PCI DSS v3 - 2 - 1 ROC S6 R4 Encrypt Transmission of Cardholder Data
PCI DSS Template for Report on Compliance, Appendix D: Segmentation and Sampling of Business Facilities/System Components June 2018
© 2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 1
Table columns: PCI DSS Requirements and Testing Procedures | Reporting Instruction | Assessor’s Response | Summary of Assessment Findings (check one): In Place, In Place w/CCW, N/A, Not Tested, Not in Place
4.1.c Testing procedure: Select and observe a sample of inbound and outbound transmissions as they occur (for example, by observing system processes or network traffic) to verify that all cardholder data is encrypted with strong cryptography during transit.
      Reporting instruction:
      - Describe the sample of inbound and outbound transmissions that were observed as they occurred.
      - Describe how the sample of inbound and outbound transmissions verified that all cardholder data is encrypted with strong cryptography during transit.

4.1.d Testing procedure: Examine keys and certificates to verify that only trusted keys and/or certificates are accepted.
      Reporting instruction: For all instances where cardholder data is transmitted or received over open, public networks:
      - Describe the mechanisms used to ensure that only trusted keys and/or certificates are accepted.
      - Describe how the mechanisms were observed to accept only trusted keys and/or certificates.

4.1.e Testing procedure: Examine system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations.
      Reporting instruction: For all instances where cardholder data is transmitted or received over open, public networks, describe how system configurations verified that the protocol:
      - Is implemented to use only secure configurations.
      - Does not support insecure versions or configurations.

4.1.f Testing procedure: Examine system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.)
      Reporting instruction: For each encryption methodology in use,
      - Identify vendor recommendations/best practices for encryption strength.
      - Identify the encryption strength observed to be implemented.
      Assessor’s response: Not Mentioned

4.1.g Testing procedure: For TLS implementations, examine system configurations to verify that TLS is enabled whenever cardholder data is transmitted or received.
      For example, for browser-based implementations:
      - “HTTPS” appears as the browser Universal Record Locator (URL) protocol; and
      - Cardholder data is only requested if “HTTPS” appears as part of the URL.
      Reporting instruction:
      - Indicate whether TLS is implemented to encrypt cardholder data over open, public networks. (yes/no)
      - If “no,” mark the remainder of 4.1.g as “not applicable.”
      - If “yes,” for all instances where TLS is used to encrypt cardholder data over open, public networks, describe how system configurations verified that TLS is enabled whenever cardholder data is transmitted or received.
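Testing procedures 4.1.d through 4.1.g together amount to a small audit of each TLS endpoint: are untrusted certificates rejected, are insecure protocol versions and cipher configurations disabled, is the key strength adequate, and is TLS actually in use. The Python below is an added illustration of such an audit; it is not part of the ROC template and not PCI SSC code. The endpoint descriptions are constructed, and the insecure-version list, weak-cipher markers and minimum key sizes are this example's own assumptions standing in for the vendor recommendations that 4.1.f asks the assessor to identify. The two client-context functions show the weak setting (certificate validation disabled) beside the corrected one.

```python
import ssl
from dataclasses import dataclass

# Policy encoded by this example (an assumption standing in for the vendor
# recommendations 4.1.f refers to; not text from the ROC template).
INSECURE_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
SECURE_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Substrings that mark a cipher suite as weak, NULL-encrypted or unauthenticated.
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "DES", "EXPORT", "MD5", "anon")
# Minimum key sizes this example treats as proper encryption strength (assumed).
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}


@dataclass
class TlsEndpointConfig:
    """Constructed description of one TLS endpoint, as an assessor might record it."""
    name: str
    enabled_versions: set
    cipher_suites: list
    key_type: str        # "RSA" or "EC"
    key_bits: int
    verify_peer: bool    # is certificate validation enforced, so untrusted certs are rejected?


def audit_tls_config(cfg: TlsEndpointConfig) -> list:
    """Return findings against the policy above; an empty list means the endpoint passes."""
    findings = []
    insecure = cfg.enabled_versions & INSECURE_VERSIONS           # 4.1.e: insecure versions
    if insecure:
        findings.append(f"{cfg.name}: insecure protocol versions enabled: {sorted(insecure)}")
    if not cfg.enabled_versions & SECURE_VERSIONS:                # 4.1.g: TLS actually usable
        findings.append(f"{cfg.name}: no acceptable TLS version enabled")
    for suite in cfg.cipher_suites:                               # 4.1.e: insecure configurations
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"{cfg.name}: weak cipher suite enabled: {suite}")
    minimum = MIN_KEY_BITS.get(cfg.key_type, 2048)                # 4.1.f: encryption strength
    if cfg.key_bits < minimum:
        findings.append(f"{cfg.name}: {cfg.key_type} key of {cfg.key_bits} bits is below {minimum}")
    if not cfg.verify_peer:                                       # 4.1.d: only trusted certs
        findings.append(f"{cfg.name}: certificate validation disabled, untrusted certificates would be accepted")
    return findings


def assessment_status(cfg: TlsEndpointConfig) -> str:
    """Map the audit result onto the summary columns used in this template."""
    return "In Place" if not audit_tls_config(cfg) else "Not in Place"


def strict_client_context() -> ssl.SSLContext:
    """Client-side counterpart of 4.1.d/4.1.e: trust only the system CA store, require a
    valid certificate that matches the hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED plus the default trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """The misconfiguration 4.1.d is meant to catch: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """True when a client context enforces trusted certificates and TLS 1.2 or later."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


# Constructed sample endpoints (not real systems).
WEAK_ENDPOINT = TlsEndpointConfig(
    name="legacy-gateway", enabled_versions={"TLSv1.0", "TLSv1.2"},
    cipher_suites=["TLS_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    key_type="RSA", key_bits=1024, verify_peer=False)
HARDENED_ENDPOINT = TlsEndpointConfig(
    name="payment-api", enabled_versions={"TLSv1.2", "TLSv1.3"},
    cipher_suites=["TLS_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256"],
    key_type="EC", key_bits=256, verify_peer=True)

if __name__ == "__main__":
    for endpoint in (WEAK_ENDPOINT, HARDENED_ENDPOINT):
        print(endpoint.name, "->", assessment_status(endpoint))
        for finding in audit_tls_config(endpoint):
            print("  ", finding)
```

Each finding is tagged with the testing procedure it evidences, so the assessor's response for 4.1.d, 4.1.e and 4.1.f can be written directly from the audit output. The lists of acceptable versions and weak-cipher markers must be replaced with the vendor's current recommendations for the product under review.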
4.1.1 Requirement: Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission.
      Summary of Assessment Findings (check one): ☐ In Place  ☐ In Place w/CCW  ☐ N/A  ☐ Not Tested  ☐ Not in Place

4.1.1 Testing procedure: Identify all wireless networks transmitting cardholder data or connected to the cardholder data environment. Examine documented standards and compare to system configuration settings to verify the following for all wireless networks identified:
      - Industry best practices are used to implement strong encryption for authentication and transmission.
      - Weak encryption (for example, WEP, SSL) is not used as a security control for authentication or transmission.
      Reporting instruction:
      - Identify all wireless networks transmitting cardholder data or connected to the cardholder data environment.
      - Identify the documented standards examined. (Assessor’s response: Not Mentioned)
      - Describe how the documented standards and system configuration settings both verified the following for all wireless networks identified:
        - Industry best practices are used to implement strong encryption for authentication and transmission.
        - Weak encryption is not used as a security control for authentication or transmission.
4.2 Requirement: Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
      Summary of Assessment Findings (check one): ☐ In Place  ☐ In Place w/CCW  ☐ N/A  ☐ Not Tested  ☐ Not in Place

4.2.a Testing procedure: If end-user messaging technologies are used to send cardholder data, observe processes for sending PAN and examine a sample of outbound transmissions as they occur to verify that PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies.
      Reporting instruction:
      - Indicate whether end-user messaging technologies are used to send cardholder data. (yes/no)
      - If “no,” mark the remainder of 4.2.a as “Not Applicable” and proceed to 4.2.b.
      - If “yes,” complete the following:
        - Describe how processes for sending PAN were observed to verify that PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies.
        - Describe the sample of outbound transmissions that were observed as they occurred.
        - Describe how the sample of outbound transmissions verified that PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies.
4.2.b Testing procedure: Review written policies to verify the existence of a policy stating that unprotected PANs are not to be sent via end-user messaging technologies.
      Reporting instruction: Identify the policy document that prohibits PAN from being sent via end-user messaging technologies under any circumstances.
      Assessor’s response: Not Mentioned

4.3 Requirement: Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
      Summary of Assessment Findings (check one): ☐ In Place  ☐ In Place w/CCW  ☐ N/A  ☐ Not Tested  ☐ Not in Place

4.3 Testing procedure: Examine documentation and interview personnel to verify that security policies and operational procedures for encrypting transmissions of cardholder data are:
      - Documented,
      - In use, and
      - Known to all affected parties.
      Reporting instruction:
      - Identify the document reviewed to verify that security policies and operational procedures for encrypting transmissions of cardholder data are documented.
      - Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for encrypting transmissions of cardholder data are:
        - In use
        - Known to all affected parties