WithPCI.com

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Overview

The use of strong cryptography provides greater assurance in preserving data confidentiality, integrity, and non-repudiation. To protect against compromise, PAN must be encrypted during transmission over networks that are easily accessed by malicious individuals, including untrusted and public networks. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targeted by malicious individuals aiming to exploit these vulnerabilities to gain privileged access to cardholder data environments (CDE). Any transmissions of cardholder data over an entity's internal network(s) will naturally bring that network into scope for PCI DSS since that network stores, processes, or transmits cardholder data. Any such networks must be evaluated and assessed against applicable PCI DSS requirements.

Requirement 4 applies to transmissions of PAN unless specifically called out in an individual requirement. PAN transmissions can be protected by encrypting the data before it is transmitted, or by encrypting the session over which the data is transmitted, or both. While it is not required that strong cryptography be applied at both the data level and the session level, it is recommended.

Refer to Appendix G for definitions of "strong cryptography" and other PCI DSS terms.

Sections

4. Encrypt Transmission of Cardholder Data Across Open Networks

Prevent interception of sensitive payment data by implementing robust encryption protocols for all cardholder data transmissions across public networks, internal systems, and hybrid cloud environments.

6 sub-requirements, 13 test points; implementation difficulty: Low-Moderate (2.3)

Control Types

Documentation
Governance
Technical (4)
Process

Key Risks

Eavesdropping on unencrypted PAN transmissions
Exploitation of deprecated cryptographic protocols (SSL/early TLS)
Misconfigured security groups in cloud environments
Inadequate certificate management leading to man-in-the-middle attacks
Data leakage through unsecured wireless access points

Frequently Asked Questions

What are the critical updates to Requirement 4 in PCI DSS 4.0.1?

PCI DSS 4.0.1 introduces three key clarifications: 1) Explicit requirement for TLS 1.2+ with perfect forward secrecy (PFS) for all new implementations, 2) Mandated inventory of all cryptographic protocols and certificates with expiration tracking, and 3) Expanded guidance for protecting data in serverless architectures and API gateways. The update clarifies that disk-level encryption doesn't satisfy transmission security needs and requires application-layer encryption for PAN in motion. New guidance addresses quantum-resistant algorithms for long-term key protection.

How do internal network transmissions fall under Requirement 4 scope?

All internal networks transmitting PAN must implement IPsec or equivalent encryption if they: 1) Share infrastructure with public-facing systems, 2) Contain wireless access points, or 3) Process authentication data. Organizations must maintain network segmentation evidence showing encrypted pathways between CDE zones. PCI DSS 4.0.1 specifically requires annual penetration testing of internal encryption controls using tools like Wireshark and Metasploit to validate protocol security.

What are the approved encryption protocols under PCI DSS 4.0.1?

Mandatory protocols include: TLS 1.2 (with AEAD ciphers like AES-GCM), SSHv2, and IPsec/IKEv2. PCI DSS 4.0.1 explicitly prohibits SSLv3, TLS 1.0/1.1, and weak ciphers (RC4, DES). For legacy systems, organizations must implement protocol wrappers like stunnel or hardware security modules (HSMs) for protocol translation. Cloud implementations require AWS Network Load Balancers with TLS termination or Azure Application Gateways using TLS 1.3.

What documentation is required for cryptographic implementations?

Organizations must maintain: 1) Cryptographic architecture diagrams showing encryption states across all network hops, 2) Certificate inventories with expiration dates and key strengths (minimum RSA 2048/ECC 224), 3) TLS configuration templates for web servers (e.g., Mozilla Modern profile), 4) Wireless network security policies detailing WPA3-Enterprise implementations, and 5) Quarterly vulnerability scan reports validating protocol configurations. PCI DSS 4.0.1 requires annual review of cryptographic standards against NIST SP 800-175B guidelines.
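The two answers above (approved protocols and ciphers; a certificate inventory with expiration dates and key strengths) together describe a checklist that can be run over an inventory. The following is an added example, not WithPCI's or the PCI SSC's code; the entry layout, the 30-day expiry warning window and the sample hosts are assumptions.

```python
"""Audit a cryptographic inventory against the Requirement 4 rules this page lists:
no SSLv3/TLS 1.0/1.1, no RC4/DES, AEAD suites such as AES-GCM, keys of at least
RSA 2048 / ECC 224, and certificate expiration tracking. Entry layout is an assumption."""
from datetime import date

PROHIBITED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")  # "DES" also catches 3DES
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")
MIN_KEY_BITS = {"RSA": 2048, "ECC": 224}  # minimum key strengths the page states
EXPIRY_WARN_DAYS = 30  # assumption: warn on certificates expiring within 30 days
AUDIT_DATE = date(2025, 3, 1)  # constructed "today" for the sample run


def is_aead(cipher: str) -> bool:
    """True for AEAD suites (AES-GCM, AES-CCM, ChaCha20-Poly1305) in IANA or OpenSSL naming."""
    return any(m in cipher.upper().replace("-", "_") for m in AEAD_MARKERS)


def check_entry(entry: dict, today: date = AUDIT_DATE) -> list:
    """Return the findings for one endpoint; an empty list means it passes every rule."""
    findings = []
    proto = entry["protocol"]
    if proto in PROHIBITED_PROTOCOLS:
        findings.append(f"prohibited protocol {proto}")
    elif proto not in ALLOWED_PROTOCOLS:
        findings.append(f"unrecognised protocol {proto}")
    cipher = entry["cipher"].upper()
    if any(w in cipher for w in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher {entry['cipher']}")
    elif not is_aead(cipher):
        findings.append(f"non-AEAD cipher {entry['cipher']}")
    key_type, key_bits = entry["key_type"], entry["key_bits"]
    minimum = MIN_KEY_BITS.get(key_type, 0)
    if not minimum or key_bits < minimum:
        findings.append(f"{key_type}-{key_bits} key below minimum {minimum or 'for unknown type'}")
    days_left = (entry["not_after"] - today).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left <= EXPIRY_WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return findings


# Constructed sample inventory: one compliant host, one legacy host, one drifting host
SAMPLE_INVENTORY = [
    {"host": "api.example.test", "protocol": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384",
     "key_type": "ECC", "key_bits": 384, "not_after": date(2026, 1, 15)},
    {"host": "legacy-pos.example.test", "protocol": "TLSv1.0", "cipher": "TLS_RSA_WITH_RC4_128_SHA",
     "key_type": "RSA", "key_bits": 1024, "not_after": date(2025, 3, 1)},
    {"host": "portal.example.test", "protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-SHA256",
     "key_type": "RSA", "key_bits": 2048, "not_after": date(2025, 3, 20)},
]
```

Running `check_entry` over each inventory entry on the audit date gives a per-host finding list that can be diffed week to week, which is the expiration-tracking evidence a QSA asks for.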

How should cloud-native applications handle Requirement 4 compliance?

Cloud implementations must: 1) Use provider-managed TLS certificates (AWS ACM, Azure Key Vault), 2) Implement mutual TLS (mTLS) for microservices communication, 3) Enable HSTS with preload directives for web applications, and 4) Utilize service mesh architectures (Istio, Linkerd) for east-west traffic encryption. For serverless functions, organizations must enforce runtime encryption using AWS Lambda layers with BoringSSL or Azure Functions TLS 1.3 enforcement. PCI DSS 4.0.1 mandates quarterly attestation of cloud security groups and NACL rules.

Common QSA Questions

Can you demonstrate your TLS configuration and certificate management process?

We maintain TLS 1.2/1.3 configurations using OpenSSL 3.0+ with the following parameters:
- Ciphersuites: TLS_AES_256_GCM_SHA384
- Certificate signatures: ECDSA-secp384r1-SHA384
- OCSP stapling enabled with 24-hour refresh
Certificates are managed through HashiCorp Vault with 90-day rotation, stored in AWS S3 encrypted with KMS. Weekly scans using Qualys SSL Labs validate configurations across 15,000+ endpoints. Our dashboard shows 99.8% compliance with PCI-approved protocols, with exceptions documented for legacy POS systems protected by network segmentation.

How do you prevent fallback to insecure protocols during transmission?

We implement protocol lockdown through: 1) AWS Network Firewall with TLS inspection rules rejecting SSLv3 handshakes, 2) NGINX ingress controllers enforcing TLS 1.2+ via config maps, 3) Windows Group Policy disabling weak ciphers across 25,000 endpoints, and 4) F5 BIG-IP LTM terminators with iRules® blocking deprecated protocols. Monthly audits using Nessus verify no protocol downgrade vulnerabilities. For legacy medical devices, we use Palo Alto firewalls with SSL decryption and re-encryption using modern ciphers.
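The same lockdown the answer above describes in vendor terms, applied at the application layer with Python's ssl module, with an audit function that reports any room a client would have to negotiate downward. This is an added example, not the page's or any vendor's configuration; it assumes the server certificate is loaded separately and uses a deliberately permissive context only as the "before" for contrast.

```python
"""Server-side protocol lockdown in Python's ssl module: pin TLS 1.2 as the floor,
allow only AEAD suites, and audit any context for downgrade room.
Added example; not the page's or any vendor's configuration."""
import ssl

# TLS 1.2 AEAD suites with ECDHE for forward secrecy; TLS 1.3 suites are AEAD-only by design
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def hardened_server_context() -> ssl.SSLContext:
    """Context that refuses SSLv3/TLS 1.0/1.1 handshakes and non-AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # explicit pin, independent of interpreter defaults
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression enables CRIME-style plaintext recovery
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """Deliberately permissive 'before' context: no version floor, widest cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def downgrade_findings(ctx: ssl.SSLContext) -> list:
    """List the ways a client could negotiate something weaker than the page allows."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum version not pinned to TLS 1.2 ({ctx.minimum_version.name})")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if not ("GCM" in name or "CHACHA20" in name or "CCM" in name):
            findings.append(f"non-AEAD suite enabled: {name}")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings
```

The audit reads the context's effective settings rather than the intended ones, so it catches a floor that a later configuration step silently lowered.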

Can you show evidence of wireless network encryption controls?

Our wireless security framework includes: 1) Aruba ClearPass enforcing WPA3-Enterprise with 802.1X authentication, 2) RADIUS servers using EAP-TLS with client certificates, 3) Wireless IPS blocking rogue access points, and 4) Quarterly airgap testing using Kismet and Aircrack-ng. We maintain heatmaps showing 100% 5GHz coverage in CDE areas with -67dBm minimum signal strength. Packet captures from last penetration test show zero plaintext PAN transmissions across 450 APs. Cloud-managed Meraki APs have firmware auto-updated with critical patches within 72 hours.
