4.2 PAN is protected with strong cryptography during transmission.
This requirement focuses on ensuring that Primary Account Numbers (PAN) are protected with strong cryptography while in transit over networks, particularly open, public networks, so that cardholder data cannot be read or captured if the traffic is intercepted.
Sub-requirements:
4.2 Cardholder data is protected with strong cryptography during transmission over open, public networks.
Ensure that cardholder data is always encrypted or rendered unreadable when transmitted over open, public networks, and is never sent in clear text.
Key Risks
Frequently Asked Questions
What networks are considered 'open, public networks'?
Any network that is not fully controlled by the organization, such as the Internet, wireless networks, and third-party networks.
What encryption protocols are acceptable for protecting data in transit?
Strong protocols such as TLS 1.2 or higher, with trusted certificates and strong cipher suites.
Can PAN be sent over email, SMS, or chat?
No, unless it is rendered unreadable (e.g., encrypted or tokenized) before transmission.
How do you ensure encryption is always used?
By enforcing technical controls, conducting regular network scans, and monitoring for unencrypted data flows.
What are common mistakes organizations make with Requirement 4.2?
Using outdated protocols, failing to monitor for clear-text transmissions, or not controlling end-user messaging channels.
Common QSA Questions
Can you demonstrate that all cardholder data transmitted over public networks is encrypted?
Yes, we use strong encryption protocols (TLS 1.2+) and regularly test our network to ensure compliance.
How do you manage and monitor your encryption certificates?
We use a certificate management system to track, renew, and monitor all certificates for expiration and validity.
How do you prevent PAN from being sent via end-user messaging technologies?
We use DLP solutions, user training, and technical controls to block or encrypt PAN in all messaging channels.
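The FAQ answer above ("TLS 1.2 or higher, with trusted certificates and strong cipher suites") and the QSA answers on encryption testing and certificate monitoring can be turned into a repeatable check. The following is an added example, not code from this page or from the PCI SSC: it builds a client context that refuses anything below TLS 1.2 and verifies the certificate chain and hostname, then judges what an endpoint negotiated. The weak-cipher markers and the 30-day renewal window are this example's own assumptions, not values PCI DSS mandates.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # "TLS 1.2 or higher"
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")  # assumption: example's own list
RENEWAL_WINDOW = timedelta(days=30)  # assumption: example's own renewal lead time

def pci_tls_context():
    """Client context that refuses anything below TLS 1.2 and verifies chain + hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def evaluate(protocol, cipher, not_after, now):
    """Judge one observed handshake: failures break 4.2, warnings need certificate action."""
    failures, warnings = [], []
    if protocol not in ACCEPTED_PROTOCOLS:
        failures.append(f"protocol {protocol} is below TLS 1.2")
    if any(m in cipher.upper() for m in WEAK_CIPHER_MARKERS):
        failures.append(f"cipher suite {cipher} uses a weak algorithm")
    if not_after <= now:
        failures.append("server certificate has expired")
    elif not_after - now <= RENEWAL_WINDOW:
        warnings.append(f"certificate expires within {RENEWAL_WINDOW.days} days; renew")
    return {"compliant": not failures, "failures": failures, "warnings": warnings}

def check_endpoint(host, port=443):
    """Connect to a live endpoint and evaluate what it negotiated.
    An untrusted chain or hostname mismatch raises ssl.SSLCertVerificationError."""
    ctx = pci_tls_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            expiry = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
            not_after = datetime.fromtimestamp(expiry, tz=timezone.utc)
            return evaluate(tls.version(), tls.cipher()[0], not_after, datetime.now(timezone.utc))

def demo():
    """Constructed handshake observations (sample data, not real scan results)."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return {
        "modern": evaluate("TLSv1.3", "TLS_AES_256_GCM_SHA384", now + timedelta(days=90), now),
        "legacy": evaluate("TLSv1.0", "RC4-SHA", now - timedelta(days=1), now),
        "renew_soon": evaluate("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", now + timedelta(days=10), now),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `check_endpoint` against your own payment endpoints on a schedule, and alerting on any failure or warning, gives the evidence the QSA questions ask for.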