FAQ #1075 Diff
Is it permissible to use self-decrypting files for encryption to send cardholder data?
Earlier Version

PCI DSS Requirement 4.1 states that transmission of cardholder data over a "public" network must be encrypted. This can be accomplished through protocols such as SSL or through other processes that should be reviewed by a Qualified Security Assessor (QSA) to ensure full effectiveness. The QSA would determine, among other things, that the selected solution is robust enough to withstand common attacks (per the PCI DSS requirements). For questions about whether a specific implementation is consistent with the standard or is "compliant" with a requirement, please contact a Qualified Security Assessor (QSA). A list of QSAs can be found at www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf.

Later Version

PCI DSS Requirement 4.1 states that transmission of cardholder data over an open or public network must be secured using strong cryptography and security protocols. Examples provided in the requirement include TLS, IPSEC, and SSH. There may also be other protocols and processes that can meet the intent of this requirement. Whichever method is used, it must meet all applicable requirements, including that only secure versions and configurations are supported, and that the proper encryption strength is implemented for the encryption methodology in use. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for additional information regarding "strong cryptography".
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.