💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.

Description

As follows:

  • Only trusted keys and certificates are accepted.
  • Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
  • The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
  • The encryption strength is appropriate for the encryption methodology in use.
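The four bullets above translate directly into TLS client settings. The following is an added example, not text or code from PCI DSS or from this site's policy engine: it builds a client context with Python's standard `ssl` module that enforces trusted-CA-only validation, hostname matching, a TLS 1.2 floor with no fallback, no TLS compression, and AEAD suites with forward secrecy, and it audits any context against the same rules so a weak one (the `legacy_client_context` below is a constructed example of what teams often ship) is reported. The cipher string is an assumption; pick one that matches your own hardening baseline.

```python
import ssl

# Added example, not from the PCI DSS text or the site's policies.
# Assumed cipher baseline: forward-secret AEAD suites only, nothing with
# RC4/3DES/DES/NULL/MD5. Adjust to your organisation's baseline.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES"
WEAK_MARKERS = ("RC4", "3DES", "DES-", "NULL", "MD5")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that satisfies bullets 1, 3 and 4 of requirement 4.2.1."""
    ctx = ssl.create_default_context()               # system CA store, sane defaults
    ctx.verify_mode = ssl.CERT_REQUIRED              # bullet 1: only trusted certs
    ctx.check_hostname = True                        # cert must match the peer name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # bullet 3: no SSLv3/TLS 1.0/1.1
    ctx.options |= ssl.OP_NO_COMPRESSION             # no TLS compression (CRIME)
    ctx.set_ciphers(STRONG_CIPHERS)                  # bullet 4: AEAD + forward secrecy
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Constructed 'before' example: verification off, any protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    # get_ciphers() lists what this context would actually offer.
    for c in ctx.get_ciphers():
        name = c["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak cipher offered: {name}")
        elif c["strength_bits"] < 128:
            findings.append(f"cipher below 128 bits offered: {name}")
        elif not c["aead"]:
            findings.append(f"non-AEAD cipher offered: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        print(label, audit_context(ctx) or "OK")
```

Bullet 2 (expiry and revocation) is the part the standard library does not cover on its own: expiry is enforced during the handshake once `CERT_REQUIRED` is set, but revocation needs either OCSP stapling or CRLs loaded with `load_verify_locations` plus `VERIFY_CRL_CHECK_LEAF`, which should be added deliberately rather than by default because an unreachable CRL then fails every connection.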

Similar

  • Sections
    • /frameworks/pci-dss-v4.0/04/02/01
    • /frameworks/aws-fsbp-v1.0.0/acm/01
    • /frameworks/aws-fsbp-v1.0.0/acm/02
    • /frameworks/aws-fsbp-v1.0.0/cloudfront/03
    • /frameworks/aws-fsbp-v1.0.0/cloudfront/08
    • /frameworks/aws-fsbp-v1.0.0/cloudfront/10
    • /frameworks/aws-fsbp-v1.0.0/dms/09
    • /frameworks/aws-fsbp-v1.0.0/dms/12
    • /frameworks/aws-fsbp-v1.0.0/dynamodb/07
    • /frameworks/aws-fsbp-v1.0.0/elasticache/05
    • /frameworks/aws-fsbp-v1.0.0/elb/03
    • /frameworks/aws-fsbp-v1.0.0/elb/08
    • /frameworks/aws-fsbp-v1.0.0/es/03
    • /frameworks/aws-fsbp-v1.0.0/es/08
    • /frameworks/aws-fsbp-v1.0.0/msk/01
    • /frameworks/aws-fsbp-v1.0.0/msk/03
    • /frameworks/aws-fsbp-v1.0.0/redshift/02
    • /frameworks/aws-fsbp-v1.0.0/s3/05
    • /frameworks/aws-fsbp-v1.0.0/transfer-family/02

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period | 11
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits | 11
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.3] CloudFront distributions should require encryption in transit
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.9] DMS endpoints should use SSL
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.12] DMS endpoints for Redis OSS should have TLS enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElastiCache.5] ElastiCache replication groups should be encrypted in transit
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.3] Elasticsearch domains should encrypt data sent between nodes
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [MSK.1] MSK clusters should be encrypted in transit among broker nodes
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [MSK.3] MSK Connect connectors should be encrypted in transit
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.5] S3 general purpose buckets should require requests to use SSL | 11
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 29

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 29

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 4.2.1.1 An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained.
💼 4.2.1.2 Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission.

Policies (9)

Policy | Logic Count | Flags
📝 AWS ACM Certificate expires in the next 7 days | 🟢 1 | 🟢 x6
📝 AWS ACM RSA Certificate key length is less than 2048 bits | 🟢 1 | 🟢 x6
📝 AWS S3 Bucket Policy is not set to deny HTTP requests | 🟢 1 | 🟢 x6
📝 Azure App Service FTP deployments are not disabled | 🟢 1 | 🟢 x6
📝 Azure App Service HTTPS Only configuration is not enabled | 🟢 1 | 🟢 x6
📝 Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON | 🟢 1 | 🟢 x6
📝 Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON | 🟢 1 | 🟢 x6
📝 Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled | 🟢 1 | 🟢 x6
📝 Azure Storage Account Secure Transfer Required is not enabled | 🟢 1 | 🟢 x6