Requirement 4: Encrypt transmission of cardholder data across open, public networks

Any time cardholder data is sent wirelessly, over the internet, or across any network that is not private, strong encryption must be used to protect it. Deprecated and outdated encryption technologies such as SSL versions 2 and 3, TLS version 1.0, and WEP are no longer sufficient to protect cardholder data. Wireless networks should use at least WPA with strong passphrases, and web traffic should be protected with TLS 1.1 or later. In addition to HTTPS, VPN connections and IPsec tunnels using strong encryption protocols can be used to meet this requirement.
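As an added example (not part of the original page or of any PCI tooling), the following Python code shows how a passive network monitor could read the negotiated protocol version out of a captured TLS ServerHello and compare it with the TLS 1.1 floor stated above. The function names are hypothetical, the sample records are constructed, and the example goes beyond the text by also reading the TLS 1.3 supported_versions extension.

```python
import struct

# Wire version codes -> names. The page treats SSL 3.0 and TLS 1.0 as insufficient.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MIN_ACCEPTED = 0x0302  # TLS 1.1, the floor stated on this page

def negotiated_version(record):
    """Return the version a ServerHello selected.

    Handles the SSL 3.0 / TLS record format only; SSL 2.0 uses a different
    framing and is rejected here as "not a ServerHello".
    """
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    version, = struct.unpack_from("!H", record, 9)  # legacy server_version
    pos = 9 + 2 + 32                                 # skip version + random
    pos += 1 + record[pos]                           # skip session_id
    pos += 2 + 1                                     # cipher suite + compression
    if pos + 2 > len(record):
        return version                               # no extensions block
    ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(record)):
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        if ext_type == 0x002B and ext_len == 2:      # supported_versions (TLS 1.3)
            return struct.unpack_from("!H", record, pos + 4)[0]
        pos += 4 + ext_len
    return version

def assess(record):
    """Return (protocol name, meets the page's TLS 1.1 floor)."""
    v = negotiated_version(record)
    return VERSIONS.get(v, "unknown 0x%04x" % v), v >= MIN_ACCEPTED

def sample_server_hello(version, extensions=b""):
    """Build a constructed ServerHello (zeroed random, empty session id)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

if __name__ == "__main__":
    tls13_ext = b"\x00\x2b\x00\x02\x03\x04"          # constructed extension
    for rec in (sample_server_hello(0x0301), sample_server_hello(0x0303, tls13_ext)):
        print(assess(rec))
```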

Default digital certificates provided by manufacturers must be replaced with trusted certificates. Only digital certificates issued by trusted certificate authorities should be relied on for authentication.

Unprotected cardholder data must never be sent over e-mail, instant messaging, text, or any other user messaging technology.

