Managed File Transfer & PCI DSS Compliance

June 15, 2021 Security and Compliance, MOVEit

Sometimes we do things not because we want to but because we must. While there's often a temptation to violate regulations and "test the waters," deep down, we feel relieved because we know we're on the good side of the law, and that's what matters. One word for that: compliance.

That is often the case in the financial industry.

In an environment where highly delicate cardholder data (think: cardholder name, service name, primary account number, and more) changes hands often, there need to be some rules defining how companies are supposed to handle such data while ensuring compliance.

One such "rule" is the Payment Card Industry's Data Security Standard (PCI DSS).

PCI DSS Compliance: Stripping It Down to Its Bare Essentials

Just like its name suggests, PCI DSS refers to a set of internationally recognized requirements intended to ensure all enterprises that handle, transmit, or store credit card information do so in a secure, trusted environment.

PCI DSS was created for organizations in the financial sector, key among them being acquirers, service providers, banks, merchants, issuers, and processors.

The gist here is simple—cardholder data remains one of the most targeted, vulnerable, and sensitive types of information on the planet. Hackers and bad actors are always lurking, trying to see who has left their cardholder data door unlocked.

That's precisely why PCI DSS was developed. Quoting the words of the PCI Security Standards Council, PCI DSS was created to "encourage and enhance data security and facilitate the broad adoption of consistent data security measures globally."

As you might have already guessed, this regulatory standard seeks to protect consumers and finance sector businesses against credit and debit card fraudsters.

Despite the apparent benefits that PCI DSS compliance brings forth (think: reduction in card theft accidents, increased trust with partners, and more), some companies still choose to look the other way. The repercussions of such a move can be devastating, especially if your non-compliant firm suffers a data breach. That is a path you don't want to follow.

Managed File Transfer & PCI Compliance: What It Takes

PCI DSS is currently comprised of twelve key requirements. Key concerns of the standard concerning managed file transfers include:

  • Developing and maintaining secure applications and systems
  • Protecting cardholder data at rest
  • Controlling access to cardholder data
  • Encrypting cardholder data in transit

Let's take an incisive look at each one of these regulatory requirements.

1. Protecting Data at Rest

That almost sounds like a no-brainer.

The first thing you can do to protect restful cardholder data is to cut down its storage in your on-premises networks and systems. A lot can go wrong in such a fast-paced, multi-faceted, dynamic environment.

Instead, create protocols limiting the amount of cardholder data stored in-house and the time it's kept. Only remain with the data you and your team need to fulfill core operational requirements.

When it comes to outdated data, you need to lay down strategies, protocols, and guidelines to ensure its secure deletion.

For any cardholder information that needs to be kept in-house, you should protect it with appropriate cryptographic key management, end-to-end database encryption, and proper documentation of all your security protocols. Easy-peasy!

2. Encrypting Cardholder Data in Transit

Ever watched Money Heist? Of course, you have! We can learn from the 3-season blockbuster series that anything in transit is always harder to protect compared to that which is on-premises. If anything, the Professor and his team almost always found it easier to steal money than they did ferrying it. Anything could have happened to their "hard-earned" money out there.

That's precisely why PCI DSS Section 3 is so strict about encrypting data in transit.

The first thing to do is to encrypt all of your cardholder data so that when it's traversing poorly-secured open public networks, bad actors won't pounce on it. Any reluctance here, and you'll be on the wrong side of PCI DSS compliance.

That said, secure transmission of traveling cardholder data doesn't happen in a vacuum; it requires reliable keys and certificates, reinforced encryption, and secure file transfer using HTTPS and the AS1, AS2, and AS3 protocols.

FTP alone won't do the trick here. To move your files securely and effectively, opt for secure FTP over SSH2 (SFTP and SCP2) or FTP over SSL (FTPS). The choice is yours.

As for the requisite certificate and keys, you'll need to verify that they're trusted, kept, and managed appropriately.

3. Controlling Access to Cardholder Data

"Controlled access" Hmm. Have many times have you heard this term? In as much as it sounds cliché, PCI DSS Requirement 7 takes no chance regarding adherence to access control protocols.

For utmost compliance, start from the ground up—ensure that verified persons can only access cardholder data. Also, ensure that you have the appropriate processes and protocols to regulate access based on job duties and business requirements.

PCI DSS also advocates for a managed access policy. Do this from a granular level, comprehensively defining the different user access roles in your enterprise (CTO, employee, and more) and defining which part of your application (in our case, the managed file transfer solution) they can access.

Depending on your ecosystem, you might also need to allocate "least" access rights to all user accounts. The gist here is that you give every party only enough access to the particular system or module they need to meet their core job functions.

Documentation should be a standard feature throughout. Whenever a user changes their internal role, don't forget to document the change and adjust its access rights as needed.

4. Developing and Maintaining Secure Systems and Applications

We couldn't leave out this aspect of PCI, could we?

Bad actors will never stop looking for security loopholes to exploit, so security should be an ongoing initiative in all of your virtual or managed file transfer environments.

PCI DSS acknowledges this, too. That's why it emphasizes the need to have appropriate security patches deployed within a specified period to protect the overly-sensitive cardholder environment.

Bear in mind that this regulation applies to all applications/modules in your environment, not just the ones you've developed in-house or the ones you've outsourced.

Ensure Holistic, Edge-To-Edge Compliance with MOVEit File Transfer

PCI DSS compliance can feel like a significant amount of work when you're in an extremely sensitive industry like healthcare or finance. You have too many access privileges to juggle with, seams of cardholder data to secure (both at rest and in transit), and 12 high-level requirements to track.

Luckily, you don't have to look over your shoulder anymore, thanks to the all-powerful, highly scalable MOVEit Managed File Transfer tool. Protect stored cardholder data? Check. Build and maintain a secure network? Check. Ensure PCI compliance? Check-check. MOVEit removes the fuss, snag, and hassle out of PCI DSS compliance, making the entire process a total breeze.

MOVEit leverages secure FTP, SSL/TLS, and HTTPS to secure in-transit cardholder data at its core. When at rest, MOVEit uses the all-action MOVEit Crypto cryptographic software to store data securely. Our software also allows for the specific assignment of protocol access permissions, assignment of folder permissions, IP address restrictions, and other limited privileges. You don't have to wonder who accesses what cardholder data and when. It's all accessible at the click of a button.

And if you need to establish a secure connection through which sensitive data can move from your internal system to the outside world, MOVEit Automation has got you covered.

Think we're the right fit for you? Get started with a free trial today and let your business data change hands in the most secure, most seamless way possible!

 
 

David Perez

David Perez was the marketing manager for Progress's Managed File Transfer product, MOVEit.

Read next Managed File Transfer - What is it?