According to PCI DSS version 4.0, what must an organization do to protect cardholder data whenever that data is transmitted across open, public networks such as the Internet, wireless, or cellular links?
Compress the data before sending it to reduce exposure time.
Transmit the data in clear text if it stays within a private VLAN.
Encrypt the data using strong cryptography and secure protocols (e.g., TLS 1.2 or higher) for the entire session.
Mask the primary account number by replacing the middle six digits with asterisks but leave the remainder unencrypted.
PCI DSS Requirement 4 states that cardholder data must be protected with strong cryptography during transmission over any open, public network. Implementing secure protocols such as TLS 1.2 or higher (or other PCI-approved encryption methods) satisfies this control. Compressing data, sending it in clear text within a private VLAN, or merely masking some digits of the PAN do not meet the requirement because none of those tactics provide the mandatory strong encryption of the entire data stream.