PCI DSS 4.2.1: Encrypt Cardholder Data During Transmission
Payment card number (PAN) data requires encryption whenever it crosses open networks. PCI DSS 4.2.1 mandates strong cryptography to prevent interception and unauthorized access during transmission. This control is critical for any organization handling card data across internet-connected systems.
What this means
Control 4.2.1 requires organizations to use strong cryptographic protocols (such as TLS 1.2 or higher) to protect PAN and other sensitive authentication data when transmitted over public or untrusted networks. This applies to all cardholder data environments and prevents attackers from capturing unencrypted payment information in transit.
How to comply
- 1.Identify all network paths where PAN is transmitted, including external communications and internal network segments connected to untrusted networks
- 2.Implement TLS 1.2 or higher for all PAN transmissions over public networks; document minimum acceptable encryption standards
- 3.Configure network devices and applications to enforce encryption at both the protocol level (HTTPS, SFTP) and application level where needed
- 4.Disable weak or deprecated cryptographic protocols (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1) across all systems handling cardholder data
- 5.Maintain an inventory of encryption certificates and establish processes for regular certificate renewal before expiration
- 6.Test cryptographic implementations annually and whenever network infrastructure changes using vulnerability scanning and penetration testing
Evidence auditors look for
- Network traffic captures showing TLS 1.2+ encryption on all PAN transmission channels
- SSL/TLS certificate inventory with current validity dates and renewal schedules
- Configuration documentation for firewalls, load balancers, and application servers enforcing strong cipher suites
- Disabled protocol logs and screenshots showing SSL/early TLS versions are not active
- Annual penetration test reports confirming no unencrypted PAN transmission vulnerabilities
- Change logs documenting protocol upgrades and deprecated encryption removal
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch maps all PAN transmission points in your network and monitors TLS version enforcement, cipher suite configuration, and certificate expiration across your infrastructure—alerting you to weak cryptography before your next audit.
See how GRCWatch handles this control automatically
Start free trial