Use strong cryptography to protect data in transit
Description
Strong cryptography must be used whenever cardholder data is transmitted over open networks.
⚠️ Risk Impact
Unencrypted cardholder data in transit can be captured via network sniffing.
🔧 Remediation
Enforce TLS 1.2+ with strong cipher suites.
💀 Real-World Attack Scenario
A payment gateway transmitted cardholder data over TLS 1.0 with weak cipher suites. An attacker performed a POODLE downgrade attack to intercept encrypted card data, successfully decrypting 45,000 card transactions over a 2-week period before the weak cipher was detected.
💰 Cost of Non-Compliance
PCI DSS 4.0 mandates TLS 1.2+ (TLS 1.0/1.1 explicitly prohibited). Non-compliance: $5K-$100K/month in fines. Weak cryptography breaches carry full fraud liability for the merchant.
📋 Audit Questions
1. What TLS versions are supported on payment endpoints?
2. Which cipher suites are accepted?
3. Are TLS 1.0 and 1.1 explicitly disabled?
4. Do you perform regular TLS configuration testing?
⚡ Common Pitfalls
- ⛔ Supporting TLS 1.0/1.1 for backward compatibility with old clients
- ⛔ Using weak cipher suites (RC4, DES, 3DES)
- ⛔ Not testing for SSL/TLS vulnerabilities regularly (POODLE, BEAST, etc.)
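The audit questions and pitfalls above reduce to a mechanical check: no TLS 1.0/1.1, no RC4/DES/3DES, TLS 1.2+ present. The following is an added example (not EchelonGraph code) that applies those rules to a constructed scanner report and builds a client-side ssl.SSLContext that enforces the same policy; the host names and cipher lists are made up.

```python
import ssl

# Protocol versions PCI DSS 4.0 prohibits for cardholder data in transit.
PROHIBITED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Weak cipher families from the pitfalls list, plus NULL/EXPORT/MD5 (generally recognised as weak).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "3DES", "NULL", "EXPORT", "MD5")


def audit_endpoint(name, versions, ciphers):
    """Return a list of findings for one endpoint's observed TLS configuration."""
    findings = []
    for v in versions:
        if v in PROHIBITED_VERSIONS:
            findings.append(f"{name}: prohibited protocol version {v} enabled")
    for c in ciphers:
        if any(m in c.upper() for m in WEAK_CIPHER_MARKERS):
            findings.append(f"{name}: weak cipher suite {c} accepted")
    if not any(v in ("TLSv1.2", "TLSv1.3") for v in versions):
        findings.append(f"{name}: no TLS 1.2+ support")
    return findings


def audit_scan(scan):
    """Run audit_endpoint over a {host: {"versions": [...], "ciphers": [...]}} report."""
    return {host: audit_endpoint(host, r["versions"], r["ciphers"]) for host, r in scan.items()}


def hardened_client_context():
    """Build an ssl.SSLContext that refuses TLS < 1.2 and legacy cipher suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: forward-secret AES-GCM suites only, legacy algorithms excluded.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def context_is_compliant(ctx):
    """Check a context against the same policy the scanner audit applies."""
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        return False
    names = [c["name"] for c in ctx.get_ciphers()]
    return not any(any(m in n.upper() for m in WEAK_CIPHER_MARKERS) for n in names)


# Constructed sample report (hypothetical hosts), shaped like a TLS scanner's per-endpoint output.
SAMPLE_SCAN = {
    "pay.example.test": {"versions": ["TLSv1.0", "TLSv1.2"],
                         "ciphers": ["DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]},
    "api.example.test": {"versions": ["TLSv1.2", "TLSv1.3"],
                         "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384"]},
}
```

Feeding real scanner output (for example from nmap's ssl-enum-ciphers or testssl.sh) into audit_scan turns question 4 into a repeatable check rather than a one-off review.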
📈 Business Value
Strong TLS enforcement protects cardholder data in transit and eliminates downgrade attacks. It's a zero-cost control that prevents entire classes of cryptographic attacks.
⏱️ Effort Estimate
2-4 hours to audit and update TLS configurations
EchelonGraph monitors TLS configurations across all endpoints
Automate PCI DSS 4.1 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.