Protecting communicated cardholder data
If cardholder data must be communicated over an untrusted network, such as the Internet, use the FortiGate unit’s IPsec VPN capability to exchange the data securely. If you support online customer transactions, use HTTPS (SSL or TLS encryption) to secure them. The relevant PCI DSS requirement is:
Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. (4.1)
This does not prescribe particular cryptography, but it can be interpreted as a requirement to follow industry best practices.
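One way to check an IPsec VPN configuration against such a best-practice baseline is shown below as an added example; it is not Fortinet's code and not part of the original page. The weak-algorithm and Diffie-Hellman group lists are an assumed local policy, and the configuration excerpt is constructed sample input in FortiOS CLI syntax.

```python
# Assumed policy for this example only: PCI DSS 4.1 names no specific
# algorithms, so substitute your organization's own baseline.
WEAK_ALGS = {"null", "des", "3des", "md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}

# Constructed sample in FortiOS CLI syntax, not taken from a real device.
SAMPLE_CONFIG = '''
config vpn ipsec phase1-interface
    edit "to-processor"
        set interface "wan1"
        set proposal aes256-sha256 aes256-sha384
        set dhgrp 14 19
    next
    edit "legacy-branch"
        set interface "wan1"
        set proposal 3des-sha1 aes128-sha256
        set dhgrp 2 14
    next
end
'''


def audit_phase1(config_text):
    """Return sorted (tunnel, setting, value) findings for weak phase 1 settings."""
    findings = []
    in_section = False
    tunnel = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config vpn ipsec phase1"):
            in_section = True
        elif line == "end":
            in_section = False
        elif not in_section:
            continue  # ignore settings that belong to other config sections
        elif line.startswith("edit "):
            tunnel = line[5:].strip().strip('"')
        elif line.startswith("set proposal "):
            for prop in line.split()[2:]:
                # A proposal is "<encryption>-<digest>"; flag it if either half is weak.
                if WEAK_ALGS & set(prop.split("-")):
                    findings.append((tunnel, "proposal", prop))
        elif line.startswith("set dhgrp "):
            for grp in line.split()[2:]:
                if grp in WEAK_DH_GROUPS:
                    findings.append((tunnel, "dhgrp", grp))
    return sorted(findings)
```

Run `audit_phase1` over a saved configuration backup; an empty list means no phase 1 tunnel offers a proposal or DH group on the assumed weak lists.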