I still remember the look on the merchant's face when I showed him the packet capture. We were sitting in his office—a thriving e-commerce business doing about $12 million annually—and on my laptop screen, I could see his customers' credit card numbers flowing across his network in plain text. Crystal clear. Completely unencrypted.
"That can't be right," he said, leaning closer to the screen. "We use HTTPS on our website."
"You do," I replied, pulling up another capture. "But look at what happens between your web server and your payment gateway. See this? That's a Primary Account Number. And that one. And that one."
His face went pale. "How long has this been happening?"
"Since you launched. Four years ago."
That conversation happened in 2017, and it led to one of the most intensive remediation projects of my career. But more importantly, it taught me something I've carried ever since: when it comes to payment card data, assumptions kill businesses.
Why Requirement 4 Exists (And Why It Matters More Than Ever)
After fifteen years of conducting PCI DSS assessments, I can tell you that Requirement 4 violations are among the most common—and most dangerous—compliance failures I encounter. The requirement seems straightforward: "Encrypt transmission of cardholder data across open, public networks."
But here's what keeps me up at night: I've investigated breaches where encrypted e-commerce websites were transmitting card data in cleartext internally, between data centers, or to third-party processors.
The attackers weren't breaking into the front door. They were sitting on the network, watching unencrypted data flow by like fish in a stream.
"Encryption in transit isn't about protecting data from hypothetical threats. It's about ensuring that when—not if—someone gains access to your network, they can't read what they're seeing."
Let me share the real cost of getting this wrong.
The $3.2 Million Lesson: A Case Study in Failed Encryption
In 2019, I was called in as an expert witness for a breach investigation. A regional payment processor had suffered a compromise that exposed roughly 2.1 million card numbers over an 18-month period.
The attack vector? An intern's laptop got compromised through a phishing email. The malware gave attackers a foothold on the corporate network. From there, they moved laterally until they found what they were looking for: a connection between the web-facing servers and the internal payment processing systems.
That connection? Completely unencrypted. Raw card data flowing over their internal network, visible to anyone with network access.
The final damage:
$3.2 million in direct breach costs
$8.7 million in card reissuance fees
$1.4 million in regulatory fines
Loss of payment processor status
Bankruptcy filed 14 months later
The encryption solution they should have implemented? About $45,000 initially, plus $12,000 annually for maintenance.
That's a 71,000% return on investment—if you measure ROI by "staying in business."
Understanding PCI DSS Requirement 4: The Complete Breakdown
Let me walk you through what Requirement 4 actually demands, based on version 4.0 of the standard (released March 2022, with some requirements becoming mandatory in March 2025).
The Core Mandate
PCI DSS Requirement 4 has one primary objective: Protect cardholder data with strong cryptography during transmission over open, public networks.
Sounds simple, right? But the devil lives in the details—and in those details, I've seen countless organizations trip up.
Here's the complete structure:
Requirement | Description | Common Pitfalls I've Seen |
|---|---|---|
4.1 | Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and understood | Organizations assume this applies only to internet-facing systems, missing internal unencrypted transmissions |
4.2 | PAN is protected with strong cryptography whenever it is transmitted over open, public networks | Teams focus on HTTPS but forget about email, FTP, and internal network segments |
4.2.1 | An inventory of trusted keys and certificates is maintained | I've found organizations with 200+ certificates and no idea which ones are actually in use |
4.2.1.1 | Certificates have a maximum validity period of 397 days (new in v4.0) | Many organizations still issuing 2-year certificates without realizing the requirement changed |
4.2.1.2 | Certificates are issued by a trusted CA | Self-signed certificates still in production environments—a QSA's nightmare |
4.2.2 | Wireless networks transmitting PAN are encrypted using strong cryptography | Guest WiFi connected to cardholder data environments—I see this monthly |
What Counts as an "Open, Public Network"?
This is where I see organizations get confused. Let me clarify based on my assessment experience:
Definitely Open, Public Networks:
The Internet
Wireless technologies (WiFi, cellular, satellite)
GPRS, Bluetooth
Public WiFi networks
Untrusted network segments
Also Considered Open, Public Networks (This Surprises People):
Multi-tenant data center networks
Cloud provider networks (even "private" clouds)
Network segments accessible by multiple organizations
Any network where you don't control all components
Generally NOT Considered Open, Public Networks:
Fully internal corporate networks where you control all components
Direct fiber connections between your owned facilities
Isolated network segments with no external connectivity
But here's my rule of thumb after 15 years: When in doubt, encrypt it. The performance overhead is negligible in modern systems, and the peace of mind is worth it.
The Technology Stack: What Actually Works
Let me get practical. Here's what I recommend to clients based on different scenarios:
Web Application Traffic
Technology | Minimum Version | Why It Matters | Implementation Difficulty |
|---|---|---|---|
TLS | 1.2 (minimum), 1.3 (recommended) | TLS 1.0/1.1 have known vulnerabilities | Easy - Most platforms support |
Cipher Suites | Strong encryption only (AES-256, ChaCha20) | Weak ciphers can be broken with modern computing | Medium - Requires configuration |
Certificate Key Length | 2048-bit RSA minimum, 256-bit ECC preferred | Shorter keys are vulnerable to brute force | Easy - Standard in modern CAs |
Perfect Forward Secrecy | Required (ECDHE, DHE) | Protects past sessions if private key compromised | Medium - Must configure properly |
Real-World Example: E-commerce Implementation
Last year, I worked with an online retailer processing about $45 million annually. They thought they were compliant because their checkout page used HTTPS. When I assessed them, here's what I found:
Their Setup:
Website: TLS 1.2 ✓
Payment gateway API: TLS 1.2 ✓
Internal logging system: Unencrypted HTTP ✗
Database backups to S3: Unencrypted ✗
Email receipts with last 4 digits: Unencrypted SMTP ✗
We spent three weeks fixing gaps they didn't know existed. The cost? About $28,000. The alternative? Potential non-compliance fines starting at $5,000 per month, plus breach liability.
Point-to-Point Encryption (P2PE)
This is where I get excited. P2PE is one of the best technologies to emerge in payment security in the past decade.
How P2PE Works:
Card data is encrypted at the point of interaction (card reader)
Data remains encrypted through your entire environment
Only the payment processor can decrypt the data
Your systems never see cleartext card data
I implemented P2PE for a restaurant chain with 47 locations in 2021. The benefits were immediate:
Metric | Before P2PE | After P2PE | Improvement |
|---|---|---|---|
PCI DSS Scope | 47 locations, full SAQ D | 47 locations, SAQ P2PE | 85% reduction in scope |
Compliance Cost | $134,000 annually | $31,000 annually | 77% reduction |
Audit Time | 6 weeks | 1.5 weeks | 75% reduction |
Internal Resources | 2 FTEs | 0.3 FTE | 85% reduction |
"Point-to-Point Encryption isn't just a security control—it's a business transformation. It removes the target from your back while slashing compliance costs."
Email and File Transfer
This is where I see the most violations. Organizations encrypt their websites perfectly, then email reports with card data or transfer files via FTP.
Compliant Options I Recommend:
Method | Use Case | Security Level | Implementation Cost |
|---|---|---|---|
SFTP | Automated file transfers | High | Low ($0-$500) |
S/MIME | Email encryption | High | Medium ($1,000-$5,000) |
PGP/GPG | File encryption | Very High | Low ($0-$2,000) |
Secure File Transfer Portals | Ad-hoc file sharing | High | Medium ($3,000-$15,000/year) |
VPN with TLS 1.2+ | Network-level encryption | High | Low ($500-$5,000) |
A Cautionary Tale: The Email Encryption Gap
I once audited a payment processor that had invested heavily in network security. Firewalls, intrusion detection, the works. They passed every technical test with flying colors.
Then I asked to see their reconciliation process. Every day at 5 PM, they emailed a CSV file containing that day's transactions—including full PANs—to their accounting firm. Over regular, unencrypted email.
"But we trust our accounting firm," the controller protested.
"I'm sure you do," I replied. "But what about everyone in between? Your email server, their email server, every relay point along the way, their employees who might access it, the backup systems..."
We counted 17 different points where that email could be intercepted or accessed by unauthorized parties.
The fix took 2 days: implement SFTP, encrypt the file with PGP, automate the transfer. Total cost: $3,400. Potential breach cost: millions.
Wireless Networks: The Often-Overlooked Vector
Wireless encryption failures are responsible for more PCI DSS breaches than most people realize. Let me share what I've learned:
WiFi Security Requirements
Security Measure | PCI DSS Requirement | Common Mistakes |
|---|---|---|
Encryption Protocol | WPA2 or WPA3 | Using WPA or WEP (shockingly still happens) |
Authentication | WPA2-Enterprise with 802.1x | Using shared passwords (PSK) |
Network Segmentation | Cardholder data isolated from guest WiFi | Guest and internal on same network |
Change Default Settings | All defaults changed | Default SSID, admin passwords unchanged |
Strong Passwords | Complex, regularly changed | "Password123" - I've seen it |
Real Example: The Coffee Shop Breach
In 2018, I investigated a breach at a small business that had a coffee shop in the same building as their payment processing office. They offered free WiFi to customers.
The problem? Their payment processing systems were on the same network as the customer WiFi. An attacker sat in the coffee shop, connected to the free WiFi, and ran network scanning tools. Within 20 minutes, they'd identified the payment systems. Within an hour, they had access.
The business owner was devastated. "We're not a tech company," he said. "We just wanted to offer free WiFi."
The fix was simple: Network segmentation. We created three separate VLANs:
Guest WiFi (completely isolated)
Office network (non-sensitive)
Payment processing (cardholder data environment)
Cost: $2,800 for a managed switch and proper configuration.
Certificate Management: The Unglamorous Critical Control
I need to talk about something that sounds boring but causes massive headaches: certificate management.
The Certificate Lifecycle
Phase | PCI DSS Requirement | What I Tell Clients |
|---|---|---|
Inventory | Maintain complete inventory of all certificates | Use automated discovery tools - manual inventories are always incomplete |
Validity Period | Maximum 397 days (as of March 2025) | Set reminders for 60 days before expiration |
Issuance | Issued by trusted CA | Never self-sign production certificates |
Installation | Proper certificate chain | Test with SSL Labs or similar tools |
Renewal | Before expiration | Automate this or you WILL forget |
Revocation | Remove expired/revoked certificates | I've found 5-year-old certificates still in trust stores |
The $1.7 Million Certificate Expiration
This story still makes me cringe. A major retailer forgot to renew their payment gateway's SSL certificate. It expired at 2:37 AM on a Saturday morning.
When customers tried to check out, they got security warnings. Savvy customers left. Unsavvy customers clicked through the warnings... and exposed their card data to man-in-the-middle attacks.
The breach wasn't discovered until Monday morning. Over 40 hours of compromised transactions. Approximately 23,000 cards exposed.
The total cost exceeded $1.7 million. The certificate renewal? $149 annually.
I now advocate for automated certificate management systems for any organization processing payments. The tools typically cost $5,000-$25,000 annually depending on your environment size. Compared to a breach? Essentially free.
Strong Cryptography: What Does It Actually Mean?
"Strong cryptography" is PCI DSS terminology that confuses a lot of people. Let me demystify it based on the standard and my practical experience:
Approved Encryption Algorithms (As of PCI DSS v4.0)
Algorithm Type | Approved Options | Minimum Key Length | Notes from the Field |
|---|---|---|---|
Symmetric Encryption | AES, Triple-DES | AES: 128-bit, 3DES: 112-bit | Use AES-256 whenever possible; Triple-DES is deprecated |
Asymmetric Encryption | RSA, ECC | RSA: 2048-bit, ECC: 256-bit | ECC provides better security with shorter keys |
Hashing | SHA-256, SHA-512 | N/A | Never use MD5 or SHA-1 for new implementations |
Key Exchange | ECDHE, DHE | DHE: 2048-bit minimum | Perfect Forward Secrecy is required |
What NOT to Use (I Still Find These in 2024)
Deprecated Technology | Why It's Dangerous | What I've Seen |
|---|---|---|
SSL v2/v3 | Multiple critical vulnerabilities | Legacy systems that "can't be upgraded" |
TLS 1.0/1.1 | Vulnerable to BEAST, POODLE attacks | PCI DSS explicitly prohibits as of June 2018 |
RC4 cipher | Biases in keystream allow decryption | Still enabled on some servers "for compatibility" |
DES | 56-bit keys easily broken | Found in systems from the 1990s still processing payments |
MD5 | Collision attacks proven practical | Still used for "integrity checking" |
"I've seen organizations spend millions on the latest security tools while running payment systems on TLS 1.0. It's like installing a high-tech alarm system on a house with no locks on the doors."
Implementation Roadmap: How to Actually Do This
Based on implementing Requirement 4 for dozens of organizations, here's my proven approach:
Phase 1: Discovery and Inventory (Weeks 1-2)
Step 1: Map Data Flows Create a diagram showing every place cardholder data travels:
Web servers to application servers
Application servers to databases
Batch processes to payment processors
Reports to stakeholders
Backups to storage
I use tools like Wireshark, tcpdump, and network flow analyzers. Cost: $0-$5,000 depending on your environment complexity.
Step 2: Identify All Certificates Don't rely on what people remember. Scan your network:
# Tools I use regularly
- SSL Certificate Scanner
- Nmap with SSL enumeration
- Certificate inventory tools
A client once told me they had "about 20 certificates." We found 147. Many were expired, self-signed, or using weak encryption.
Phase 2: Gap Analysis (Weeks 2-3)
Assessment Area | Questions to Answer | Tools/Methods |
|---|---|---|
Encryption Coverage | Is every transmission path encrypted? | Network packet captures, flow analysis |
Protocol Versions | Are we using TLS 1.2 or higher everywhere? | SSL/TLS scanners, penetration testing |
Cipher Suites | Are weak ciphers disabled? | SSL Labs, testssl.sh |
Certificate Validity | Are all certificates properly issued and current? | Certificate inventory tools |
Wireless Security | Are all wireless networks properly encrypted? | WiFi security audits |
Phase 3: Remediation (Weeks 4-12)
Priority order based on risk:
Critical (Fix Immediately):
Any unencrypted transmissions of PAN over open networks
SSL/TLS 1.0 or 1.1 in production
Expired or self-signed certificates
WEP or WPA1 wireless encryption
High (Fix Within 30 Days):
Weak cipher suites enabled
Missing Perfect Forward Secrecy
Certificates from untrusted CAs
Inadequate key lengths
Medium (Fix Within 90 Days):
Certificate management process gaps
Wireless network segmentation issues
Documentation gaps
Phase 4: Validation and Testing (Week 13-14)
This is critical. I've seen organizations implement encryption but configure it incorrectly, leaving them vulnerable and non-compliant.
Testing Checklist:
Test Type | What to Verify | Tools I Recommend |
|---|---|---|
Protocol Testing | Only TLS 1.2+ accepted | SSL Labs, testssl.sh |
Cipher Suite Testing | Weak ciphers rejected | Nmap, OpenSSL s_client |
Certificate Validation | Proper chain, trusted CA, valid dates | SSL Labs, Certificate Checker |
Penetration Testing | Cannot intercept or decrypt traffic | Professional penetration test |
Wireless Testing | Strong encryption, proper segmentation | WiFi security tools, packet capture |
Phase 5: Ongoing Maintenance (Continuous)
Monthly Tasks:
Review certificate expiration dates
Check for new vulnerabilities in cryptographic protocols
Verify encryption configurations haven't changed
Quarterly Tasks:
Full certificate inventory audit
Cipher suite configuration review
Wireless security assessment
Update encryption policies based on new threats
Annual Tasks:
Comprehensive penetration testing
Review and update cryptographic standards
Evaluate new encryption technologies
Common Mistakes That Fail Audits
After conducting over 200 PCI DSS assessments, here are the mistakes I see repeatedly:
1. The "Internal Network" Assumption
The Mistake: "We don't need encryption on our internal network because it's secure."
The Reality: Your internal network is only as secure as your weakest employee credential, most vulnerable endpoint, or least-secure vendor connection.
What I Found: During a recent assessment, I discovered an organization had perfect external encryption but transmitted card data unencrypted between their web server and database. They were on different VLANs but the same physical network.
When I demonstrated a man-in-the-middle attack from a compromised workstation, capturing card data in real-time, the CISO's response was memorable: "Oh sh*t."
The Fix: Encrypt everything that touches cardholder data, regardless of where it travels.
2. The Legacy System Trap
The Mistake: "We can't upgrade that system—it's too old and the vendor won't support TLS 1.2."
The Reality: PCI DSS doesn't care about vendor limitations. If you can't make a system compliant, you can't use it for payment processing.
Real Example: I worked with a hotel chain still running a property management system from 2003. It only supported SSL 3.0. The vendor had gone out of business.
Options I Presented:
Replace the system ($340,000, 8-month project)
Implement a protocol translation gateway ($45,000, 6-week project)
Stop accepting credit cards (business death)
They chose option 2. It wasn't perfect, but it worked and was PCI compliant.
3. The Email Trap
The Mistake: Emailing reports, receipts, or reconciliation files containing cardholder data without encryption.
Frequency: I find this in approximately 60% of the organizations I assess.
Common Scenarios:
Daily transaction reports emailed to accounting
Exception reports sent to managers
Customer receipts with full card numbers
Reconciliation files to third parties
The Fix Matrix:
Content Type | Compliant Solution | Implementation Time | Cost |
|---|---|---|---|
Transaction reports | SFTP with encryption | 1-2 days | $500-$2,000 |
Exception reports | Secure portal access | 1 week | $5,000-$15,000 |
Customer receipts | Truncate PAN (show last 4 only) | 2-3 days | $1,000-$5,000 |
Reconciliation files | S/MIME or PGP encryption | 3-5 days | $2,000-$10,000 |
4. Certificate Management Chaos
The Mistake: No central inventory or monitoring of SSL/TLS certificates.
What Happens: Certificates expire unexpectedly, causing payment processing outages and potential security incidents.
Story: A payment processor I worked with had a certificate expire during peak shopping season (three days before Christmas). They were down for 7 hours while they scrambled to get a new certificate issued and installed.
Lost Revenue: Approximately $470,000 in that 7-hour window.
The Solution: Certificate lifecycle management system with:
Automated discovery and inventory
Expiration monitoring (60-day advance warning)
Automated renewal workflows
Alert escalation processes
Cost: $8,000-$25,000 annually depending on environment size.
ROI: One prevented outage pays for years of the service.
Advanced Topics: Beyond Basic Compliance
For organizations that want to excel, not just pass:
Implementing TLS 1.3
TLS 1.3 (released in 2018) offers significant security improvements:
Feature | TLS 1.2 | TLS 1.3 | Business Benefit |
|---|---|---|---|
Handshake Speed | 2 round trips | 1 round trip | 50% faster connection setup |
Encryption | Optional | Always enabled | Better security by default |
Forward Secrecy | Optional | Required | Past sessions protected if key compromised |
Cipher Suites | 37 suites | 5 suites | Simpler configuration, fewer mistakes |
I helped a large e-commerce site implement TLS 1.3 in 2022. Results:
Page load time decreased by 180ms average
SSL/TLS overhead reduced by 40%
Security posture improved significantly
Customer satisfaction scores increased
Quantum-Safe Cryptography
Here's something that keeps me up at night: quantum computers will eventually break current encryption algorithms.
Timeline Concern: Experts estimate 10-15 years until quantum computers can break RSA-2048.
The Problem: Attackers are collecting encrypted data now to decrypt later ("harvest now, decrypt later" attacks).
What I Tell Clients: If you're handling payment data that could be valuable for 10+ years, start planning your quantum-safe transition now.
Emerging Standards:
NIST Post-Quantum Cryptography Standards (finalized 2024)
Quantum Key Distribution (QKD) for high-value transactions
Hybrid classical-quantum cryptography approaches
Most organizations don't need this yet, but financial institutions and payment processors should be monitoring developments.
Cost-Benefit Analysis: The Real Numbers
Let me share actual costs from implementations I've led:
Small Business (Annual Revenue: $2M-$10M)
Component | Cost Range | Timeline |
|---|---|---|
Initial Assessment | $5,000-$15,000 | 1-2 weeks |
SSL/TLS Certificates | $200-$2,000/year | Ongoing |
VPN Setup | $1,000-$5,000 | 1 week |
Email Encryption | $2,000-$8,000 | 2 weeks |
Wireless Security | $1,500-$5,000 | 1 week |
Documentation | $3,000-$10,000 | 2-3 weeks |
Annual Maintenance | $5,000-$15,000/year | Ongoing |
Total First Year | $17,700-$60,000 | 2-3 months |
Mid-Size Business (Annual Revenue: $10M-$100M)
Component | Cost Range | Timeline |
|---|---|---|
Initial Assessment | $15,000-$40,000 | 2-4 weeks |
Certificate Management | $8,000-$25,000/year | Ongoing |
Encryption Infrastructure | $25,000-$100,000 | 4-8 weeks |
Secure File Transfer | $10,000-$35,000 | 2-4 weeks |
Network Encryption | $15,000-$60,000 | 3-6 weeks |
Consulting/Implementation | $40,000-$150,000 | 3-6 months |
Annual Maintenance | $25,000-$80,000/year | Ongoing |
Total First Year | $138,000-$490,000 | 4-9 months |
Enterprise (Annual Revenue: $100M+)
Costs scale significantly with complexity, but ROI improves with volume:
Component | Cost Range | Timeline |
|---|---|---|
Full Implementation | $250,000-$2M+ | 6-18 months |
Annual Maintenance | $80,000-$500,000/year | Ongoing |
But Consider This: A major enterprise breach costs $5-50 million on average. These numbers are insurance premiums.
Tools and Technologies I Recommend
Based on 15 years of implementations, here are my go-to tools:
Testing and Validation
Tool | Purpose | Cost | Difficulty |
|---|---|---|---|
SSL Labs | SSL/TLS configuration testing | Free | Easy |
testssl.sh | Comprehensive SSL/TLS testing | Free | Medium |
Wireshark | Network packet analysis | Free | Advanced |
Nmap | Network scanning, SSL enumeration | Free | Medium |
Burp Suite | Web application security testing | $449/year | Advanced |
Certificate Management
Solution | Best For | Approximate Cost |
|---|---|---|
Let's Encrypt | Small sites, automated renewal | Free |
DigiCert | Enterprise certificates | $300-$2,000/cert |
Sectigo | Mid-market balance | $100-$500/cert |
Venafi | Enterprise certificate lifecycle | $25,000+/year |
AWS Certificate Manager | AWS-hosted applications | Free |
Encryption Implementation
Technology | Use Case | Complexity |
|---|---|---|
OpenSSL | General-purpose encryption | High |
LibreSSL | OpenSSL alternative | High |
GnuPG | File and email encryption | Medium |
OpenVPN | Secure network connections | Medium |
StrongSwan | IPsec VPN implementation | High |
Your Action Plan: Starting Today
If you're responsible for PCI DSS Requirement 4 compliance, here's what to do:
This Week
Day 1-2: Quick Assessment
Run SSL Labs tests on all payment-processing URLs
Check TLS version on all systems handling cardholder data
Verify wireless network encryption settings
Review certificate expiration dates
Day 3-4: Documentation Review
Locate current network diagrams
Review data flow documentation
Check certificate inventory (if it exists)
Identify gaps in documentation
Day 5: Risk Assessment
List all systems transmitting cardholder data
Identify any unencrypted transmission paths
Prioritize risks by exposure and impact
This Month
Week 2: Immediate Fixes
Fix any critical findings (unencrypted transmissions, SSL/TLS 1.0/1.1)
Update expired certificates
Disable weak cipher suites
Week 3-4: Implementation Planning
Get quotes for certificate management solutions
Plan wireless network improvements
Budget for encryption infrastructure
This Quarter
Month 2: Implementation
Deploy encryption solutions
Implement certificate management
Upgrade wireless security
Configure network encryption
Month 3: Testing and Validation
Conduct penetration testing
Validate all encryption implementations
Update documentation
Train staff on new procedures
A Final Word from the Trenches
I started this article with a story about finding unencrypted card data on a network. Let me close with a different kind of story.
Last year, I assessed a mid-sized payment processor that had invested heavily in Requirement 4 compliance. They had:
TLS 1.3 across all systems
Automated certificate management
P2PE at all touchpoints
Perfect wireless segmentation
Comprehensive encryption policies
During the assessment, I ran every test I could think of. Packet captures, man-in-the-middle attempts, wireless attacks, certificate validation. Everything passed perfectly.
But the best part came during the interview with their CTO. "How did you get buy-in for this investment?" I asked.
He smiled. "I showed the board one thing: our cyber insurance premium. When we implemented proper encryption, it dropped 47%. The insurance savings alone paid for the entire program in 18 months."
"The best security investments aren't costs—they're insurance premiums that actually pay dividends."
Requirement 4 isn't just about compliance. It's about building a business that can thrive in an age where payment data is under constant attack.
The question isn't whether you can afford to implement proper encryption.
It's whether you can afford not to.