# 4.2.1.1 An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained.
Defined Approach Requirements
4.2.1.1 An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained.
Customized Approach Objective
All keys and certificates used to protect PAN during transmission are identified and confirmed as trusted.
Defined Approach Testing Procedures
4.2.1.1.a Examine documented policies and procedures to verify processes are defined for the entity to maintain an inventory of its trusted keys and certificates.
4.2.1.1.b Examine the inventory of trusted keys and certificates to verify it is kept up to date.
Purpose
The inventory of trusted keys helps the entity keep track of the algorithms, protocols, key strength, key custodians, and key expiry dates. This enables the entity to respond quickly to vulnerabilities discovered in encryption software, certificates, and cryptographic algorithms.
Good Practice
For certificates, the inventory should include the issuing CA and the certificate expiration date.
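As an added worked example (not part of the PCI DSS text or of this page's own material), the Go program below builds inventory rows of the kind described in the Purpose and Good Practice sections from a PEM certificate bundle: for each certificate it records the subject, issuing CA, public-key algorithm and key size, signature algorithm and expiry date, attaches an entity-supplied key custodian, and flags rows that need action (weak key, weak signature hash, expired or expiring soon). The 2048-bit RSA and 256-bit EC minimums and the 30-day expiry warning are assumed policy thresholds, not figures from the standard, and the two self-signed certificates it generates are constructed sample data rather than real trusted certificates. It uses only the Go standard library (Go 1.18 or later for generics).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// InventoryEntry is one inventory row. Custodian is entity-supplied; every other field is read from the certificate.
type InventoryEntry struct {
	Subject, IssuerCA, KeyAlg, SigAlg, Custodian string
	KeyBits                                      int
	NotAfter                                     time.Time
	Findings                                     []string // conditions that call for action (weak key, expiry, ...)
}

const minRSABits, minECBits = 2048, 256 // assumed policy minimums for this example, not PCI DSS figures
const expiryWarn = 30 * 24 * time.Hour  // assumed warning window before expiry

func must[T any](v T, err error) T { // panics on error; keeps the sample-data construction short
	if err != nil {
		panic(err)
	}
	return v
}

func keyStrength(cert *x509.Certificate) (string, int) {
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		return "RSA", k.N.BitLen()
	case *ecdsa.PublicKey:
		return "ECDSA", k.Curve.Params().BitSize
	default:
		return cert.PublicKeyAlgorithm.String(), 0
	}
}

// Inventory parses every CERTIFICATE block in pemData and returns one entry per certificate, with findings as of now.
func Inventory(pemData []byte, custodian string, now time.Time) ([]InventoryEntry, error) {
	var entries []InventoryEntry
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip private keys or other objects mixed into the bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		alg, bits := keyStrength(cert)
		e := InventoryEntry{Subject: cert.Subject.CommonName, IssuerCA: cert.Issuer.CommonName, KeyAlg: alg,
			KeyBits: bits, SigAlg: cert.SignatureAlgorithm.String(), NotAfter: cert.NotAfter, Custodian: custodian}
		if (alg == "RSA" && bits < minRSABits) || (alg == "ECDSA" && bits < minECBits) {
			e.Findings = append(e.Findings, fmt.Sprintf("weak key: %s-%d", alg, bits))
		}
		if sa := cert.SignatureAlgorithm; sa == x509.MD5WithRSA || sa == x509.SHA1WithRSA || sa == x509.ECDSAWithSHA1 {
			e.Findings = append(e.Findings, "weak signature hash: "+e.SigAlg)
		}
		if left := cert.NotAfter.Sub(now); left <= 0 {
			e.Findings = append(e.Findings, "expired")
		} else if left < expiryWarn {
			e.Findings = append(e.Findings, fmt.Sprintf("expires in %d days", int(left.Hours()/24)))
		}
		entries = append(entries, e)
	}
	return entries, nil
}

// selfSigned issues a self-signed certificate for cn (constructed sample data, not a trusted certificate).
func selfSigned(cn string, notAfter time.Time, pub, priv any) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-365 * 24 * time.Hour), NotAfter: notAfter}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SamplePEM returns a constructed bundle: a sound ECDSA P-256 cert valid for a year and an RSA-1024 cert expiring in ten days.
func SamplePEM(now time.Time) []byte {
	ec := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	good := selfSigned("payments.example.test", now.Add(365*24*time.Hour), &ec.PublicKey, ec)
	rk := must(rsa.GenerateKey(rand.Reader, 1024)) // below the assumed minimum on purpose
	weak := selfSigned("legacy-gateway.example.test", now.Add(10*24*time.Hour), &rk.PublicKey, rk)
	return append(good, weak...)
}

func main() {
	now := time.Now().Truncate(time.Second) // certificate validity times have second precision
	entries := must(Inventory(SamplePEM(now), "payments platform team", now))
	for _, e := range entries {
		fmt.Printf("%-28s issuer=%s key=%s-%d sig=%s expires=%s custodian=%q findings=%v\n", e.Subject,
			e.IssuerCA, e.KeyAlg, e.KeyBits, e.SigAlg, e.NotAfter.Format("2006-01-02"), e.Custodian, e.Findings)
	}
}
```

In practice the bundle passed to Inventory would be the entity's own trust stores and server certificate files, the custodian would come from an ownership register rather than a literal, and the Findings column is what turns the inventory into the quick-response tool the requirement is after: when a CA, algorithm or key size is called into question, the rows to act on are already listed.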
Purpose
Ensure PAN is rendered unreadable using strong cryptography whenever transmitted over open, public networks.
Compliance Strategies
- TLS 1.2+ for all transmissions
- VPNs for remote access
- End-to-end encryption
Typical Policies
- Encryption Policy
- Network Security Policy
Common Pitfalls
- Use of outdated protocols (e.g., SSL, early TLS)
- Unencrypted transmission paths
Type
Technical Control
Difficulty
Moderate
Key Risks
- Interception of cardholder data
Recommendations
- Regularly scan for unencrypted transmission paths
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER