[PA-DSS] 12.1 If the payment application sends, or facilitates sending, cardholder data over public

12.1 If the payment application sends, or facilitates sending, cardholder data over public networks, the payment application must support use of strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks.

Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM), and general packet radio service (GPRS).

PCI Data Security Standard Requirement 4.1

Testing Procedures:

12.1.a If the payment application sends, or facilitates sending, cardholder data over public networks, verify that secure encryption transmission technology (for example, IPSEC, VPN or SSL/TLS) is provided, or that use thereof is specified.

12.1.b If the payment application allows data transmission over public networks, examine the PA-DSS Implementation Guide prepared by the vendor, and verify the vendor includes directions for customers and resellers/integrators to use secure encryption transmission technology (for example, IPSEC, VPN or SSL/TLS).

Thanks for the detailed info. Could you explain 12.a for how to verify the secure encryption transmission technology?