Q

Will the PCI DSS require encryption over dedicated lines?

Currently, the PCI Data Security Standard mandates the encryption of any wireless transmissions, but should security professionals be ready to encrypt transmissions over dedicated lines? In this expert Q&A, expert Mike Chapple reveals which PCI changes are most likely.

Do you think that the PCI Data Security Standard will ever mandate file-level encryption for transmissions over dedicated lines? What would the implications be, and is it something we should prepare for today?
PCI Data Security Standard 4.1.1.a:
"For wireless networks transmitting cardholder data or connected to cardholder environments, verify that appropriate encryption methodologies are used for any wireless transmissions, such as: Wi-Fi Protected Access (WPA or WPA2), IPSEC VPN, or SSL/TLS."

It's unlikely that the PCI Security Standards Council will ever require the use of encryption over dedicated lines.

The passing of unencrypted data over a closed network carries only a small risk, and there are simply much greater threats that the PCI DSS must protect against. We're far more likely to see changes similar to the stricter revisions of the PCI Data Security Standard version 1.1. For example, we might see additional requirements limiting the storage of cardholder data or requiring more stringent reviews of security controls.

The implications of such an encryption requirement would be broad and far-reaching. Consider, for example, the public switched telephone network (PSTN). As a closed, non-public system, you're not currently required to use encryption when passing cardholder information over it. If the PCI DSS required encryption over telephone lines, virtually every dial-up credit card terminal in the world would need to be replaced with a model that supports encryption. And that's just one example. So in my opinion, it's unlikely to happen, and enterprises shouldn't spend time planning for this scenario.

More information:

  • Mike Rothman explains how PCI compensating controls can make life easier for security professionals.
  • Get the latest PCI DSS news and expert advice.
  • This was first published in July 2007

    Dig deeper on Disk Encryption and File Encryption

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close