PCI DSS requirement 4.1 mandates the use of secure sockets layer (SSL) or other strong cryptography to protect cardholder data in transit over public networks. Specifically, the standard states:

“Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks.”

In this article, we take a look at what this means for you as a PCI DSS professional.  We begin with an overview of how the Secure Sockets Layer (SSL) works, define an “open, public network” and then explore what you need to do to validate your PCI DSS compliance in this area.

How SSL and TLS Work

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are similar protocols, both designed to encrypt information in transit over the Internet. They are so close in functionality that, for the purposes of this discussion, they may be treated as equivalent. You can use SSL/TLS to secure almost any type of Internet transmission, but the most common use is to encrypt web communications using HTTPS.

SSL and TLS communications begin with a handshake between the two communicating systems. The system initiating the connection (on the web, the end user's browser) contacts the server and requests an SSL/TLS connection. With that request, the client sends the list of encryption algorithms (cipher suites) it supports. The server compares that list with its own list of supported algorithms and selects the most secure algorithm the two have in common. The server then notifies the client of its selection and provides a digital certificate that includes the server's public key.

The client then verifies the server's certificate (ensuring that the server is what it claims to be) and uses the public key in the certificate to encrypt a shared session key, which it sends back to the server. Now that both systems hold the same session key, they use it to encrypt all further communication.

What Is An Open, Public Network?

The phrase “open, public network” caused much confusion in the early days of PCI DSS. Fortunately, the PCI Council recently clarified its intent with the following statement:

“Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM) and general packet radio service (GPRS).”

The bottom line is that you must use SSL or TLS to encrypt communications containing cardholder data that take place over any network that doesn’t belong to your organization.  This includes the Internet, cell phone data networks and any other type of network outside of your control.  It also includes any wireless (WiFi) network, even if it belongs to your organization.

How Do I Implement SSL?

To implement SSL, you need to follow several steps:

  1. Obtain an SSL certificate. The cheapest way to do this is to purchase one through the Go Daddy $14.99 SSL Sale!
  2. Install the certificate on your server.  If you use a web hosting service, chances are that they’ll be able to install this certificate for you.  Otherwise, you’ll need assistance from your technical staff.
  3. Disable unencrypted communications, if desired. You may wish to continue to allow unencrypted web traffic (standard HTTP) on your server if you have many pages that do not process cardholder data. If you do, be sure to configure the server so that pages that do process credit cards are available only over HTTPS.

When choosing the version of SSL that you wish to implement, it’s critical that you not choose a version earlier than SSL v3.0. The “Navigating PCI DSS: Understanding the Intent of the Requirements” document states:

“Note that SSL versions prior to v3.0 contain documented vulnerabilities, such as buffer overflows, that an attacker can use to gain control of the affected system.”
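To make the handshake described earlier and the version guidance quoted above concrete, here is an added example, written for this article and not taken from any SSL/TLS implementation: it parses a constructed ClientHello, refuses client versions below a policy floor, and picks a cipher suite in server preference order from the list the client offered. The article's floor is SSL v3.0; since PCI DSS 3.1 later removed SSL and early TLS as acceptable protocols, the example makes the floor a parameter and defaults it to TLS 1.2. The cipher suite codes and the server preference list are assumptions chosen for illustration.

```python
import struct

# TLS version codes as they appear on the wire: (major, minor).
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = (3, 0), (3, 1), (3, 2), (3, 3)

# Assumed server preference list, strongest first (IANA cipher suite codes).
SERVER_PREFERENCE = [
    0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    0x009C,  # TLS_RSA_WITH_AES_128_GCM_SHA256
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
]

def parse_client_hello(record: bytes):
    """Return (client_version, offered_suites) from a raw TLS record carrying a ClientHello."""
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not a well-formed handshake record")
    body = record[5:]
    if body[0] != 0x01 or int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("not a ClientHello")
    hello = body[4:]
    client_version = (hello[0], hello[1])
    pos = 2 + 32                                    # skip the 32-byte client random
    pos += 1 + hello[pos]                           # skip the length-prefixed session id
    (suites_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    offered = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + suites_len, 2)]
    return client_version, offered

def negotiate(record: bytes, min_version=TLS_1_2, preference=SERVER_PREFERENCE):
    """Server-side selection: refuse versions below policy, then pick the first suite in
    *our* preference order that the client also offered. Returns the chosen suite code."""
    client_version, offered = parse_client_hello(record)
    if client_version < min_version:
        raise ValueError(f"client version {client_version} is below policy minimum {min_version}")
    for suite in preference:
        if suite in offered:
            return suite
    raise ValueError("no cipher suite in common")

def build_client_hello(version, suites):
    """Constructed test input: a minimal ClientHello (no extensions) for the given version."""
    body = bytes(version) + bytes(32) + b"\x00"      # version, zero client random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

With the default policy, a client announcing SSL 3.0 is rejected before any suite is chosen, while a TLS 1.2 client offering the CBC suite first still gets the GCM suite because the server's preference order wins.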

That’s about all there is to it. SSL and TLS are basic technologies that enable you to secure cardholder data in transit over the Internet. They’re fairly straightforward to configure and their use is clearly mandated by PCI DSS.