Plastic has earned its place among the gold, silver, and platinum as one of the world’s most precious metals. In the U.S., 80% of all purchases are made using credit or debit cards, and the total annual value of credit card purchases is nearly $4 trillion. That’s a lot of money! And every transaction made with a credit or debit card involves an exchange and processing of data that must be kept secure. To keep that data—and the associated consumer—safe, the Payment Card Industry Security Standards Council established and maintains the Payment Card Industry Data Security Standard, better known by its acronym, PCI DSS.
Enter PCI DSS
PCI DSS has been around since 2004 (v1.0). It is a tool used by those who handle payment card data to protect customer account information, and compliance with it is required by credit card companies, financial institutions, and their agents; organizations that handle card data must provide appropriate compliance validation documentation. The most recent update (v3.2.1) was adopted in 2018.
Compliance with PCI DSS involves adopting a number of security management policies and procedures, operating a secure network architecture and software design, and includes a requirement that any file transfer application that handles credit card data be secure. A secure, managed file transfer (MFT) platform like Diplomat MFT fits the bill, as it covers key aspects of PCI DSS compliance: data transfers are encrypted, all transactions are auditable, and the operator is alerted to any problem that occurs during any part of the process. And with built-in process automation, Diplomat MFT minimizes the chance of data compromise through operator error.
When using an MFT platform to securely handle the transfer of credit card and payment card data, we recommend the following ten steps to ensure your data transfer processes meet the requirements of PCI DSS.
Ten Steps to PCI DSS Compliance
STEP 1: CREATE A SECURE CONFIGURATION
Secure file transfer requires a solution that spans the corporate firewall. One part of the solution, such as an SFTP server, must be outside the firewall in the DMZ, and the secure managed file transfer solution must be inside the firewall.
STEP 2: CONTROL ACCESS
Both the SFTP server and the managed file transfer software must be designed and implemented to limit and monitor access, both when file transfers are set up and when file transfer jobs are run. Create unique user accounts with strong passwords and, where possible, multi-factor authentication, and follow best practices for security and administration management: apply strict limits on user privileges, restrict access to a limited set of IP addresses (if possible), and terminate inactive sessions.
STEP 3: AUTOMATE TRANSFERS
Automation reduces the risk of operator error. It also enhances security by limiting the number of people who need access to sensitive information, such as user names, passwords, and pass-phrases.
STEP 4: AUTHENTICATE USERS AND PROCESSES
User authentication ensures that only a limited number of known users with unique privileges can access your managed file transfer solution, and captures user activity data each time file transfer set-up data is changed. Knowing when file transfer set-up data was changed and who changed it provides an audit trail that simplifies the tracking and correction of problems.
STEP 5: ENCRYPT FILES
Data files should be encrypted using a solid encryption standard like PGP™ in a secure area before transfer to an FTP or web server in the DMZ. Using secure transmission protocols only protects data in transit. As soon as files are at rest on a server in the DMZ, they are vulnerable to attack. Some FTP servers offer data encryption, but these solutions can create a security loophole by waiting until files are in an internet-accessible location before encryption.
STEP 6: SIGN AND VERIFY FILES
Signing and verification are the best way to guarantee non-repudiation of origin and to ensure decrypted files are safe to process. Verifying signatures on every file ensures that the files you receive have not been altered during transit and confirms the identity of the sender.
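As an added illustration of Steps 5 and 6 (this is not code from Diplomat MFT or from the original post), here is the sign-then-encrypt workflow written against Go's standard library, with Ed25519 and AES-256-GCM standing in for PGP: Seal runs in the secure zone before the file is copied to the DMZ, so only ciphertext ever rests on the internet-facing server, and Open refuses to release a file whose decryption or signature check fails. It assumes the shared key and the sender's public key were exchanged out of band.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// NewAEAD wraps a 32-byte key as AES-256-GCM; both zones hold this key.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs in the secure zone before the file is copied to the DMZ: sign the
// plaintext, then encrypt plaintext||signature. Only nonce||ciphertext leaves.
func Seal(plain []byte, signer ed25519.PrivateKey, aead cipher.AEAD) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	msg := append(append([]byte(nil), plain...), ed25519.Sign(signer, plain)...)
	return aead.Seal(nonce, nonce, msg, nil), nil
}

// Open runs after the file is pulled back from the DMZ: decrypt, then refuse
// to release the data unless the signature verifies against the expected sender.
func Open(sealed []byte, sender ed25519.PublicKey, aead cipher.AEAD) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed file too short")
	}
	msg, err := aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return nil, errors.New("decryption failed: altered at rest in the DMZ or wrong key")
	}
	if len(msg) < ed25519.SignatureSize {
		return nil, errors.New("file carries no signature")
	}
	plain, sig := msg[:len(msg)-ed25519.SignatureSize], msg[len(msg)-ed25519.SignatureSize:]
	if !ed25519.Verify(sender, plain, sig) {
		return nil, errors.New("signature does not verify: not from the expected sender")
	}
	return plain, nil
}
```

A file that was modified while sitting in the DMZ fails at the decryption step, and a file encrypted with the right key but signed by someone else fails at the verification step; in both cases nothing reaches downstream processing.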
STEP 7: USE SECURE PROTOCOLS
Secure protocols protect logon data during each user access. File encryption protects your data, but does not protect the logon data used to access an FTP or web server. Secure protocols establish a secure connection with an FTP or web server before sending the logon data used to authenticate a user, such as usernames, passwords, and keys.
STEP 8: ARCHIVE ENCRYPTED FILES
Archived files are an essential component in providing the business a record of the information that has been transferred. These archived files need to be as secure as the files that were transferred. Archiving files in encrypted form provides protection in case of an internal security breach, but you must still be able to decrypt the archived files when they are needed.
STEP 9: CAPTURE AUDIT DATA
Audit data is required to demonstrate regulatory compliance, or confirm to a business partner the encryption key and destination location used by a specific file transfer job. Proving that you have a secure file transfer process can be an arduous task, and so audit data needs to be both comprehensive and easy to analyze, and capturing that data should be automated within the data transfer process.
STEP 10: MONITOR FILE TRANSFERS
Automating file transfer jobs does not guarantee that issues will not occur at run-time, so your file transfer solution needs to provide real-time information and automatically alert the user when a job does not run on schedule, is taking too long, or fails to complete. Alerts should include the information (e.g., log entries) needed to diagnose and correct the problem. If a security breach occurs that is unrelated to a file transfer (e.g., an FTP server or encryption key has been compromised), the specific file transfer jobs affected may need to be suspended until the security breach has been corrected.
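An added example of the run-time checks Step 10 describes (written for this page, not Diplomat MFT's own code), in Go: CheckJobs reads scheduler log lines in a constructed format and returns one alert, with the job's own log entries attached for diagnosis, for a job that failed, a job running past its allowed time, and a scheduled job that never started. The log format, job names and times are all assumed for the example.

```go
package main

import (
	"strings"
	"time"
)

// Alert names the problem and carries the log entries needed to diagnose it.
type Alert struct {
	Job, Problem string
	Entries      []string
}

// SampleLog is constructed for this example, in the form an MFT scheduler might write:
// "<RFC3339 time> <job> START" or "<RFC3339 time> <job> END <OK|FAIL> [reason]".
var SampleLog = []string{
	"2024-05-01T02:00:03Z card-batch START",
	"2024-05-01T02:41:09Z card-batch END OK",
	"2024-05-01T02:30:00Z chargeback-pull START",
	"2024-05-01T03:00:00Z settlement START",
	"2024-05-01T03:02:14Z settlement END FAIL sftp-auth",
}

// CheckJobs alerts on jobs that failed, never ran by their scheduled time in
// sched, or have been running longer than maxRun as of now.
func CheckJobs(lines []string, sched map[string]time.Time, maxRun time.Duration, now time.Time) []Alert {
	running, entries, alerts := map[string]time.Time{}, map[string][]string{}, []Alert{}
	for _, line := range lines {
		f := strings.Fields(line)
		ts, _ := time.Parse(time.RFC3339, f[0])
		job := f[1]
		entries[job] = append(entries[job], line)
		if f[2] == "START" {
			running[job] = ts
			continue
		}
		delete(running, job) // END: the job is no longer running
		if f[3] != "OK" {
			alerts = append(alerts, Alert{job, "failed: " + strings.Join(f[4:], " "), entries[job]})
		}
	}
	for job, due := range sched {
		if st, ok := running[job]; ok && now.Sub(st) > maxRun {
			alerts = append(alerts, Alert{job, "taking too long", entries[job]})
		} else if entries[job] == nil && now.After(due) {
			alerts = append(alerts, Alert{job, "did not run on schedule", nil})
		}
	}
	return alerts
}
```

Only jobs listed in sched are checked, and maxRun is a single allowance applied to all of them; a real deployment would carry a per-job limit and a grace period after the scheduled start.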
A Trusted Part of Many PCI DSS Compliance Programs
Coviant Software is trusted by many merchants, payment card organizations, and other organizations that handle highly sensitive information. Any process your organization establishes to comply with an industry standard or regulation, including PCI DSS, should be built with a trusted vendor and under the supervision of qualified legal counsel, and we have nearly two decades of experience helping establish secure and reliable managed file transfer processes. We can help you, too.