Payment data is never more vulnerable than when it moves, and in 2026 the rules tightened in a way many organizations have not yet operationalized. PCI DSS 4.0.1, Requirement 4.2.1, now applies to all networks where the primary account number travels — not just public ones. Internal, service-to-service API calls carrying payment data must now be encrypted. "It's fine, it's on our internal network" is no longer defensible.
The standard we hold
The baseline is non-negotiable: TLS 1.2 or higher, with TLS 1.3 our default — faster, stripped of the weak cipher suites that lingered in 1.2, and cleaner to defend in an assessment. Approved ciphers only: AES-GCM, ChaCha20-Poly1305; never RC4 or 3DES. We go beyond the edge with mutual TLS between internal services, so workloads authenticate one another — satisfying the "all networks" mandate and aligning the estate with zero-trust. The cryptography itself is governed: maintained inventory of trusted keys and certificates, documented cipher policy, automated rotation, and centralized evidence collection — so the mandatory annual review is a report you run, not a scramble you survive.
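The policy above expressed as code, as an added example written for this page rather than Aydahwa's own tooling: a Go `crypto/tls` server configuration that enforces the baseline (TLS 1.2 minimum, AEAD suites only, mutual TLS between internal services) and a check that judges a negotiated session against it. The names `approvedTLS12Suites`, `InternalServiceConfig` and `Compliant` are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// The transit policy as this page states it: TLS 1.2 minimum, TLS 1.3 preferred,
// AEAD suites only (AES-GCM, ChaCha20-Poly1305), mutual TLS between internal services.
var approvedTLS12Suites = []uint16{ // ECDHE only, so TLS 1.2 sessions keep forward secrecy
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// InternalServiceConfig is the server-side config for an internal payment service:
// peers must present a certificate chaining to clientCAs (the mTLS "all networks" control).
func InternalServiceConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: approvedTLS12Suites, // TLS 1.2 only; every TLS 1.3 suite is already AEAD
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
	}
}

// Compliant judges a negotiated (version, suite) pair against the policy; call it from
// tls.Config.VerifyConnection, or over exported session records as assessment evidence.
func Compliant(version, suite uint16) (bool, string) {
	switch {
	case version < tls.VersionTLS12:
		return false, fmt.Sprintf("protocol 0x%04x is below the TLS 1.2 minimum", version)
	case version == tls.VersionTLS13:
		return true, "TLS 1.3 " + tls.CipherSuiteName(suite)
	}
	for _, ok := range approvedTLS12Suites {
		if suite == ok {
			return true, "TLS 1.2 " + tls.CipherSuiteName(suite)
		}
	}
	return false, "TLS 1.2 with non-approved suite " + tls.CipherSuiteName(suite)
}

func main() { // constructed sample: a 3DES session is flagged, a TLS 1.3 one passes
	fmt.Println(Compliant(tls.VersionTLS12, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA))
	fmt.Println(Compliant(tls.VersionTLS13, tls.TLS_AES_256_GCM_SHA384))
}
```

Wiring `Compliant` into `VerifyConnection` turns the cipher policy into a hard failure at handshake time, and logging its second return value gives the per-session evidence the annual review asks for.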
Proven in delivery
Aydahwa's principal led the secure-infrastructure function for a GCC commercial bank operating under PCI DSS, ISO 27001 and central-bank oversight — administering a 50+ server high-availability estate hardened to PCI DSS, CIS Benchmarks and STIG across core banking, payments and Internet Banking. We implemented encryption across the core banking stack — database, application and payment systems — and migrated the Internet Banking platform to a clustered Solaris 11.3 architecture, materially reducing the audit and breach-impact surface. We engaged regulators and internal audit directly, documenting evidence and driving remediation of control gaps.
This is the difference between buying a configuration and engaging an engineering partner. When your assessor asks how payment data is protected in transit, the answer should be effortless. We make it so.
Reference reading
- Schellman — "TLS 1.3 Encryption and PCI DSS Compliance"
- AppViewX — "Decoding the PCI DSS v4.0 Cryptographic Requirements"
- Thoropass — "PCI DSS encryption requirements: Version 4.0.1"
