PCI requirements in transmitting cardholder data


ronduag
07-10-2007, 10:59 PM
Hi,

I just want to ask: what are the requirements for us to be compliant with PCI if we are just transmitting cardholder data? Currently, we have documents that came from their website, which is the Payment Card Industry (PCI) Data Security Standard Version 1.1, released in September 2006.

Any feedback is highly appreciated. Thanks in advance.

Ron Duag

jbhall56
07-11-2007, 04:54 AM
Requirement 4 of the PCI DSS addresses this topic very well. For the transmission of cardholder information, organizations are required to use encryption with strong keys and appropriate key management.

So, if you are using SSL/TLS to encrypt your communications, you will be fine as long as the SSL/TLS has a strong key and appropriate key management.

If you are using a VPN, make sure that the tunnel is encrypted with strong keys and appropriate key management.

If you are sending data via email, any data should be in an encrypted file attachment, or the message itself is encrypted à la PGP or a similar solution. Again, strong keys must be generated and appropriate key management processes should be implemented.
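As an added illustration of the SSL/TLS point in the reply above (this is example code written for this page, not code from jbhall56 or from any PCI document), the following Python shows what "strong keys" looks like in practice on the client side of a TLS channel: a context that refuses old protocol versions and weak cipher suites and verifies the server certificate, plus a check you can run on the tuple `ssl.SSLSocket.cipher()` returns after a handshake. The policy thresholds (TLS 1.2 minimum, 128-bit symmetric keys, forward-secret key exchange, no RC4/DES/MD5/NULL/export ciphers) are this example's assumptions about what a reasonable "strong key" policy is today; they are not quoted from PCI DSS 1.1.

```python
import ssl

# Policy values: assumptions made for this example, not text from PCI DSS.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
# OpenSSL cipher string: forward-secret key exchange with AEAD bulk ciphers only.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"
MIN_SYMMETRIC_BITS = 128
LEGACY_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
WEAK_PRIMITIVES = ("RC4", "DES", "MD5", "NULL", "EXP")


def make_client_context(cafile=None):
    """Build a client TLS context suitable for sending cardholder data.

    The context pins the minimum protocol version, restricts cipher suites to
    the STRONG_CIPHERS list, and requires a verified server certificate with
    hostname checking, so a downgrade or a self-signed endpoint fails to connect.
    `cafile` is an optional path to a trust bundle; None uses the system store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_context(ctx):
    """Return (minimum protocol name, verify mode name) for a context,
    as a hypothetical helper for logging or for a compliance evidence report."""
    return ctx.minimum_version.name, ctx.verify_mode.name


def transport_is_acceptable(cipher_info):
    """Judge a negotiated TLS session against the policy.

    `cipher_info` is the 3-tuple that ssl.SSLSocket.cipher() returns:
    (cipher_name, protocol_version, secret_bits). Returns (ok, reason).
    """
    name, version, bits = cipher_info
    if version in LEGACY_VERSIONS:
        return False, "protocol %s is below the TLS 1.2 minimum" % version
    if bits is None or bits < MIN_SYMMETRIC_BITS:
        return False, "%s-bit session key is below %d bits" % (bits, MIN_SYMMETRIC_BITS)
    upper = name.upper()
    for weak in WEAK_PRIMITIVES:
        if weak in upper:
            return False, "cipher %s uses weak primitive %s" % (name, weak)
    # TLS 1.3 suites are always forward secret; for TLS 1.2 insist on (EC)DHE.
    if version == "TLSv1.2" and "DHE" not in upper:
        return False, "cipher %s lacks forward secrecy" % name
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample sessions, as cipher() would report them.
    samples = [
        ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
        ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
        ("RC4-SHA", "TLSv1", 128),
        ("AES256-SHA", "TLSv1.2", 256),
        ("DES-CBC3-SHA", "TLSv1.2", 112),
    ]
    print("context policy:", describe_context(make_client_context()))
    for s in samples:
        print(s, "->", transport_is_acceptable(s))
```

To use it on a live connection you would wrap a socket with `make_client_context().wrap_socket(sock, server_hostname=host)` and pass `sock.cipher()` to `transport_is_acceptable` before sending anything; the check is deliberately a pure function so it can also be run over recorded handshake data when producing evidence for an assessor.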