How to Ensure Your SFTP Is PCI Compliant


If you are currently using FTP or even a legacy SFTP solution to transfer files and accept credit or debit card payments, you may want to consider a switch to avoid possible PCI compliance risks. An FTP solution is very unlikely to be PCI compliant, while an SFTP solution can meet PCI DSS requirements as long as the right controls are configured to protect credit card data in transit. In this blog post, we’ll explore PCI compliance, compliance requirements for SFTP solutions, and “must have” features that will enable organizations to stay on the right side of PCI compliance.

PCI Compliance Overview: Why It’s Important

PCI DSS is a compliance framework for processing payments and handling credit card and debit card information. Developed and maintained by the Payment Card Industry Security Standards Council, PCI outlines the physical, administrative and technical safeguards that retailers and merchants must abide by to process credit cards as forms of payment.

Some compliance regulations, like HIPAA and FedRAMP, are required by law for certain industries. PCI, however, doesn’t have the force of law behind it. Instead, it relies on the credit card networks to self-legislate disputes and compliance while also levying penalties like fines or revocation of payment processing capabilities.

The core focus of the framework is to ensure that customer data is protected from theft or disclosure during payment. Private customer data includes items like:

  • Customer names, phone numbers and addresses
  • Credit card numbers, expiration dates and CVC verification codes
  • PINs, authentication codes and any information contained on magnetic stripes or EMV chips

With that in mind, the framework defines 12 primary requirements that your organization must have in place to properly handle user data. While not all of these apply to all technologies, when it comes to file storage and transfers there are a few critical ones, including:

  • Protecting stored cardholder data
  • Encrypting data transmissions on public networks
  • Tracking and monitoring all access to network and data resources
  • Developing and maintaining secure applications

Within the last few decades, increasingly complex technologies and shopping storefronts have changed how people buy things. Where once this kind of technology could be focused on POS machines, card scanners and on-prem servers, now consumers are shopping online, buying subscription services and using mobile devices.

Because of that, card networks now define security controls that allow merchants to process payments through online portals and mobile devices (including multi-factor authentication that leverages built-in biometrics like fingerprint scans and facial recognition). This, in turn, means that customer data is stored, transmitted and utilized in a variety of ways, including for business purposes.

How PCI Compliant File Transfer Protects Cardholder Data

PCI DSS compliance helps protect your file transfers by requiring organizations to take specific security steps to protect cardholder data. These steps include encrypting transmissions of cardholder data across open, public networks; using firewalls to protect cardholder data; regularly monitoring and testing networks; implementing access controls to prevent unauthorized access to cardholder data; and regularly assessing networks to identify and address vulnerabilities. Organizations that comply with the standard also must ensure that all service providers, vendors, and third-party agents are compliant. By taking these steps, organizations can better protect their cardholder data and the data of their customers.

How Secure Should File Transfer Be for PCI DSS?

Secure file transfer should adhere to the PCI DSS requirements. Requirements include the use of PCI-compliant encryption, secure authentication methods, secure network connections, the ability to audit and track access, and the ability to restrict access to only those users who need to access the data. PCI DSS-compliant file transfer, like SFTP and managed file transfer (MFT), should also demonstrate that the data is stored securely and that data integrity is maintained. Lastly, the ability to delete the data when it is no longer needed should also be an integral part of the system.
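The “audit and track access” requirement above is only as good as the records you can actually reconstruct from the server. The following is an added example (not Kiteworks code): it parses the file-operation lines that OpenSSH’s internal-sftp writes when it is started with the `-l INFO` log level, ties each open/close pair back to the session that performed it, and then reports reads of a sensitive directory by users who are not on an approved list. The log lines, host name, paths and user names are constructed for the illustration; the message formats follow OpenSSH’s sftp-server logging as far as this example relies on it.

```python
"""Turn OpenSSH internal-sftp log lines (written with '-l INFO') into per-file
access records and flag reads of a sensitive path by unapproved users.
Added example, not Kiteworks code.  Sample log lines are constructed."""
import re
from collections import namedtuple

Access = namedtuple("Access", "user source path operation bytes_read bytes_written")

# Constructed sample: two sessions interleaved on one host (illustrative only).
SAMPLE_LOG = """\
Mar  3 10:15:02 sftp01 internal-sftp[2201]: session opened for local user alice from [10.0.0.5]
Mar  3 10:15:03 sftp01 internal-sftp[2210]: session opened for local user bob from [10.0.0.9]
Mar  3 10:15:04 sftp01 internal-sftp[2201]: open "/upload/settlement.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Mar  3 10:15:05 sftp01 internal-sftp[2210]: open "/cardholder/batch-0301.csv" flags READ mode 0666
Mar  3 10:15:05 sftp01 internal-sftp[2201]: close "/upload/settlement.csv" bytes read 0 written 48213
Mar  3 10:15:06 sftp01 internal-sftp[2210]: close "/cardholder/batch-0301.csv" bytes read 102400 written 0
Mar  3 10:15:09 sftp01 internal-sftp[2201]: session closed for local user alice from [10.0.0.5]
Mar  3 10:15:10 sftp01 internal-sftp[2210]: session closed for local user bob from [10.0.0.9]
"""

# syslog prefix: "Mon DD HH:MM:SS host internal-sftp[pid]: message"
LINE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+internal-sftp\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
SESSION = re.compile(r"^session (?P<state>opened|closed) for local user (?P<user>\S+) from \[(?P<src>[^\]]+)\]$")
OPEN = re.compile(r'^open "(?P<path>[^"]+)" flags (?P<flags>\S+) mode')
CLOSE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)$')


def parse_sftp_log(text):
    """Return one Access record per completed file operation.

    The PID is the only thing that links an open/close line to the session
    line naming the user, so sessions are tracked per PID until they close."""
    sessions = {}   # pid -> (user, source address)
    pending = {}    # (pid, path) -> open flags, until the matching close
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # not an internal-sftp line
        pid, msg = m.group("pid"), m.group("msg")
        s = SESSION.match(msg)
        if s:
            if s.group("state") == "opened":
                sessions[pid] = (s.group("user"), s.group("src"))
            else:
                sessions.pop(pid, None)
            continue
        o = OPEN.match(msg)
        if o:
            pending[(pid, o.group("path"))] = o.group("flags")
            continue
        c = CLOSE.match(msg)
        if c:
            flags = pending.pop((pid, c.group("path")), "")
            user, src = sessions.get(pid, ("<unknown>", "<unknown>"))
            operation = "write" if "WRITE" in flags else "read"
            records.append(Access(user, src, c.group("path"), operation,
                                  int(c.group("read")), int(c.group("written"))))
    return records


def unauthorized_reads(records, sensitive_prefix, allowed_users):
    """Reads under sensitive_prefix by any user not on the allow-list."""
    return [r for r in records
            if r.path.startswith(sensitive_prefix)
            and r.operation == "read"
            and r.user not in allowed_users]


if __name__ == "__main__":
    for rec in parse_sftp_log(SAMPLE_LOG):
        print(rec)
    for rec in unauthorized_reads(parse_sftp_log(SAMPLE_LOG), "/cardholder/", {"alice"}):
        print("FLAG: unapproved read", rec.user, rec.path, "from", rec.source)
```

Records like these are what an assessor will ask for when checking that access to cardholder data is tracked; note that a file opened but never closed in the log (a dropped session) produces no record, so a production version should also surface unmatched opens.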

The Difference Between SFTP and FTPS

You may see some solutions advertise both SFTP and FTPS as part of their encryption package. Both are described as secure FTP protocols, and while these technologies share some similarities, there are also some key differences between the two:

  • FTPS is FTP with Secure Sockets Layer (SSL, today TLS) technology added. This means that you’re essentially using FTP over an encrypted connection with everything that entails, including multiple separate socket connections (one for control and one per data transfer) and the required passwords and certificates. It also means that FTPS may not work well behind a tightly restricted firewall.
  • SFTP uses Secure Shell (SSH) technology for encryption. This means that SFTP isn’t just FTP with security added; it is an entirely separate method of secure file transfer from FTP. That includes the ability to transfer data over a single connection, which means simpler adoption and integration with complex security systems that include firewalls.

Both of these protocols can be used as part of a secure and compliant system. However, when working with multiple security needs and compliance requirements, SFTP can simplify how you secure your applications and integrate them into your system.

How to Incorporate PCI Compliant File Transfer into Your PCI Scope

PCI scope is the term used to describe the extent and areas of an organization where the Payment Card Industry Data Security Standard (PCI DSS) applies. PCI scope is determined by the number, type, and location of the system components that store, process, or transmit cardholder data. Examples of system components include servers, endpoints, firewalls, and databases. All system components that are within the scope of PCI DSS must follow the requirements of the standard in order to be compliant.

Once organizations have identified their PCI scope, they can plan how they’ll demonstrate compliance. Examples include implementing data security measures such as encryption and tokenization, conducting regular vulnerability scans, and establishing access control measures to restrict access to only authorized personnel. They should also audit system logs and maintain up-to-date network diagrams to provide visibility of all system components within the scope of PCI DSS. Additionally, organizations should provide staff training on security policies and procedures, and regularly test their incident response plan.

PCI Compliance and SFTP Security

When your business uses customer data internally for any reason, it still must abide by the payment processing rules and regulations. For this, businesses typically rely on PCI-compliant file sharing solutions such as SFTP.

Fortunately, SFTP can be a part of a PCI-compliant solution because it provides the necessary controls:

  • Encryption: Customer data must be encrypted on the server and during transmission. SFTP provides this encryption in transit (with the right configuration). With the use of SSH, a properly configured SFTP server can protect customer data as it moves.
  • Server Data Logging and Audits: Part of PCI compliance is having data and audit logging in place. According to PCI requirements, you must monitor data access. This includes having an audit policy and ways to trace audit logs in case of breaches.
  • Restricting Access to Data: Not everyone in your organization needs access to cardholder data. The standard requires that you have a way to restrict user accounts based on the data they need to access.
  • Standardize Connections Between Machines: Card networks expect you to have all of these safeguards (and more) present in any place where data is moving or stored. SFTP is an established, easy-to-use and easy-to-configure technology that can work between POS machines, card scanners, servers and workstations.
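“With the right configuration” does a lot of work in the list above. As an added example (not Kiteworks code), the script below reads an OpenSSH `sshd_config` and checks it against the four controls just listed: key-based rather than password authentication and a pinned cipher list for encryption, a `LogLevel` and an SFTP subsystem started with `-l` so that file operations are logged, an `AllowGroups` allow-list plus a chrooted, SFTP-only `Match Group` block for restricting access, and the same file usable on every host for standardization. The sample configuration, group name and chroot path are constructed for the illustration; the directive names are standard OpenSSH ones.

```python
"""Audit an OpenSSH sshd_config for the SFTP controls discussed in this post.
Added example, not Kiteworks code.  SAMPLE_CONFIG is constructed."""
import re

# Constructed sample sshd_config that passes every check below (illustrative).
SAMPLE_CONFIG = """
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
LogLevel VERBOSE
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com
# '-l INFO' makes internal-sftp log every open/close/rename/remove
Subsystem sftp internal-sftp -l INFO -f AUTH
AllowGroups sftponly ops

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -l INFO -f AUTH
    AllowTcpForwarding no
    X11Forwarding no
"""

# Ciphers an assessor would expect to see removed (constructed pattern, not exhaustive).
WEAK_CIPHER = re.compile(r"(3des|arcfour|blowfish|cast128|-cbc)", re.I)
VERBOSE_LEVELS = {"VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    Directive names are lower-cased; match_blocks is a list of
    (match criteria, settings dict), in file order.  Later duplicates of a
    directive are ignored here for simplicity (sshd keeps the first one)."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        target = current if current is not None else global_settings
        target.setdefault(key, value)
    return global_settings, blocks


def audit_sftp_config(text):
    """Return a list of findings; an empty list means every control is satisfied."""
    g, blocks = parse_sshd_config(text)
    findings = []

    # Encryption: no password logins, key auth on, no weak or CBC-mode ciphers.
    if g.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication should be 'no' (use key-based auth)")
    if g.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication should be 'yes'")
    ciphers = g.get("ciphers", "")
    if not ciphers:
        findings.append("Ciphers not pinned; the server accepts its build defaults")
    elif WEAK_CIPHER.search(ciphers):
        findings.append("Ciphers list contains a weak or CBC-mode cipher")

    # Logging: verbose sshd logging plus per-operation SFTP logging.
    if g.get("loglevel", "INFO").upper() not in VERBOSE_LEVELS:
        findings.append("LogLevel should be VERBOSE so key fingerprints are logged")
    subsystem = g.get("subsystem", "")
    if not subsystem.lower().startswith("sftp"):
        findings.append("No sftp Subsystem configured")
    elif "-l" not in subsystem:
        findings.append("SFTP subsystem has no '-l' log level; file operations are not logged")

    # Restricting access: an allow-list and a chrooted, SFTP-only Match block.
    if "allowgroups" not in g and "allowusers" not in g:
        findings.append("No AllowGroups/AllowUsers allow-list; every account can log in")
    chrooted = [s for _, s in blocks
                if "chrootdirectory" in s and "internal-sftp" in s.get("forcecommand", "")]
    if not chrooted:
        findings.append("No Match block with ChrootDirectory and ForceCommand internal-sftp")
    for s in chrooted:
        if s.get("allowtcpforwarding", "yes").lower() != "no":
            findings.append("SFTP-only users can still open TCP forwards through the server")
    return findings


if __name__ == "__main__":
    print(audit_sftp_config(SAMPLE_CONFIG) or "all SFTP controls satisfied")
```

Run against a real file with `audit_sftp_config(open("/etc/ssh/sshd_config").read())`; because the same file can be shipped to every SFTP host, the check doubles as the “standardize connections between machines” control.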

What Are the Penalties for PCI Non-compliance?

Since PCI DSS isn’t a federally mandated framework, you’re not going to face the extreme penalties of other compliance regulations. However, noncompliance can cost you dearly and damage your reputation with customers and credit card companies. Some of the penalties are:

  1. An Unsecured System: PCI is meant to promote system security. If you aren’t meeting the bare minimum of the compliance requirements, you could be exposing your customers’ data to theft.
  2. Monthly Fines: If you want to process credit cards, you need the support of credit card processors like Visa, Mastercard and American Express. If you aren’t compliant, they will take a few steps before outright banning you from processing payments. This includes the levy of monthly fees so long as noncompliance lasts, up to $5,000-$100,000 per month.
  3. Damaged Merchant Account and Customer Reputation: If you aren’t compliant, you could be facing many breaches. As we all know from examples like Target or Sony, a major breach can become a huge hit to your brand’s image. Likewise, regular noncompliance can impact your merchant account with credit card processors due to a high rate of fraud and chargebacks.

The bottom line is that you don’t want to damage your reputation or pay monthly fines just to process card data without compliant systems.

Kiteworks Helps Organizations Achieve PCI Compliance With Secure File Transfer

Kiteworks’ SFTP server allows organizations to protect credit card numbers and other customer account information when they share it with trusted third parties, in compliance with PCI DSS 4.0.

Unlike other SFTP solutions, Kiteworks SFTP is fully integrated with the Kiteworks platform. This means it benefits from the platform’s built-in security, compliance, and visibility features. It also offers deployment options both on-premises and in the cloud, and supports scale-out and high availability configurations. Kiteworks’ unified infrastructure, administration, policy controls, logging, and audit features simplify compliance and lower costs. This is a key differentiator, as not all SFTP solutions provide such comprehensive compliance and audit capabilities.

Kiteworks’ SFTP includes:

  • Security and Compliance: Kiteworks supports all 12 PCI requirements, meaning that you can use our MFT and SFTP technologies (including encrypted file transfers and secure servers) for PCI-compliant file sharing and storage. The Kiteworks hardened virtual appliance saves you the time and effort of hardening and testing the system yourself.
  • Data Visibility and Management: The Kiteworks CISO Dashboard gives you an overview of your data: where it is, who is accessing it, how it is being used and if it complies. Help your business leaders make informed decisions and your compliance leadership maintain regulatory requirements.
  • Audit Logging: PCI DSS 4.0 requires logging events in your system. With Kiteworks’ immutable audit logs, you can detect attacks sooner and ensure that you’re maintaining the right chain of evidence to perform forensics. Since the system merges and standardizes entries from all the components, its unified syslog and alerts save your SOC team crucial time while helping you maintain critical compliance requirements for reporting.

To learn more about Kiteworks SFTP and how it can help your organization demonstrate PCI DSS 4.0 compliance, schedule a custom demo of Kiteworks today.
