This is the fourth blog in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through this process. To read previous posts in this series, click on the links below:
Requirement 4 – Encrypt Transmission, the SSL/TLS Requirement
Requirement 4 states that sensitive data must be encrypted when traveling over open, public networks. If you send data, such as payment card data, to another entity, or to a processor through an intermediary entity, that data must travel over secured internet connections. As a user, there are ways to see whether this is happening: one is to check that the site you are on uses HTTPS in the address; another is that most web browsers show a warning page if the site does not present an appropriate certificate or if that certificate has expired. What PCI-compliant business entities must do is ensure that the proper communication channels are secured. In some cases a payment gateway is used or developed, and secure ports and authentication mechanisms must be in place to the processor. Further steps, such as ensuring that only the gateway’s internal IP address can connect to the processor’s IP addresses, add another layer of protection to the transmission.
Some common challenges that companies face within this requirement, due to its technical nature, include:
- Outdated Versions of SSL/TLS - Removing old versions of SSL/TLS is a challenge for some companies, in some cases because of tight integration with internal and external systems. All connections must be moved to the latest SSL/TLS version (TLS v1.2).
- POI Devices - If POI (Point of Interaction) terminals are in use, deploying patches to them can be very cumbersome. If IT resources are limited, patching may be slow and could leave some terminals vulnerable to attack.
- Cryptography - The general complexity of cryptography itself can be a burden for some entities. Not having staff who are well versed in and truly understand cryptography could leave the business vulnerable to threats in this area. Many communication mechanisms in use must have encryption in place: email, SMS, chat and instant messaging must all have encrypted transmission enabled.
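The two checks described above, whether a connection still accepts outdated SSL/TLS versions and whether the certificate presented is valid, can be run against a gateway or processor endpoint you operate. This is an added example, not code from the original post or from Compass IT Compliance; the host, port and result labels are assumptions, and the probe needs a local OpenSSL that can still offer TLS 1.0/1.1 to test for them.

```python
"""Probe which TLS versions a server you operate still accepts and flag the
ones Requirement 4 treats as insecure. Added example, not from the original
post; host, port and the result labels are assumptions."""
import socket
import ssl

VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1_1": ssl.TLSVersion.TLSv1_1,
            "TLSv1_2": ssl.TLSVersion.TLSv1_2, "TLSv1_3": ssl.TLSVersion.TLSv1_3}
LEGACY = {"TLSv1", "TLSv1_1"}    # must be disabled on cardholder-data links
MODERN = {"TLSv1_2", "TLSv1_3"}  # TLS 1.2 is the floor the post names


def probe_version(host, port, name, timeout=5.0):
    """Handshake pinned to one version -> 'accepted', 'accepted-bad-cert',
    'rejected', 'unreachable' or 'client-unsupported'."""
    ctx = ssl.create_default_context()  # CA and hostname checks stay on
    try:
        if name in LEGACY:
            # Modern OpenSSL refuses TLS < 1.2 at its default security level;
            # level 0 lets the probe actually offer the legacy version.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = ctx.maximum_version = VERSIONS[name]
    except (ValueError, ssl.SSLError):
        return "client-unsupported"  # local TLS library cannot speak it
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except ssl.SSLCertVerificationError:
        return "accepted-bad-cert"  # version negotiated, certificate invalid
    except ssl.SSLError:
        return "rejected"           # server refused this protocol version
    except OSError:
        return "unreachable"        # TCP-level failure, nothing learned

def probe_all(host, port=443):
    return {name: probe_version(host, port, name) for name in VERSIONS}

def findings(results):
    """Turn probe results into Requirement 4 findings (pure, unit-testable)."""
    out = []
    for name, status in results.items():
        if name in LEGACY and status.startswith("accepted"):
            out.append(f"{name} accepted: disable it (Requirement 4)")
        if status == "accepted-bad-cert":
            out.append(f"{name}: certificate failed validation")
    if not any(n in MODERN and s == "accepted" for n, s in results.items()):
        out.append("no TLS 1.2+ connection succeeded with a valid certificate")
    return out
```

Run it as `findings(probe_all("gateway.example"))` against your own endpoint; an empty list means only TLS 1.2+ was accepted and the certificate validated.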
These challenges are just some of the areas within the PCI DSS requirements that many of our clients face. Another area where our clients experience challenges is keeping track of the various requirements that must be completed on a quarterly, semi-annual and annual basis for PCI compliance. Therefore, Compass IT Compliance has created a PCI Compliance checklist, one for service providers and one for merchants. This simple, easy-to-use checklist gives you the PCI requirements, what you must do to achieve and maintain compliance, and how often you need to complete each requirement. To download your copy today, click on the button below!