SSL/TLS usage is specifically tied to which PCI DSS requirements?

• A. 2.2.3, 2.3, & 4.1
• B. 2.2, 2.3, and 4.0
• C. 3.2, 4.1, and 5.0
• D. 2.2.3, 2.3, and 4.0

Answer: (A)

SSL/TLS usage is about protecting cardholder data while it’s being transmitted over a network. In PCI DSS, the explicit mandate for encrypting data in transit with strong cryptography is captured in a single requirement that calls for using strong cryptography and security protocols to safeguard cardholder data during transmission over open, public networks. That makes TLS/SSL the expected mechanism to meet this requirement. The other controls in the options relate to secure configuration and access management, which support overall security but do not specify encryption for data in transit. Therefore, the pairing that includes the in-transit encryption requirement with the appropriate PCI DSS clause is the one that points to that transmission-protection rule, commonly stated as 4.1.