4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Requirement 4.1

Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.

When you use wireless technology with IBM® Safer Payments, you must ensure that

  • Industry best practices (for example, IEEE 802.11i) are used to include or make available strong encryption for authentication and transmission.
  • PCI DSS requirement 2.3.1 is fully met.

IBM Safer Payments allows to send PANs or other sensitive data by end user messaging technologies. For such notifications and case actions, a configuration option ensures that only masked sensitive data are sent out, according to PCI DSS Requirement 3.4.1. In consequence, requirement 4.1 is met.

If you use PANs or other sensitive data in notifications or case actions, you must activate encryption and enable masked PAN. For more information about how to turn masking of PANs or other sensitive data on, see Data encryption configuration.

Requirement 4.2.1

Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:
  • Only trusted keys and certificates are accepted.
  • Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes for details.
  • The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
  • The encryption strength is appropriate for the encryption methodology in use.

To comply with this requirement, all IP communication must be protected by strong cryptography and security protocols. For example, by only using TLSv1.2 or higher, SSH-2, IPSEC, all with at least 128-bit encryption. This can be achieved by using the internal SSL encryption function of IBM Safer Payments and using multi-factor authentication. For more information, see Configuring SSL encryption.

Requirement 4.2.1.2

Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission.

When you use wireless technology with IBM Safer Payments, you must ensure that

  • PCI DSS requirement 2.3.1 is fully met.
  • PCI DSS requirement 4.1 is fully met.