Requirement 4: Protect cardholder data with strong cryptography during transmission


  • This requirement is designed to protect cardholder data and SAD when transmitted over unprotected networks—such as the internet—where it can be vulnerable to interception.

  • Figure 12. Global state of PCI DSS compliance: Requirement 4

  • Full compliance: A slight improvement on full compliance from 86.4% to 90.8%—exceeding 90% for the first time in over five years.

    In terms of long-term trends, Requirement 4 consistently maintains one of the highest levels of full compliance, together with Requirements 7 and 5.

    Control gap: The control gap narrowed to 2.1%, the lowest level in more than five years. Requirement 4 has the fewest controls in the PCI DSS—only three controls and 12 test procedures.

    Compensating controls: In the 2020 dataset, the use of compensating controls reached nearly zero. Historically, the use of compensating controls for this requirement has consistently been very low.

  • Figure 13. Requirement 4 control performance

    • A tip on sustainable control effectiveness

      Ensure that wireless networks are configured to support strong encryption for authentication and transmission. Wired Equivalent Privacy (WEP) and Secure Sockets Layer (SSL) are not considered secure and must be removed from all existing wireless network configurations and other components. Automate the detection and reporting of unknown and rogue wireless access points. Maintain a capability to effectively monitor and respond to detection alerts; measure and report control performance over time.

  • Requirement 4: Protect cardholder data with strong cryptography during transmission

    The goal

    The goal of PCI DSS Key Requirement 4 is to develop, execute and maintain a sustainable capability for the effective monitoring and protection of CHD across the CDE, through the application of strong cryptography to protect Primary Account Numbers (PANs) during transmission of the PAN over open, public networks.

    This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.

    Goal applicability and scope considerations

    • The goal applies to all system components across the CDE where any PAN is transmitted over open, public networks, such as the internet, messaging systems or wireless technologies, including Wi-Fi, Bluetooth®, cellular technologies, satellite communications and General Packet Radio Service (GPRS) components
    • It also applies to all security system components (technology and people) that support the security controls needed to meet this key requirement, such as systems that support security certificates, cryptographic systems, and logging and monitoring systems

    Goal requirements:

    Some of the primary conditions necessary to achieve the goal

    • Documentation and processes: Maintain effective standard operating procedures with clearly articulated standards, roles and responsibilities. Regularly train and educate staff on how to follow the documented procedures. Internally monitor and report adherence to procedures
    • Competency: The correct design, implementation, operation and maintenance of strong cryptography and certificate systems for securing data in transit; safeguarding CHD before and during transmission of the PAN over open, public networks
    • Capability—scope management: The ability to continuously identify, monitor and improve all system components where the PAN is transmitted over open, public networks, to meet and maintain the compliance requirements. Internally monitor and report scope nonconformity and violations

    Strong dependencies and integration with other key requirements

    • Requirement 6: Integration with system-hardening requirements
    • Requirements 7 & 8: Secure authentication and access control to components that store CHD
    • Requirement 10: Logging and monitoring of components that store CHD and related security systems
    • Requirement 11: The testing of components that store CHD and related security systems
    • Requirement 12: Ongoing contractual management of third-party data security responsibilities

    Short-term objectives

    • Capability—scope and automation: Implement and maintain a system for the effective, automatic identification and reporting of the configuration and security status of all components that transmit CHD
    • Capability—detect and respond: Develop and improve the ability to rapidly detect and respond to any clear-text transmission of the PAN from within the organization over open, public networks
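    The detect-and-respond objective above needs a concrete detection mechanism. The following is an added example (not from the Verizon report) that scans constructed egress-log records for Luhn-valid PANs carried over non-TLS connections and reports them masked; the log format, field names and sample lines are assumptions made for the illustration.

    ```python
    import re

    # Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
    PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

    def luhn_valid(digits: str) -> bool:
        """Return True if the digit string passes the Luhn check used by payment card numbers."""
        total = 0
        for i, ch in enumerate(reversed(digits)):
            d = int(ch)
            if i % 2 == 1:  # every second digit from the right is doubled
                d *= 2
                if d > 9:
                    d -= 9
            total += d
        return total % 10 == 0

    def find_pans(text: str) -> list:
        """Return Luhn-valid candidate PANs found in text, with separators removed."""
        hits = []
        for m in PAN_CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append(digits)
        return hits

    def mask(pan: str) -> str:
        """Mask a PAN for alerting: first six and last four digits visible, the rest hidden."""
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

    # Constructed sample records (assumed format): an egress proxy log that captures request bodies.
    SAMPLE_LINES = [
        '2020-04-01T10:00:01Z egress dst=203.0.113.10:80 proto=http body="card=4111111111111111&exp=1224"',
        '2020-04-01T10:00:02Z egress dst=203.0.113.10:443 proto=https body="<encrypted>"',
        '2020-04-01T10:00:03Z egress dst=198.51.100.7:80 proto=http body="order=1234567890123&qty=2"',
        '2020-04-01T10:00:04Z egress dst=198.51.100.7:80 proto=http body="pan=5555 5555 5555 4444"',
    ]

    def scan_lines(lines):
        """Return (line_index, masked_pan) pairs for clear-text (non-TLS) records carrying a valid PAN."""
        findings = []
        for i, line in enumerate(lines):
            if "proto=https" in line:
                continue  # encrypted channel: the body is not exposed in clear text
            for pan in find_pans(line):
                findings.append((i, mask(pan)))
        return findings

    if __name__ == "__main__":
        for idx, masked in scan_lines(SAMPLE_LINES):
            print(f"clear-text PAN on line {idx}: {masked}")
    ```

    The third sample line contains a 13-digit number that fails the Luhn check, so it is not reported; the Luhn filter is what keeps order numbers and timestamps from flooding the alert queue.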

    Long-term objectives

    • Improvement: Improve and refine configurations, integration, support processes, documentation and training on all relevant system components
    • Maturity: Achieve and maintain high capability maturity and performance in the protection of CHD during transmission, with low deviation from configuration standards, and high capability for the rapid detection and correction of configuration nonconformities across the CDE

    Common constraints

    • Competency—scope management: Failure to include all applicable wireless technologies in the scope of compliance and validation
    • Competency—security proficiency: Insufficient mastery of cryptographic industry standards, cryptography implementation and key management procedures, improper comprehension or inconsistent operation of security certificate management procedures, ineffective maintenance of cryptographic architecture and infrastructure
    • Capability—secure operations: Ineffective design, operation and management of secure end-user messaging technologies
    • Cost and capacity: The cost and effort of upgrading outdated cryptographic protocols across a large environment with many affected components