Diff: FAQ #1075
Is it permissible to use self-decrypting files for encryption to send cardholder data?
Earlier Version
2008-02-24 00:00:00 UTC
Later Version
2014-05-29 00:00:00 UTC
Removed
Added
PCI DSS rRequirement 4.1 states that transmission of cardholder data over a ?n open or public? network must be encryptedsecured using strong cryptography and security protocols. Examples provided in the requirement include This canLS, IPSEC, and SSH.
There may also beaccomplished through protocols such as SSL or through other processes that should other protocols and processes that can meet the intent of this requirement. Whichever method is used, it must meet all applicabe rele requirements, including that only secure viewed by a Qualified Security Assessor (QSA) to ensure full effectivenessersions and configurations are supported, and that the proper encryption strength is implemented for the encryption methodology in use. The QSA would determine, among other things, that the selected solution is robust enough to withstand common attacks (per
Refer to the PCI DSSrequirements)and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for additional information regarding ?strong cryptography?. For questions about whether a specific implementation is consistent with the standard or is ‘compliant’ with a requirement, please contact a Qualified Security Assessor (QSA). A list of QSAs can be found at www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf.
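Review bot: the answer text never mentions self-decrypting files, which are the subject of the question in the title; it only discusses Requirement 4.1 in general and points to a QSA. Suggest adding a sentence that says whether self-decrypting files can meet the intent of the requirement and which conditions from the text (strong cryptography, secure versions and configurations, proper encryption strength) they would have to satisfy.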