PCI-DSS (Payment Card Industry Data Security Standard) contains a couple of requirements that practically discourage organizations who handle credit card data from using FTP for their file transfers. In this post, we'll examine those requirements more closely to see what the options are for those who still find it difficult to ditch this antiquated technology.
If you really believe you can't do without FTP, this post is for you.
PCI-DSS requirements dealing with FTP
In PCI-DSS v 2.0, FTP is mentioned in two requirements: 1.1.5 and 2.2.2.
PCI-DSS requirement 1.1.5
1.1.5 requires you to document and provide business justification for the use of services, protocols, and ports allowed. It also requires you to document the security features you've implemented for those protocols considered to be insecure, FTP being one of them.
In other words, if you really have to use FTP, you need to come up with a written document (the business justification) detailing why it is absolutely necessary for your business. Before you come up with the business justification, your organization should be made aware of the vulnerabilities of FTP (e.g. usernames, passwords, and data are transmitted in plaintext) and the risks involved (e.g. credit card information may be intercepted).
If, after taking into consideration all the risks and benefits, you realise that the stakes are just too high and the possible damage far outweighs the benefits, then you should cease using it.
On the other hand, if you do find the use of FTP absolutely necessary, you should document the ports and firewall settings associated with it. This is in addition to the business justification and would serve as something to refer to during cases like audits, a change of network admins/engineers/technicians, or any other change in your organization.
But 1.1.5 doesn't end there. It further requires you to document the security features implemented to mitigate the risks on FTP file transfers, thus implying that those security features should really be in place. Actually, the implementation of those security features is explicitly stipulated in 2.2.2.
PCI-DSS requirement 2.2.2
As mentioned above, 2.2.2 is closely related to 1.1.5. It is here where you'll see PCI-DSS requiring you to implement security features on insecure services like FTP. It even mentions some of the possible secure technologies you can turn to, such as SSH and SSL.
The complete text goes like this:
"Implement security features for any required services, protocols or daemons that are considered to be insecure. For example, use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc."
Options for compliance
So apparently, what PCI-DSS is trying to say is that, you are not prohibited from using FTP. What is prohibited is plain FTP. If you enhance the security of your FTP file transfer system using secure technologies like SSL or SSH, then you may still achieve PCI-DSS compliance.
There are already widely accepted implementations of FTP that rely on SSL and SSH for security. For SSL, there's FTPS. While for SSH, there's SFTP (though technically this is a completely different protocol than FTP). Both of these services support data encryption and server/client authentication, among other security features.
Nearly all FTP clients already support SFTP and FTPS. So all you really need is to replace your FTP server. Your best choice would be a managed file transfer server like JSCAPE MFT Server because, aside from SFTP and FTPS, it also supports other secure file transfer protocols. Not only that, it also comes with a wide range of security features that meet all the other PCI-DSS requirements that impact file transfers in general.
For a comprehensive discussion on those requirements, you might want to read:
Because it's so easy to use, file transfers via FTP remains one of the most widely used methods for sharing large files. However, PCI-DSS compliance may force you to abandon regular FTP. This post offered guidance as to what choices you had available in that regard.
We invite you to try the free fully-functional evaluation edition of JSCAPE MFT Server.