The goal
The goal of PCI DSS Key Requirement 4 is to develop, execute and maintain a sustainable capability for the effective monitoring and protection of cardholder data (CHD) across the cardholder data environment (CDE), through the application of strong cryptography to protect Primary Account Numbers (PANs) during their transmission over open, public networks.
This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.
Goal applicability and scope considerations
- The goal applies to all system components across the CDE where any PAN is transmitted over open, public networks, such as the internet, messaging systems or wireless technologies, including Wi-Fi, Bluetooth®, cellular technologies, satellite communications and General Packet Radio Service (GPRS) components
- It also applies to all security system components (technology and people) that support the security controls needed to meet this key requirement, such as systems that support security certificates, cryptographic systems, and logging and monitoring systems
Goal requirements:
Some of the primary conditions necessary to achieve the goal
- Documentation and processes: Maintain effective standard operating procedures with clearly articulated standards, roles and responsibilities. Regularly train and educate staff on how to follow the documented procedures. Internally monitor and report adherence to procedures
- Competency: The correct design, implementation, operation and maintenance of strong cryptography and certificate systems for securing data in transit; safeguarding CHD before and during transmission of the PAN over open, public networks
- Capability—scope management: The ability to continuously identify, monitor and improve all system components where the PAN is transmitted over open, public networks, to meet and maintain the compliance requirements. Internally monitor and report scope nonconformity and violations
Strong dependencies and integration with other key requirements
- Requirement 6: Integration with system-hardening requirements
- Requirements 7 & 8: Secure authentication and access control to components that store CHD
- Requirement 10: Logging and monitoring of components that store CHD and related security systems
- Requirement 11: The testing of components that store CHD and related security systems
- Requirement 12: Ongoing contractual management of third-party data security responsibilities
Short-term objectives
- Capability—scope and automation: Implement and maintain a system for the effective, automatic identification and reporting of the configuration and security status of all components that transmit CHD
- Capability—detect and respond: Develop and improve the ability to rapidly detect and respond to any clear-text transmission of the PAN from within the organization over open, public networks
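As an added example that is not part of this goal statement, a minimal detection check for the "scope and automation" and "detect and respond" objectives above: it scans transmission records for Luhn-valid PANs and flags any record that carried a PAN over a protocol outside an assumed set of strong ones. The record fields, the sample records and the strong-protocol set are assumptions, and PANs are masked before they are reported so the finding itself does not become stored CHD.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumption: the transport protocols this organization accepts as strong cryptography.
STRONG_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def luhn_ok(digits):
    """Luhn check digit validation, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid digit strings found in a payload."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep the first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def review_records(records):
    """Each record (assumed shape): src, dst, protocol, payload.
    Returns one finding per record carrying a PAN without strong transport."""
    findings = []
    for rec in records:
        pans = find_pans(rec["payload"])
        if pans and rec["protocol"] not in STRONG_PROTOCOLS:
            findings.append({"src": rec["src"], "dst": rec["dst"],
                             "protocol": rec["protocol"],
                             "pans": [mask(p) for p in pans]})
    return findings


SAMPLE_RECORDS = [  # constructed sample records using public test card numbers
    {"src": "10.0.5.12", "dst": "203.0.113.7", "protocol": "HTTP",
     "payload": "card=4111 1111 1111 1111&exp=12/27"},
    {"src": "10.0.5.12", "dst": "203.0.113.7", "protocol": "TLSv1.2",
     "payload": "card=4111111111111111"},
    {"src": "10.0.5.20", "dst": "198.51.100.9", "protocol": "SMTP",
     "payload": "order 1234567890123 shipped"},   # 13 digits, fails Luhn
    {"src": "10.0.5.20", "dst": "198.51.100.9", "protocol": "SMTP",
     "payload": "cardholder 5555-5555-5555-4444"},
]
```

Running `review_records(SAMPLE_RECORDS)` reports the HTTP and the second SMTP record only; the TLSv1.2 record passes and the order number is discarded by the Luhn check.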
Long-term objectives
- Improvement: Improve and refine configurations, integration, support processes, documentation and training on all relevant system components
- Maturity: Achieve and maintain high capability maturity and performance in the protection of CHD during transmission, with low deviation from configuration standards, and high capability for the rapid detection and correction of configuration nonconformities across the CDE
Common constraints
- Competency—scope management: Failure to include all applicable wireless technologies in the scope of compliance and validation
- Competency—security proficiency: Insufficient mastery of cryptographic industry standards, cryptography implementation and key management procedures, improper comprehension or inconsistent operation of security certificate management procedures, ineffective maintenance of cryptographic architecture and infrastructure
- Capability—secure operations: Ineffective design, operation and management of secure end-user messaging technologies
- Cost and capacity: The cost and effort of upgrading outdated cryptographic protocols across a large environment with many affected components