Tags: ssl, pci-compliance

PCI Standards end to end encryption


In order to comply with all due diligence, it is required to encrypt all sensitive data when stored and transferred, such as cards, address, sex, names, etc.

I know TLS 1.3 encrypts all the data. But the standard says: "Encrypting all electronic transmissions of confidential and personal Information." What I understand is that the standard requires that ON THE CLIENT SIDE we add an extra security layer; this extra layer would be manually encrypting, with RSA algorithms, any sensitive data exchanged from the client side to the server and the other way around.

You can find the official PDF with the requirements here:

https://www.pcisecuritystandards.org/documents/SSF-Qualification-Requirements-for-Assessors-V1.pdf?agreement=true&time=1580914534790


Solution

  • TLS 1.3 over HTTPS covers encrypting the data in transfer. If the site is using these protocols, it is not necessary, at the moment, to encrypt data on the client side for PCI standards, because TLS already achieves it.

    More info: Encrypting on the client side is not really useful, and usually companies do not do it. Nevertheless, there are some sites in the security area that encrypt the data on the client side before sending it. This option is there to be protected against any break of TLS and to give extra time to patch and update to the latest version without compromising any data. Nevertheless, this extra step can be seen as unnecessary once TLS is in use.