Customer data needs to be encrypted both in transit and at rest. Fortunately, many software applications have system settings that can be configured to accomplish this at no cost. A review of the systems inventory should shed some light on where the data resides the requires encryption.
314.4 (c) (3)
Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest. To the extent you determine that encryption of customer information, either in transit over external networks or at rest, is infeasible, you may instead secure such customer information using effective alternative compensating controls reviewed and approved by your Qualified Individual;
Mosaic has partnered with a The Isidore Group, a managed service provider, to help you implement all your encryption needs, in transit and at rest.