Skip to main content

💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.

Description

As following:

  • Only trusted keys and certificates are accepted.
  • Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
  • The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
  • The encryption strength is appropriate for the encryption methodology in use.

Similar

  • Sections
    • /frameworks/pci-dss-v3.2.1/04/01
    • /frameworks/pci-dss-v4.0.1/04/02/01
  • Internal
    • ID: dec-c-a0286654

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlags
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.1821
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.221

Similar Sections (Give Policies To)

SectionSub SectionsInternal RulesPoliciesFlags
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.1821
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.221

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlags
💼 4.2.1.1 An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained.
💼 4.2.1.2 Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission.1

Policies (21)

PolicyLogic CountFlags
📝 AWS ACM Certificate expires in the next 7 days 🟢1🟢 x6
📝 AWS ACM RSA Certificate key length is less than 2048 bits 🟢1🟢 x6
📝 AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic 🟢1🟢 x6
📝 AWS CloudFront Web Distribution uses Dedicated IP for SSL 🟢1🟢 x6
📝 AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins 🟢1🟢 x6
📝 AWS DMS Endpoint doesn't use SSL 🟢1🟢 x6
📝 AWS IAM Server Certificate is expired 🟢1🟢 x6
📝 AWS KMS Symmetric CMK Rotation is not enabled 🟢1🟢 x6
📝 AWS S3 Bucket Policy is not set to deny HTTP requests 🟢1🟢 x6
📝 Azure App Service FTP deployments are not disabled 🟢1🟢 x6
📝 Azure App Service HTTPS Only configuration is not enabled 🟢1🟢 x6
📝 Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key 🟢1🟢 x6
📝 Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON 🟢1🟢 x6
📝 Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON 🟢1🟢 x6
📝 Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled 🟢1🟢 x6
📝 Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled 🟢1🟢 x6
📝 Azure Storage Account Secure Transfer Required is not enabled 🟢1🟢 x6
📝 Azure Unattached Managed Disk is not encrypted with Customer-managed key 🟢1🟢 x6
📝 Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key 🟢1🟢 x6
📝 Google GCE Instance Block Project-Wide SSH Keys is not enabled 🟢1🟢 x6
📝 Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites 🟢🟢 x3

Internal Rules

RulePoliciesFlags
✉️ dec-x-4d6fee7a1
✉️ dec-x-5c3c20671
✉️ dec-x-6ed261671
✉️ dec-x-9cdb74071
✉️ dec-x-12a853391
✉️ dec-x-75db76ad1
✉️ dec-x-4002ecfe1
✉️ dec-x-a4e033891
✉️ dec-x-f63fd4f01