Skip to main content

💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

  • ID: /frameworks/pci-dss-v3.2.1/04/01

Description

Including the following:

  • Only trusted keys and certificates are accepted.
  • The protocol in use only supports secure versions or configurations.
  • The encryption strength is appropriate for the encryption methodology in use.

Examples of open, public networks include but are not limited to:

  • The Internet
  • Wireless technologies, including 802.11 and Bluetooth
  • Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)
  • General Packet Radio Service (GPRS)
  • Satellite communications

Similar

  • Sections
    • /frameworks/pci-dss-v4.0/04/02/01
    • /frameworks/aws-fsbp-v1.0.0/elb/01
    • /frameworks/aws-fsbp-v1.0.0/s3/05
  • Internal
    • ID: dec-c-eaf8f1ac

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPSno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.5] S3 general purpose buckets should require requests to use SSL11no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.2922no data

Similar Sections (Give Policies To)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.2922no data

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission.1no data

Policies (22)

PolicyLogic CountFlagsCompliance
🛡️ AWS ACM Certificate expires in the next 7 days🟢1🟢 x6no data
🛡️ AWS ACM RSA Certificate key length is less than 2048 bits🟢1🟢 x6no data
🛡️ AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic🟢1🟢 x6no data
🛡️ AWS CloudFront Web Distribution uses Dedicated IP for SSL🟢1🟢 x6no data
🛡️ AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins🟢1🟢 x6no data
🛡️ AWS DMS Endpoint doesn't use SSL🟢1🟢 x6no data
🛡️ AWS IAM Server Certificate is expired🟢1🟢 x6no data
🛡️ AWS KMS Symmetric CMK Rotation is not enabled🟢1🟢 x6no data
🛡️ AWS S3 Bucket Policy is not set to deny HTTP requests🟢1🟢 x6no data
🛡️ Azure App Service FTP deployments are not disabled🟢1🟢 x6no data
🛡️ Azure App Service HTTPS Only configuration is not enabled🟢1🟢 x6no data
🛡️ Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key🟢1🟢 x6no data
🛡️ Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON🟢1🟢 x6no data
🛡️ Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON🟢1🟢 x6no data
🛡️ Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled🟢1🟢 x6no data
🛡️ Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled🟢1🟢 x6no data
🛡️ Azure Storage Account Secure Transfer Required is not enabled🟢1🟢 x6no data
🛡️ Azure Unattached Managed Disk is not encrypted with Customer-managed key🟢1🟢 x6no data
🛡️ Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key🟢1🟢 x6no data
🛡️ Google Cloud SQL Instance SSL Connections are not enforced🟢1🟢 x6no data
🛡️ Google GCE Instance Block Project-Wide SSH Keys is not enabled🟢1🟢 x6no data
🛡️ Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites🟢⚪🟢 x2, ⚪ x1no data

Internal Rules

RulePoliciesFlags
✉️ dec-x-14f5fc251
✉️ dec-x-75db76ad1
✉️ dec-x-791dab131
✉️ dec-x-4002ecfe1
✉️ dec-x-995424b72
✉️ dec-x-c0a7793e1
✉️ dec-x-d5fbfc401
✉️ dec-x-d95ea48b1