According to PCI DSS version 4.0, what must an organization do to protect cardholder data whenever that data is transmitted across open, public networks such as the Internet, wireless, or cellular links?
Compress the data before sending it to reduce exposure time.
Mask the primary account number by replacing the middle six digits with asterisks but leave the remainder unencrypted.
Encrypt the data using strong cryptography and secure protocols (e.g., TLS 1.2 or higher) for the entire session.
Transmit the data in clear text if it stays within a private VLAN.
PCI DSS Requirement 4 states that cardholder data must be protected with strong cryptography during transmission over any open, public network. Implementing secure protocols such as TLS 1.2 or higher (or other PCI-approved encryption methods) for the entire session satisfies this control. Compressing the data, sending it in clear text within a private VLAN, or merely masking some digits of the PAN do not meet the requirement, because none of those tactics provides the mandatory strong encryption of the entire data stream.