PCI settlements & finite-state machine


PCI DSS interpretation gap

PCI Sensitive Authentication Data (SAD) in clear-text over public networks

Use-case

A cardholder is being sent a SMS (text message) to their registered mobile number, with PIN (for physical only) or card security code (CVC2/CVV2), as a reminder in case these details are forgotten – card is issued as "virtual/plastic card”

Question

Which requirement of PCI DSS 3.2 prevents sending an element of SAD (PIN, CVC2, CVV2) in clear-text over public network if card number is not being transmitted as part of the same message?

Reference

Requirement 4: Encrypt transmission of cardholder data across open, public networks: Sensitive information must be encrypted during transmission over networks …

Requirement 4.1: “Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, …”

Cardholder Data in Glossary: At a minimum, cardholder data consists of the full PAN…

Sensitive Authentication Data in Glossary: Security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks)…

Conclusion

PCI DSS is very prescriptive about transmitting of card numbers over public networks, but does not address “sensitive authentication data” in the same manner, so either:

PCI DSS 3.2 does not prohibit to transmit an element of SAD (PIN/CVC2/CVV2) in clear-text if PAN is not present in the message (e.g. PIN reminder sent in clear-text over http) - which may seem strange considering strict requirements of “no storage of SAD after authorisation”, in conjunction with transmitting of SAD in clear-text

PCI DSS 3.2 starts req. 4 with “sensitive information”, and req. 4.1 refers to “sensitive cardholder data” but neither is strictly defined within the standard, and glossary contains only the terms of “cardholder data” and SAD - “sensitive cardholder data” is referenced on PCI DSS website: (…everything at the end of red arrow…): https://www.pcisecuritystandards.org/pci_security/why_security_matters

Solution

PCI DSS with next version, could be more rigorous in defining what kinds of data fall under the scope the of req. 4.1, and what the term “sensitive cardholder data” consists of in details? Currently one may conclude that if the transmission of PIN, CVC2/CVV2 over public network does not contain full card number it can be sent in clear-text…(If however that is the intention of the Council it would be good to clarify the interpretation)