PCI-4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using Wi-Fi Protected Access (WPA) technology if the equipment is WPA-capable, or a VPN or SSL at 128-bit. Never rely exclusively on WEP to protect the confidentiality of, and access to, a wireless LAN. Use one of the above methodologies in conjunction with 128-bit WEP, and rotate shared WEP keys quarterly and whenever there are personnel changes.




PCI-4.2 Never send cardholder information via unencrypted e-mail.


  • Maintain a Vulnerability Management Program.


Use this illustration to determine what and where card data is permitted by PCI DSS.

--Mdpeters 08:33, 7 July 2006 (EDT)