💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.

• Contextual name: 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.

• ID: /frameworks/pci-dss-v4.0.1/04/02/01

• Located in: 💼 4.2 PAN is protected with strong cryptography during transmission.

Description

As following:

• Only trusted keys and certificates are accepted.
• Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
• The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
• The encryption strength is appropriate for the encryption methodology in use.

Similar

• Sections
  • /frameworks/pci-dss-v4.0/04/02/01
  • /frameworks/aws-fsbp-v1.0.0/acm/01
  • /frameworks/aws-fsbp-v1.0.0/acm/02
  • /frameworks/aws-fsbp-v1.0.0/cloudfront/03
  • /frameworks/aws-fsbp-v1.0.0/cloudfront/08
  • /frameworks/aws-fsbp-v1.0.0/cloudfront/10
  • /frameworks/aws-fsbp-v1.0.0/dms/09
  • /frameworks/aws-fsbp-v1.0.0/dms/12
  • /frameworks/aws-fsbp-v1.0.0/dynamodb/07
  • /frameworks/aws-fsbp-v1.0.0/elasticache/05
  • /frameworks/aws-fsbp-v1.0.0/elb/03
  • /frameworks/aws-fsbp-v1.0.0/elb/08
  • /frameworks/aws-fsbp-v1.0.0/es/03
  • /frameworks/aws-fsbp-v1.0.0/es/08
  • /frameworks/aws-fsbp-v1.0.0/msk/01
  • /frameworks/aws-fsbp-v1.0.0/msk/03
  • /frameworks/aws-fsbp-v1.0.0/redshift/02
  • /frameworks/aws-fsbp-v1.0.0/s3/05
  • /frameworks/aws-fsbp-v1.0.0/transfer-family/02

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.3] CloudFront distributions should require encryption in transit		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.9] DMS endpoints should use SSL		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.12] DMS endpoints for Redis OSS should have TLS enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElastiCache.5] ElastiCache replication groups should be encrypted in transit
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.3] Elasticsearch domains should encrypt data sent between nodes
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [MSK.1] MSK clusters should be encrypted in transit among broker nodes
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [MSK.3] MSK Connect connectors should be encrypted in transit
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.5] S3 general purpose buckets should require requests to use SSL		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	21

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	21

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 4.2.1.1 An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained.
💼 4.2.1.2 Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission.			1

Policies (21)

Policy	Logic Count	Flags
📝 AWS ACM Certificate expires in the next 7 days 🟢	1	🟢 x6
📝 AWS ACM RSA Certificate key length is less than 2048 bits 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution uses Dedicated IP for SSL 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins 🟢	1	🟢 x6
📝 AWS DMS Endpoint doesn't use SSL 🟢	1	🟢 x6
📝 AWS IAM Server Certificate is expired 🟢	1	🟢 x6
📝 AWS KMS Symmetric CMK Rotation is not enabled 🟢	1	🟢 x6
📝 AWS S3 Bucket Policy is not set to deny HTTP requests 🟢	1	🟢 x6
📝 Azure App Service FTP deployments are not disabled 🟢	1	🟢 x6
📝 Azure App Service HTTPS Only configuration is not enabled 🟢	1	🟢 x6
📝 Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled 🟢	1	🟢 x6
📝 Azure Storage Account Secure Transfer Required is not enabled 🟢	1	🟢 x6
📝 Azure Unattached Managed Disk is not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Google GCE Instance Block Project-Wide SSH Keys is not enabled 🟢	1	🟢 x6
📝 Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites 🟢		🟢 x3