PCI DSS (Payment Card Industry Data Security Standard) contains requirements that effectively steer organizations handling payment card data away from plain FTP. Because it is so easy to use, FTP remains one of the most widely used ways to move large files. PCI DSS compliance, however, can force you to abandon standard, unencrypted FTP.
What information does PCI DSS protect?
PCI DSS protects the payment card industry's account data. Account data covers the primary account number (PAN), the cardholder name, the expiration date and the service code, together with the sensitive authentication data used to authorize a transaction: the full magnetic stripe data (or its equivalent on a chip), the card verification code printed on the card (called CVV2, CVC2, CID or CAV2 depending on the brand) and the PIN or PIN block.
Account data therefore falls into two groups: cardholder data (PAN, cardholder name, expiration date, service code) and sensitive authentication data (full track data, card verification code, PIN/PIN block). The second group may never be stored after authorization, even in encrypted form.
The PAN is the defining factor for cardholder data. The PCI DSS requirements apply wherever you store, process, or transmit the PAN, and the cardholder name, expiration date and service code must be protected whenever they are present together with the PAN or anywhere else in the cardholder data environment.
Assessing your file transfer system means identifying the weaknesses through which cardholder data could be exposed. Remediation is the risk-mitigation work that reduces or eliminates those weaknesses. Reporting means compiling the evidence PCI DSS requires and submitting it, as a self-assessment questionnaire or a Report on Compliance, to your acquiring bank and to the payment brands that require it.
PCI DSS Compliance for File Transfers
In this article, we take a closer look at these requirements and at the options for organizations that are still struggling to get rid of plain FTP.
FTP is addressed by two requirements in PCI DSS v3.2.1: 1.1.6 and 2.2.3. (PCI DSS v4.0 keeps the same controls under different requirement numbers; the substance discussed below is unchanged.)
PCI DSS requirement 1.1.6 requires you to document, and provide a business rationale for, every service, protocol and port you allow. It also requires you to document the security features you have implemented for protocols that are considered insecure, such as FTP.
In other words, if you need FTP, you must state the business rationale in a written document explaining why it is necessary for your operations. Before you can write that rationale, your organization must understand FTP's weaknesses and the risks that come with them.
FTP's well-known weakness is that it transmits usernames, passwords and file contents in cleartext: the login goes over the control connection (TCP port 21) and the file itself over a separate data connection, and neither is encrypted. Anyone able to capture traffic on the path, whether on the client's network, at a hop in between or on the server's network, can read both the credentials and any cardholder data inside the files.
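The exposure described above, shown as detection logic run over constructed samples. This is an added example, not code from the original article; the input format (one line per message, prefixed "C: " or "S: ") is an assumption modelled on how a stream-reassembly tool prints an FTP control channel, and the three sessions are constructed, not real captures. The script records that a password crossed the wire, never the password itself.

```python
"""Spot cleartext FTP logins and transfers in a captured control-channel stream.

Added example; not part of the original article. Input format is an
assumption: one line per message, "C: " for client commands, "S: " for
server replies. Adapt the two regexes for a different capture tool.
"""
import re
from dataclasses import dataclass, field

CMD = re.compile(r"^C: (\S+)(?: (.*))?$")
RSP = re.compile(r"^S: (\d{3})(?:[ -](.*))?$")


@dataclass
class Finding:
    kind: str    # plaintext_login | plaintext_transfer | tls_fallback
    detail: str


@dataclass
class Report:
    tls_negotiated: bool = False
    findings: list = field(default_factory=list)

    def kinds(self):
        return [f.kind for f in self.findings]


def analyze(stream: str) -> Report:
    """Walk the exchange and record what an on-path attacker could have read."""
    report = Report()
    awaiting_auth = False   # client sent AUTH TLS, waiting for the server's verdict
    tls_refused = False     # server answered AUTH TLS with an error code
    user = None
    for line in stream.splitlines():
        m = CMD.match(line)
        if m:
            cmd, arg = m.group(1).upper(), m.group(2) or ""
            if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
                awaiting_auth = True
            elif cmd == "USER":
                user = arg
            elif cmd == "PASS":
                # The password crossed the wire in clear; log only its length.
                report.findings.append(
                    Finding("plaintext_login", f"user={user} password_len={len(arg)}"))
                if tls_refused:
                    report.findings.append(Finding(
                        "tls_fallback",
                        f"client continued in cleartext after AUTH TLS was refused (user={user})"))
            elif cmd in ("RETR", "STOR", "APPE"):
                report.findings.append(Finding("plaintext_transfer", f"{cmd} {arg}"))
            continue
        m = RSP.match(line)
        if m and awaiting_auth:
            awaiting_auth = False
            if m.group(1) == "234":
                # From here on the control channel is inside TLS; a capture shows nothing more.
                report.tls_negotiated = True
                break
            tls_refused = True
    return report


# Constructed samples (not real captures).
PLAIN_SESSION = """\
S: 220 FTP server ready.
C: USER batch-export
S: 331 Please specify the password.
C: PASS Summer2021!
S: 230 Login successful.
C: PASV
S: 227 Entering Passive Mode (10,0,0,5,195,80).
C: RETR settlements.csv
S: 150 Opening BINARY mode data connection for settlements.csv (2048 bytes).
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""

TLS_SESSION = """\
S: 220 FTP server ready.
C: AUTH TLS
S: 234 Proceed with negotiation.
"""

FALLBACK_SESSION = """\
S: 220 FTP server ready.
C: AUTH TLS
S: 502 Command not implemented.
C: USER batch-export
S: 331 Password required.
C: PASS Summer2021!
S: 230 User logged in.
C: STOR chargebacks.csv
S: 125 Data connection already open; transfer starting.
S: 226 Transfer complete.
"""

if __name__ == "__main__":
    for name, session in [("plain", PLAIN_SESSION), ("tls", TLS_SESSION), ("fallback", FALLBACK_SESSION)]:
        r = analyze(session)
        print(f"{name}: tls_negotiated={r.tls_negotiated}")
        for f in r.findings:
            print(f"  {f.kind}: {f.detail}")
```

The third sample is the case worth watching for: a client that offers AUTH TLS, is refused, and silently carries on in cleartext. A client policy of "TLS if available" gives no protection against a server (or an on-path attacker) that answers AUTH TLS with an error.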
After considering all the risks and benefits, if you find that the risks are too high and the potential damage far outweighs the benefits, you should stop using FTP.
On the other hand, if you conclude that FTP is necessary, document the ports it uses (the control connection on TCP 21 and the port range used for passive-mode data connections) and the firewall rules that permit them. This port and firewall documentation complements the business rationale and serves as a reference during audits, when network administrators change, or after any other change in your organization.
Requirement 1.1.6 also requires you to document the security features you implement to mitigate the risks of FTP transfers, and those features must actually be in place, not merely written down. Implementing them is what requirement 2.2.3 demands explicitly.
Requirement 2.2.3 is therefore closely tied to 1.1.6: it is the requirement that makes you implement security features for insecure services such as FTP, and it names some of the secure technologies you can apply, such as SSH and TLS.
Under requirement 2.2.3 you must implement additional security features for any required service, protocol or daemon that is considered insecure. For example, to protect insecure services such as file sharing, Telnet or FTP, the standard points to secured technologies such as SSH, S-FTP (that is, SFTP), TLS or an IPsec VPN.
What is PCI DSS Compliant File Transfer?
What PCI DSS is saying is that FTP itself is not forbidden; what is ruled out is plain, unencrypted FTP carrying cardholder data. If you wrap the FTP session in TLS or move to SSH, you can still achieve PCI DSS compliance. Note that SSL proper (any version) and TLS 1.0 no longer qualify: PCI DSS required migration away from SSL and early TLS by 30 June 2018, so the transport should be TLS 1.2 or later.
Two widely accepted secure alternatives exist. FTPS is FTP run over TLS, with the control connection and the data connection each wrapped in TLS. SFTP is the SSH File Transfer Protocol, which runs inside an SSH session and is technically a completely different protocol from FTP despite the name. Both encrypt credentials and data in transit and authenticate the server (and optionally the client) by certificate or key.
Almost all current FTP clients support SFTP and FTPS, so the first step towards compliance is to replace the FTP server (or reconfigure it to require TLS) and to stop accepting plaintext logins. That does not make you compliant on its own: key and certificate management, access control, logging and the many other requirements that touch file transfers still apply.
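An FTPS client that will not fall back to cleartext, as an added example (not code from the original article). It uses only the Python standard library; the host, credentials and CA file are assumptions supplied by the caller. Two details matter for PCI DSS: AUTH TLS must succeed before USER/PASS is sent, and PROT P must be sent before any transfer, because an FTPS session that negotiates TLS on the control channel alone still moves the file contents over an unencrypted data connection.

```python
"""FTPS (explicit FTP over TLS) client that refuses to fall back to cleartext.

Added example, not code from the original article. Standard library only.
Host, user, password and the optional CA file are caller-supplied assumptions.
"""
import getpass
import ssl
import sys
from ftplib import FTP_TLS, error_perm


def hardened_context(cafile=None) -> ssl.SSLContext:
    """TLS 1.2 or later, server certificate required and hostname checked."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_context() -> ssl.SSLContext:
    """The weak configuration found in many scripts: encrypt, but trust any certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_problems(ctx: ssl.SSLContext):
    """Audit a context before use; an empty list means it meets the bar above."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS below 1.2 allowed")
    return problems


def open_ftps(host, user, password, port=21, ctx=None, timeout=30) -> FTP_TLS:
    """Connect, negotiate TLS, log in, and protect the data channel; raise otherwise."""
    ctx = ctx or hardened_context()
    problems = context_problems(ctx)
    if problems:
        raise ValueError("refusing weak TLS context: " + ", ".join(problems))
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    ftps.connect(host, port)
    try:
        ftps.auth()                # AUTH TLS on the control channel
    except error_perm as exc:
        ftps.close()
        raise RuntimeError(
            f"{host} refused AUTH TLS ({exc}); not sending credentials in cleartext") from exc
    ftps.login(user, password)     # USER/PASS now travel inside TLS
    ftps.prot_p()                  # PROT P: encrypt the data channel too
    return ftps


if __name__ == "__main__":
    host, user = sys.argv[1], sys.argv[2]
    ftps = open_ftps(host, user, getpass.getpass(f"Password for {user}@{host}: "))
    print("\n".join(ftps.nlst()))
    ftps.quit()
```

On the server side the equivalent for vsftpd is to set force_local_logins_ssl and force_local_data_ssl, so that plaintext logins and transfers are rejected rather than merely discouraged. SFTP needs an SSH library (for example paramiko) rather than ftplib and is not shown here.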
How does PCI DSS Compliance Protect Your File Transfers?
File transfers are common among organizations that process card payments. Many retailers that accept cards do not only store and process cardholder data; they also have to move it internally between departments and externally to merchant facilities, financial agencies and payment processors, all of whom exchange similar data.
Unfortunately, these transfers are often carried out over cleartext protocols such as FTP, Telnet, POP3, IMAP or SNMP, or by methods that lack basic controls such as encryption, strong passwords, authentication and anti-malware.
This is where PCI DSS can help. Using the PCI DSS requirements as a guide, you can identify your vulnerabilities and learn about precautions. Of course, the entire PCI DSS standard is designed for a comprehensive compliance activity covering all system components in your organization.
When should you include your file transfer system in your PCI Scope?
Before you can assess compliance with the PCI DSS requirements, you must determine the assessment's scope. Once the scope is defined, you know where the requirements apply. Narrowing the scope of your compliance effort saves time, money and staff not only during the audit but also during remediation and reporting.
To begin with, all system components that belong to or depend on your cardholder data environment (CDE) are covered by the PCI DSS requirements and should therefore be part of your assessment. All of the individuals, processes, and technology in your organization that store, process, or transmit cardholder data or sensitive authentication data make up your cardholder data environment.
For PCI DSS purposes, system components include:
- Network components (firewalls, switches, routers, etc.)
- Servers (web servers, database servers, proxy servers, file transfer servers, etc.)
- Apps (all purchased and custom apps)
Therefore, if you discover that your file transfer system belongs to the CDE or is connected to the CDE, your file transfer system will also be covered by the PCI DSS assessment.
The fact that your file transfer system is not normally used to carry cardholder data does not, by itself, take it out of scope. Unless the service is isolated from the CDE on a separate network segment by firewalls, routers and strict access control lists, cardholder data may well be passing through it anyway, and it must be included in the assessment scope. Even a segmented system stays in scope if it is connected to, or could affect the security of, the CDE.
Note that virtualization components are also considered system components. Therefore, if the file transfer system in question runs on a virtual server rather than a tangible server, the PCI DSS requirements will still apply.
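The scoping question raised above, and the earlier point that the PAN is what makes data cardholder data, come down to one practical check: do PANs actually pass through the transfer system? The following scanner is an added example (not code from the original article) that looks for PANs in a file the way a scoping exercise would run it over a transfer server's spool. Candidates are 13 to 19 digit runs with optional spaces or dashes, filtered by issuer prefix and length and by the Luhn check digit, and reported masked (first six, last four) so the scanner's output does not itself become a store of cardholder data. The prefix table and the sample export are assumptions made for the example; the card numbers in it are industry test numbers, not real cards.

```python
"""Find primary account numbers (PANs) in files passing through a transfer system.

Added example, not part of the original article. Prefix table and the sample
export are assumptions for the example; the numbers are industry test numbers.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}?\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10: double every second digit from the right, sum, result must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Issuer prefix and length rules for the major brands; None if no brand fits."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "Mastercard"
    if two in (34, 37) and n == 15:
        return "American Express"
    if (four == 6011 or two == 65) and n == 16:
        return "Discover"
    if 3528 <= four <= 3589 and n == 16:
        return "JCB"
    return None


def mask(digits: str) -> str:
    """PCI DSS allows at most the first six and last four digits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text: str):
    """Return (line_number, brand, masked_pan) for every value that looks like a PAN."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            brand = brand_of(digits)
            if brand and luhn_ok(digits):
                hits.append((lineno, brand, mask(digits)))
    return hits


# Constructed sample export: order ids and phone numbers must not be reported,
# the third card fails Luhn (a typo, not a PAN), the others are test numbers.
SAMPLE_EXPORT = """\
order_id,customer,card,phone,amount
20210615000123,Jane Roe,4111111111111111,+1 555 123 4567,19.99
20210615000124,John Doe,5555 5555 5555 4444,+1 555 987 6543,42.00
20210615000125,Test User,4111111111111112,+1 555 000 0000,1.00
20210615000126,Amex Test,3782-822463-10005,+1 555 111 2222,7.50
"""

if __name__ == "__main__":
    for lineno, brand, masked in scan(SAMPLE_EXPORT):
        print(f"line {lineno}: {brand} {masked}")
```

Run it against a transfer server's spool or a sample of recent transfers; any hit puts the system in scope. The brand table keeps false positives down on timestamps and order numbers, but a 16-digit identifier that happens to start with 4 and pass Luhn will still be reported, so treat hits as leads to confirm rather than verdicts.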
If the file transfer system you use does not offer the features needed to meet the requirements above, you may have to add other technologies or applications. Each additional product makes the job harder, because every one of them must be configured individually to meet the PCI DSS requirements.
You may also need integration work to make these applications cooperate. It is therefore best to choose a file transfer system that already meets most, if not all, of the requirements; minimizing or eliminating integration tasks simplifies management.
How Should Secure File Sharing be for PCI DSS?
Whether you send large files to a colleague across the room or a customer worldwide, every business needs secure and efficient file sharing.
However, how can you make the file transfer process PCI DSS compliant with the developing technologies and increasing business needs? Let’s take a look at the most crucial factors to consider when transferring files:
Encryption is an essential aspect of secure file sharing. Simply put, encryption means that if an attacker intercepts your data, whether in transit or stored on the server, they cannot read it. All they see is ciphertext.
Only holders of the decryption keys can recover the plaintext, which makes key management (who holds the keys, where they are stored, how they are rotated) as important as the cipher itself.
Most file-sharing providers offer some form of encryption, but be aware that there are different kinds and that they protect against different things. Transport encryption (TLS in FTPS, SSH in SFTP) protects data only on the wire between two endpoints. For end-to-end protection you can additionally encrypt the file itself with OpenPGP before sending it, so that it stays protected on every intermediate system, and encrypt data at rest on the server with a strong cipher such as AES-256.
Strong passwords are a foundation of security, yet many businesses neglect them. Attackers who guess or brute-force a weak password get access to your network and potentially to your files.
To keep user accounts as secure as possible, the file-sharing system and its processes should enforce a password policy. PCI DSS v3.2.1 requirement 8.2.3 sets the floor: at least seven characters containing both letters and digits; requirements 8.1.6 and 8.1.7 add account lockout after at most six failed attempts for at least 30 minutes. Where the system supports it, prefer key-based authentication (SSH keys for SFTP, client certificates for FTPS) over passwords.
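The policy above, enforced in code, as an added example (not code from the original article). The thresholds are the minimums PCI DSS v3.2.1 sets for user accounts: at least seven characters with both letters and digits (8.2.3), no reuse of the last four passwords (8.2.5), and lockout after at most six failed attempts (8.1.6) for at least 30 minutes (8.1.7). The injectable clock, the PBKDF2 parameters and the sample password history are choices made for this example.

```python
"""Password policy and lockout rules for a file transfer service.

Added example, not part of the original article. Thresholds follow PCI DSS
v3.2.1 requirements 8.2.3, 8.2.5, 8.1.6 and 8.1.7; the hashing parameters and
the injectable clock are choices made for this example.
"""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 7            # 8.2.3: at least seven characters
HISTORY_DEPTH = 4         # 8.2.5: not the same as any of the last four
MAX_FAILURES = 6          # 8.1.6: lock out after not more than six attempts
LOCKOUT_SECONDS = 30 * 60 # 8.1.7: locked for at least 30 minutes
PBKDF2_ROUNDS = 100_000   # kept low for the example; raise it in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def password_problems(candidate: str, history=()):
    """history: (salt, digest) pairs of the user's previous passwords, newest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate) or not any(c.isdigit() for c in candidate):
        problems.append("must contain both letters and digits")
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


class LoginGuard:
    """Counts failed logins per user and locks the account when the limit is hit."""

    def __init__(self, now=time.time):
        self._now = now               # injectable clock so lockout expiry can be tested
        self._failures = {}
        self._locked_until = {}

    def is_locked(self, user: str) -> bool:
        return self._locked_until.get(user, 0.0) > self._now()

    def record_failure(self, user: str) -> bool:
        """Return True if the account is (now) locked."""
        if self.is_locked(user):
            return True
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= MAX_FAILURES:
            self._locked_until[user] = self._now() + LOCKOUT_SECONDS
            self._failures[user] = 0
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


if __name__ == "__main__":
    # Constructed history: the user's previous password was "Summer2021".
    salt = os.urandom(16)
    history = [(salt, hash_password("Summer2021", salt))]
    for pw in ("Ab1", "OnlyLetters", "Summer2021", "Autumn2021x"):
        print(pw, "->", password_problems(pw, history) or "accepted")
    guard = LoginGuard()
    for attempt in range(1, MAX_FAILURES + 1):
        print(f"failure {attempt}: locked={guard.record_failure('batch-export')}")
```

These are floors, not targets: PCI DSS v4.0 raises the minimum length to 12 characters (eight where the system cannot support 12), and a lockout that persists until an administrator resets the account is also acceptable under 8.1.7.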
To ensure that only the right people see the right files and that sensitive data does not leak, your transfer software should keep an audit trail of every transfer: who sent what, to whom, when, and from where. PCI DSS requirement 10 requires exactly this kind of logging of access to cardholder data.
A system that lets you trace where files went and restrict who can view them is an effective way to keep security tight; treat the audit log itself as sensitive, and make sure it records PANs only in masked form.