When must cardholder data be encrypted?

Prepare for the PCI DSS Fundamentals Exam with detailed multiple-choice questions, flashcards, and insightful explanations. Enhance your understanding and be exam-ready!

Cardholder data must be encrypted during transmission over open and public networks to protect it from interception by unauthorized individuals. This encryption is a critical requirement outlined in the PCI DSS framework, as open networks can expose sensitive information to potential threats. By encrypting data during transmission, organizations can ensure that even if the data is intercepted, it remains unreadable and therefore secure from misuse.

There are also requirements for encrypting data at other stages, such as during storage or when transferring between specific secure locations, but the most immediate and pressing need for encryption is during transmission across public channels. This safeguards the data from eavesdropping and potential theft as it crosses the internet or other insecure environments. Encrypting cardholder data in transit is therefore a fundamental aspect of maintaining the security and privacy of sensitive information.
