
7 Ways to Supercharge Your PCI DSS Compliance Strategy with Managed File Transfer Software

“The average cost of an enterprise data breach comes to more than $3.6 million […]”

Ponemon Institute, 2017 Cost of Data Breach Study

Companies face a constant battle in their quest to mitigate expensive data breaches. Companies that store, process, or transmit credit card data, also referred to as Primary Account Number (PAN) data, must comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS).

Compliance violations can cost a company fines ranging from $5,000 to $100,000 USD per month, depending on the company’s transaction volume and number of compliance violations. (Lexology, PCI DSS and Cyber Risk – Beware What Lurks Below the Surface) On top of non-compliance fines, there are also investigative costs, PCI assessments, merchant obligations, and security demonstration costs.

Failure to comply with the standard can result in the organization losing its credit card privileges, being fined, or taking major hits to its reputation. Being in compliance with the PCI DSS places your company in a position to better protect your customers’ highly sensitive credit card data and prevent expensive noncompliance fines.

The PCI DSS requirements that organizations must meet include:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data and sensitive information across open public networks
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need to know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel

If you’re currently not compliant with PCI DSS or if you are (or will soon be) required to comply, consider the power of a managed file transfer (MFT) platform to simplify the process.

Keep Transfers Secure and PCI Compliant with MFT

When integrated with its High Security module, Auditing and Reporting module, and DMZ Gateway®, Globalscape’s MFT platform, Enhanced File Transfer™ (EFT™) facilitates compliance with applicable PCI DSS requirements. The PCI DSS requirements related to physical security and cardholder database security are not applicable to EFT; however, you should place the server computer in a secured area, such as a locked server room or network operations center.

The PCI DSS prohibits direct public access between the Internet and any system component in the cardholder data environment, and does not allow inbound connections to originate from untrusted zones into trusted zones. DMZ Gateway addresses both of these requirements. Using a two-way connection originating inside EFT, the DMZ Gateway acts as a communication proxy that replaces inherently insecure inbound connections from the Demilitarized Zone (DMZ) to your network.

With a secure file transfer platform in place, an organization can avoid a great deal of expensive and time-consuming problems, from lawsuits and data breaches to noncompliance fines. By using an MFT solution you can keep your customers’ valued payment data secure while still meeting and maintaining the necessary regulations, like PCI DSS. Listed below is a look at how Globalscape’s MFT software can help facilitate PCI compliance:

1. Protection of Data at Rest and in Transit

Unlike store-and-forward technologies, our DMZ Gateway does not store or process data. It acts as a liaison between external connections and your internal network, ensuring that your data remains safe behind the firewall for EFT to store and process. Your data remains secure because it’s never stored in the DMZ.

2. Strong Encryption Ciphers and Keys

Encrypting remote administrative access using strong cryptography is also a requirement for PCI DSS compliance. EFT will warn if SSL is not enabled and give you the opportunity to either disable remote access or enable SSL. SSL is restricted to versions v3 or higher, and ciphers to a minimum of 128 bits. Secure data transmission is enforced by automatically redirecting incoming HTTP traffic to HTTPS.

3. Data is Stored and Disposed of Securely

Cardholder data must be disposed of when no longer required, and EFT provides a "cleanup" action to automatically purge files and overwrite data using encrypted and/or pseudorandom data. Additionally, user disk quotas can be configured to limit data storage.

Of course, one of the best ways to protect data is to limit who has access to it.

4. Controlled Access to Data

EFT provides complete control over administrator and user access to resources, with administrator accounts completely segregated from user accounts. The standard requires that you establish an access control system for system components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.

  • Segregation and control of user access is achieved in EFT using unique accounts, permission groups, virtual folders, and settings templates.
  • Segregation and control of administrator access is accomplished via delegated, role-based administrator accounts.

5. Granular Administrative Control

EFT enforces unique usernames for both users and administrators and provides granular administrative controls over user provisioning and authorization, including:

  • revocation of user and admin accounts
  • automatic removal of inactive users after 90 days
  • controls for temporarily enabling or disabling users
  • automatic lockout after six failed login attempts, either for a period of time or permanently until the admin unbans the IP address
  • automatic session expiry after 15 minutes of inactivity

6. Continued Compliance Accountability

EFT checks every PCI DSS requirement that it addresses and reports the compliance status of each one (Pass, Fail, or Warning). With the Auditing and Reporting module, EFT can automatically generate a daily or weekly PCI DSS Compliance report and email it to the appropriate recipient(s). The report is organized by PCI DSS requirement, making it easy for auditors to follow.

7. Don't Use Vendor-Supplied Defaults

The PCI DSS requires that no vendor-supplied defaults be used for things like ports and banner messages. With the strict security settings enabled, EFT detects whether any default values are specified and prompts you to change them. If you choose to keep the default settings (not recommended), you can note which "compensating controls" are used instead, and that information is included in the PCI DSS report that you can share with auditors.
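As an added illustration of the per-requirement Pass/Fail/Warning check described in items 5 through 7 (example code written for this page, not Globalscape's or EFT's own), the audit below evaluates an assumed server configuration against the thresholds the post cites and records a Warning where a vendor default is kept with a documented compensating control. The configuration key names and the default port and banner values are assumptions.

```python
"""Configuration audit that reports Pass/Fail/Warning per PCI DSS control."""
from dataclasses import dataclass

# Vendor-default values below are constructed placeholders, not EFT's real defaults.
DEFAULT_PORTS = {21, 22, 990}
DEFAULT_BANNER = "File Transfer Server ready"


@dataclass
class ServerConfig:
    """Assumed settings; key names are hypothetical, thresholds come from the post."""
    ssl_enabled: bool
    min_cipher_bits: int
    lockout_threshold: int        # failed logins before the account is locked
    session_timeout_min: int      # idle minutes before the session expires
    inactive_purge_days: int      # days before an inactive user is removed
    default_policy_deny: bool     # "deny all" unless access is explicitly allowed
    listen_port: int
    banner: str
    compensating_controls: str = ""  # recorded when a default is knowingly kept


def audit(cfg: ServerConfig) -> dict:
    """Return {control: status}; numbering follows PCI DSS v3.2 requirements."""
    results = {}
    # Req 2: a kept default with a documented compensating control is a Warning,
    # an undocumented one is a Fail.
    uses_defaults = cfg.listen_port in DEFAULT_PORTS or cfg.banner == DEFAULT_BANNER
    if not uses_defaults:
        results["2 vendor defaults"] = "Pass"
    else:
        results["2 vendor defaults"] = "Warning" if cfg.compensating_controls else "Fail"
    # Req 4: encrypted transmission with at least 128-bit ciphers.
    strong = cfg.ssl_enabled and cfg.min_cipher_bits >= 128
    results["4 strong encryption"] = "Pass" if strong else "Fail"
    # Req 7: deny-all access control by default.
    results["7 deny-all default"] = "Pass" if cfg.default_policy_deny else "Fail"
    # Req 8: lockout, idle timeout and inactive-account removal thresholds.
    results["8 lockout threshold"] = "Pass" if cfg.lockout_threshold <= 6 else "Fail"
    results["8 idle timeout"] = "Pass" if cfg.session_timeout_min <= 15 else "Fail"
    results["8 inactive removal"] = "Pass" if cfg.inactive_purge_days <= 90 else "Fail"
    return results


def overall(results: dict) -> str:
    """Worst status wins: any Fail -> Fail, else any Warning -> Warning, else Pass."""
    statuses = set(results.values())
    if "Fail" in statuses:
        return "Fail"
    return "Warning" if "Warning" in statuses else "Pass"
```

The same shape extends to the remaining requirements by adding one rule per control and keeping the report keyed by requirement number, as the post says EFT's report is.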

Take the Next Step

Facilitating PCI DSS compliance is a challenge for most organizations. Through Globalscape’s EFT platform and the High Security module, meeting PCI DSS compliance is achievable.

Contact a Globalscape solution specialist today to learn how you can facilitate PCI DSS compliance with EFT.
