The PCI DSS (Payment Card Industry Data Security Standard) is a set of comprehensive requirements for enhancing payment account data security and is intended to help organizations proactively protect customer account data. It was developed and is maintained by the major credit card companies through the PCI Security Standards Council and helps facilitate the broad adoption of consistent data security for credit card data. Each entity that has a contractual relationship with credit card companies, financial institutions, or their agents must provide appropriate compliance validation documentation.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. These security requirements apply to all system components, including file transfer applications that handle credit card data.
The PCI DSS has 12 major requirements. Below are the specific implementation requirements that pertain to a secure file transfer implementation and the features to look for in a secure file transfer solution.
| PCI DSS requirement | Description | Secure file transfer solution feature |
|---|---|---|
| Requirement 1 | Install and maintain a firewall configuration to protect cardholder data. | |
| 1.1.3 | Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone. | Secure configuration |
| 1.2 | Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary. | Secure configuration |
| 1.3 | Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data. | Secure configuration |
| 1.3.4 | Placing the database in an internal network zone, segregated from the DMZ. | Secure configuration |
| Requirement 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. | |
| 2.2.3 | Configure system security parameters to prevent misuse. | Control access |
| 2.3 | Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS… | Control access |
| Requirement 3 | Protect stored cardholder data. | |
| 3.4 | Render PAN (Primary Account Number), at minimum, unreadable anywhere it is stored by using… | Archive encrypted files |
| 3.5 | Protect encryption keys used for encryption of cardholder data against both disclosure and misuse. | Encrypt files |
| 3.5.1 | Restrict access to keys to the fewest number of custodians necessary. | Encrypt files |
| 3.6 | Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data, including… generation of strong keys, secure key storage, and periodic changing of keys. | Encrypt files |
| Requirement 4 | Encrypt transmission of cardholder data across open, public networks. | |
| 4.1 | Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks. | Use secure protocols |
| Requirement 7 | Restrict access to cardholder data by business need-to-know. | |
| | | Automate transfers |
| Requirement 8 | Assign a unique ID to each person with computer access. | |
| 8.1 | Identify all users with a unique user name before allowing them to access system components or cardholder data. | Control access |
| 8.2 | In addition to assigning a unique ID, employ at least one additional method to authenticate all users… | Authenticate users/processes |
| 8.4 | Encrypt all passwords during transmission and storage on all system components. | Control access |
| 8.5 | Ensure proper user authentication and password management for non-consumer users and administrators on all system components… | Control access |
| Requirement 10 | Track and monitor all access to network resources and cardholder data. | |
| 10.1 | Establish a process for linking all access to system components to each individual user. | Capture audit data |
| 10.2 | Implement automated audit trails for all system components to reconstruct the following events… | Capture audit data |
| 10.3 | Record at least the following audit trail entries for all system components for each event… | Capture audit data |
| Requirement 12 | Maintain a policy that addresses information security for employees and contractors. | |
| 12.5.2 | Monitor and analyze security alerts and information, and distribute to appropriate personnel. | Monitor file transfers |
| 12.9 | Implement an incident response plan. Be prepared to respond immediately to a system breach. | Monitor file transfers |