💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.

Description

As follows:

  • Only trusted keys and certificates are accepted.
  • Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
  • The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
  • The encryption strength is appropriate for the encryption methodology in use.

Similar

  • Sections
    • /frameworks/pci-dss-v3.2.1/04/01
    • /frameworks/pci-dss-v4.0.1/04/02/01
  • Internal
    • ID: dec-c-a0286654

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. | 1821
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 221

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. | 1821
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 221

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 4.2.1.1 An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained. |
💼 4.2.1.2 Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission. | 1

Policies (21)

Policy | Logic Count | Flags
📝 AWS ACM Certificate expires in the next 7 days | 🟒 1 | 🟒 x6
📝 AWS ACM RSA Certificate key length is less than 2048 bits | 🟒 1 | 🟒 x6
📝 AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic | 🟒 1 | 🟒 x6
📝 AWS CloudFront Web Distribution uses Dedicated IP for SSL | 🟒 1 | 🟒 x6
📝 AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins | 🟒 1 | 🟒 x6
📝 AWS DMS Endpoint doesn't use SSL | 🟒 1 | 🟒 x6
📝 AWS IAM Server Certificate is expired | 🟒 1 | 🟒 x6
📝 AWS KMS Symmetric CMK Rotation is not enabled | 🟒 1 | 🟒 x6
📝 AWS S3 Bucket Policy is not set to deny HTTP requests | 🟒 1 | 🟒 x6
📝 Azure App Service FTP deployments are not disabled | 🟒 1 | 🟒 x6
📝 Azure App Service HTTPS Only configuration is not enabled | 🟒 1 | 🟒 x6
📝 Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key | 🟒 1 | 🟒 x6
📝 Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON | 🟒 1 | 🟒 x6
📝 Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON | 🟒 1 | 🟒 x6
📝 Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled | 🟒 1 | 🟒 x6
📝 Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled | 🟒 1 | 🟒 x6
📝 Azure Storage Account Secure Transfer Required is not enabled | 🟒 1 | 🟒 x6
📝 Azure Unattached Managed Disk is not encrypted with Customer-managed key | 🟒 1 | 🟒 x6
📝 Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key | 🟒 1 | 🟒 x6
📝 Google GCE Instance Block Project-Wide SSH Keys is not enabled | 🟒 1 | 🟒 x6
📝 Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites | 🟒 | 🟒 x3

Internal Rules

Rule | Policies | Flags
✉️ dec-x-4d6fee7a | 1 |
✉️ dec-x-5c3c2067 | 1 |
✉️ dec-x-6ed26167 | 1 |
✉️ dec-x-9cdb7407 | 1 |
✉️ dec-x-12a85339 | 1 |
✉️ dec-x-75db76ad | 1 |
✉️ dec-x-4002ecfe | 1 |
✉️ dec-x-a4e03389 | 1 |
✉️ dec-x-f63fd4f0 | 1 |