Learn more at https://kirkpatrickprice.com/video/pci-requirement-4-1-use-strong-cryptography-security-protocols-safeguard-sensitive-chd-transmission/
If your organization transmits sensitive cardholder data over an open or public network, that data must be encrypted using strong cryptography and security protocols, according to PCI Requirement 4.1. Examples of open, public networks include the Internet, Bluetooth, cell phones/GSM, wireless Internet, etc. The purpose of this requirement is to prevent attackers from capturing data while it is in transit, which is a common attack technique.
Best practices for safeguarding sensitive cardholder data during transmission include:
• Only use trusted keys and certificates associated with the encryption. If a certificate has expired or is not issued by a trusted source, do not accept it.
• Any security protocols in use should only support secure versions or configurations; otherwise, the known vulnerabilities of a protocol could be exploited by an attacker. Restricting the protocol this way also prevents a fallback to an insecure connection: any connection that could downgrade to an insecure version or configuration must be rejected. An example of an insecure protocol is WEP, which cannot be relied on for security.
• The encryption strength should be appropriate for the encryption methodology in use.
• Documentation should define all places where cardholder data is transmitted or received over open, public networks.
• Documentation should outline a process for acceptance of trusted keys and certificates, how the implemented security protocols only support secure versions or configurations, and why the encryption strength is appropriate.
About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.
For more about KirkpatrickPrice: https://kirkpatrickprice.com/
Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/