When a service is considered insecure but required, what should be done?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

When a service is considered insecure but required, what should be done?

Explanation:
When a required service can’t meet security needs in its current form, you don’t leave it unprotected. The right approach is to apply compensating controls that reduce risk to an acceptable level. In this scenario, that means bolstering the insecure service with strong security measures for data in transit, such as adding encryption and secure channels. Using TLS to encrypt traffic, SSH for secure remote access, or IPsec to protect network communication helps ensure confidentiality, integrity, and authentication even though the service itself is inherently insecure. It’s important that these compensating controls are well documented, tested, and maintained according to PCI DSS requirements.

Leaving the service unprotected or enabling it as-is would expose cardholder data, which PCI DSS prohibits. Replacing it with a protocol that has no security features also fails to meet the standard, since data would remain unprotected in transit.

