To safeguard sensitive cardholder data during transmission over open networks, which of the following best describes the required control?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

To safeguard sensitive cardholder data during transmission over open networks, which of the following best describes the required control?

Explanation:
Protecting cardholder data in transit relies on strong cryptography applied through secure protocols. PCI DSS requires that any transmission of cardholder data over open networks be protected with strong cryptography and approved security protocols. The best way to describe the required control is to use the strongest available encryption, and apply it via robust protocols (such as TLS or IPsec) so the data remains unreadable to anyone intercepting the transmission. This emphasis on strength and using proven, current protocols is why the option stating to use the strongest available encryption, regardless of protocol, is the correct choice. In practice, this means avoiding deprecated or weak options like WEP and choosing modern, strong encryption with appropriate protocols. The other statements are too restrictive or incorrect: PCI does not mandate avoiding wireless networks entirely, WEP is not acceptable, and WEP with a strong password is still not acceptable.

