FAQ #1075 Published

Is it permissible to use self-decrypting files for encryption to send cardholder data?

PCI DSS requirement 4.1 states that transmission of cardholder data over a "public" network must be encrypted. This can be accomplished through protocols such as SSL or through other processes that should be reviewed by a Qualified Security Assessor (QSA) to ensure full effectiveness. The QSA would determine, among other things, that the selected solution is robust enough to withstand common attacks (per PCI DSS requirements). For questions about whether a specific implementation is consistent with the standard or is "compliant" with a requirement, please contact a Qualified Security Assessor (QSA). A list of QSAs can be found at www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf.