Open, Public Networks are a Misnomer
So why do our standards continue to pretend they exist?
I recall reading version 1.0 of the PCI DSS back in the mid-2000s. One requirement read something along the lines of, “protect cardholder data with strong cryptography during transmission over open, public networks.” I remember reading this and thinking, “Wow, payment data really doesn’t have to be encrypted on internal networks?”
I figured the PCI Council was easing us into the new standards and its hundreds of highly prescriptive requirements. “Surely we’ll be required to encrypt internal traffic in the next version,” I thought. It didn’t come in version 1.1 or 2.0. It didn’t come in 3.0, and now that 4.0 is here, it’s still apparently okay to let payment data get transferred unprotected, as long as it is on a “private” network.
The thing is, there aren’t really any “public” networks. Frustratingly, we can’t really consider anything truly “private” either.
The original reason we created this public/private nomenclature was all about control. Private networks were ones that were entirely controlled by one organization. Public networks were those where multiple organizations handed off our network traffic for it to get from point A to point B. The Public Internet, in other words. In theory, since this traffic crosses the network of untrusted organizations (ISPs, telecoms, government-owned utilities in some cases), these untrusted parties could capture the traffic crossing their segment of the public Internet and abuse or misuse it.
In reality, it wasn’t practical for malicious parties to compromise these networks to access this juicy, unencrypted data. It was far easier to attack target organizations directly to get access to this data. When TJX’s internal networks were compromised, the PCI Council responded (4 years later) by treating wireless networks as “public” networks, rather than treating internal networks as untrusted.

Not long after that time, John Kindervag introduced the concept of Zero Trust - a philosophy that assumes networks and other resources should be inherently untrusted. In another five years, cybercriminals would shift to organization-wide extortion tactics using ransomware. Ransomware attacks require access to “private” networks and systems and are so common that most ransomware attacks don’t even appear in the news anymore.
It is long past time to stop pretending that any network can remain private. We can’t keep pretending that “internal” networks are safe enough to send sensitive data in the clear. Encrypting data in transit should be considered basic hygiene and ubiquitous.
The really painful bit is that encrypting data on the wire doesn’t really solve anything. Attackers aren’t breaking weak transport encryption or stealing data by capturing packets - they compromise hosts, log into databases, and grab data off file systems.
Sadly, it seems we’ve got significant catching up to do, and that will take a lot of effort. Even more SADLY, this effort likely won’t get us very far.
To continue the conversation, either comment here, or check out my LinkedIn post on this topic!
Good post. I had to help a restaurant chain with PCI compliance years ago when I was working in managed services. It feels crazy that PCI-DSS is this far behind in this area. Reminds me of how, years ago, cyber defenses were all about defending the perimeter. Now it's far easier, and much better ROI, for attackers to compromise a user through social engineering, and perimeter defenses are not even on the playing field.