From the PCI DSS:
Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit.
| PCI DSS Requirement | How Requirement is Addressed with EFT Server |
| --- | --- |
| 4.1 - 4.1.1 Use strong cryptographic ciphers for transport protocols | EFT Server provides secure protocols such as secure sockets layer (SSL), transport layer security (TLS), and SFTP (SSH2) for data transmission. For HS-PCI-enabled sites, EFT Server PCI DSS HS limits SSL versions to v3 or higher, and ciphers to a minimum of 128 bits. EFT Server can also force secure data transmission by automatically redirecting incoming HTTP traffic to HTTPS. |
| 4.2 Never send unencrypted PANs (Primary Account Number: a unique sequence of numbers assigned to a cardholder account that identifies the issuer and the type of financial transaction card) by e-mail. | It is up to the administrator to ensure that PAN data is not included in user-generated e-mails sent by EFT Server. EFT Server system-generated messages have no way of including PAN data in the body of the e-mail message. |
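As an added example (not EFT Server code and not from this page), the following Python builds a server-side TLS context to the policy in the 4.1 row (strong suites only, 128-bit minimum strength) and audits any context against it, which is the kind of check an assessor runs when validating a transfer server's transport configuration. The TLS 1.2 floor, the OpenSSL cipher string and the function names are assumptions; the page names SSLv3 as the floor, but current OpenSSL builds no longer negotiate it.

```python
import re
import ssl

# Transport policy modelled on the 4.1 row: strong ciphers only and a 128-bit
# minimum symmetric strength. The protocol floor is an assumption (TLS 1.2 as
# the practical minimum, since modern OpenSSL no longer offers SSLv3).
MIN_STRENGTH_BITS = 128
MIN_VERSION = ssl.TLSVersion.TLSv1_2
# OpenSSL cipher string: HIGH-grade suites minus anonymous, null and legacy algorithms.
STRONG_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES:!EXPORT"
# Algorithm tokens that must never appear in an accepted suite name.
BANNED_TOKENS = {"NULL", "EXP", "RC4", "RC2", "DES", "MD5", "ADH", "AECDH"}

def cipher_violations(cipher):
    """Return the policy rules one cipher-suite description breaks.

    `cipher` has the shape of an entry from SSLContext.get_ciphers():
    a dict with at least 'name' and 'strength_bits'.
    """
    problems = []
    bits = cipher["strength_bits"]
    if bits < MIN_STRENGTH_BITS:
        problems.append(f"strength {bits} < {MIN_STRENGTH_BITS} bits")
    # Suite names use '-' (TLS 1.2 and older) or '_' (TLS 1.3) as separators.
    tokens = set(re.split(r"[-_]", cipher["name"].upper()))
    for token in sorted(tokens & BANNED_TOKENS):
        problems.append(f"banned algorithm {token}")
    return problems

def build_context(minimum_version=MIN_VERSION, ciphers=STRONG_CIPHERS):
    """Server-side SSLContext set to the policy (or a weaker one, for comparison)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if minimum_version is not None:
        ctx.minimum_version = minimum_version
    ctx.set_ciphers(ciphers)
    return ctx

def audit_context(ctx):
    """List every way a context falls short of the policy; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"protocol floor {ctx.minimum_version.name} below {MIN_VERSION.name}")
    for cipher in ctx.get_ciphers():
        for problem in cipher_violations(cipher):
            findings.append(f"{cipher['name']}: {problem}")
    return findings

if __name__ == "__main__":
    for finding in audit_context(build_context()) or ["compliant"]:
        print(finding)
```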