Home » Security Bloggers Network » How to Ensure Your SFTP Is PCI Compliant

How to Ensure Your SFTP Is PCI Compliant

by Vince Lau on July 29, 2021

PCI compliance with SFTP is a great start towards becoming compliant. If you are currently using FTP, you may want to consider a switch to avoid possible risks.

Is SFTP PCI compliant? Yes, SFTP can be PCI compliant. SFTP can meet PCI DSS requirements as long as certain protocols are implemented to protect credit card data being transferred.

What is PCI Compliance and Why is it Important?

PCI DSS is a compliance framework for processing payments and handling credit card and debit card information. Developed and maintained by the Payment Card Industry Security Standards Council, PCI outlines the physical, administrative and technical safeguards that retailers and merchants must abide by to process credit cards as forms of payment.

Some compliance regulations, like HIPAA and FedRAMP, are required by law for certain industries. PCI, however, doesn’t have the force of law behind it. Instead, it relies on the credit card networks to self-legislate disputes and compliance while also levying penalties like fines or revocation of payment processing capabilities.

The core focus of the framework is to ensure that customer data is protected from theft or disclosure during payment. Private customer data includes items like:

Customer names, phone numbers and addresses
Credit card numbers, expiration dates and CVC verification codes
PINs, authentication codes and any information contained on magnetic stripes or EMV chips

With that in mind, the framework defines 12 primary requirements that your organization must have in place to properly handle user data. While not all of these apply to all technologies, when it comes to filing storage and transfers there are a few critical ones, including:

Protecting stored cardholder data
Encrypting data transmissions on public networks
Tracking and monitoring all access to network and data resources
Developing and maintaining secure applications

Within the last few decades, increasingly complex technologies and shopping storefronts have changed how people buy things. Where once this kind of technology could be focused on POS machines, card scanners and on-prem servers, now consumers are shopping online, buying subscription services and using mobile devices.

Because of that, card networks now define security controls that allow merchants to process payments through online portals and mobile devices (including multi-factor authentication that leverages built-in biometrics like fingerprint scans and facial recognition). This, in turn, means that customer data is stored, transmitted and utilized in a variety of ways, including for business purposes.

PCI Compliance and SFTP security

When your business uses customer data internally for any reason, they still must abide by the payment processing rules and regulations. And, typically, businesses use PCI compliant file sharing solutions like SFTP.

Fortunately, SFTP can be a part of a PCI-compliant solution because it provides the necessary controls:

Encryption: Customer data must be encrypted in the server and during transmission. SFT provides this level of encryption (with the right configuration). With the use of SSH, a properly configured SFTP server can protect customer data.
Server Data Logging and Audits: Part of PCI compliance is having data and audit logging in place. According to PCI requirements, you must monitor data access. This includes having an audit policy and ways to trace audit logs in case of breaches.
Restricting Access to Data: Not everyone in your organization needs access to cardholder data. Regulations state that you have a way to restrict user accounts based on the data they need to access.
Standardize Connections Between Machines: Card networks expect you to have all of these safeguards (and more) present in any place where data is moving or stored. SFTP is an established, easy to use and easy to configure technology that can work between POS machines, card scanners, servers and workstations.

What’s the Difference Between SFTP and FTPS?

You may see some solutions advertise both SFTP and FTPS as part of their encryption package. Both are described as secure FTP protocols, and while these technologies share some similarities, there are also some key differences between the two:

FTPS is FTP with Secure Socket Layers (SSL) technology added. This means that you’re essentially using FTP over a secure connection (SSL) with everything that entails, including multiple separate socket connections and required passwords and certificates. It also means that FTPS may not play well with a uniquely customized firewall.
SFTP uses Secure Shell (SSH) technology for encryption. This means that SFTP isn’t just FTP with security added–it is an entirely separate method of secure file transfer than FTP. That includes the ability to transfer data over a single connection–and that means simpler adoption and integration with complex security systems that include firewalls.

Both of these protocols can be used as part of a secure and compliant system. However, when working with multiple security needs and compliance requirements, SFTP can simplify how you secure your applications and integrate them into your system.

What are the Penalties for PCI Non-Compliance?

Since PCI DSS isn’t a federally mandated framework, you’re not going to face the extreme penalties of other compliance regulations. However, non-compliance can cost you dearly and damage your reputation with customers and credit card companies. Some of the penalties are:

An Unsecured System: PCI is meant to promote system security. If you aren’t meeting the bare minimum of the compliance requirements, you could be exposing your customers’ data to theft.
Monthly Fines: If you want to process credit cards, you need the support of credit card processors like Visa, Mastercard and American Express. If you aren’t compliant, they will take a few steps before outright banning you from processing payments. This includes the levy of monthly fees so long as non-compliance lasts, up to $5,000-$100,000 per month.
Damaged Merchant Account and Customer Reputation: If you aren’t compliant, you could be facing many breaches. As we all know from examples like Target or Sony, a major breach can become a huge hit to your brand’s image. Likewise, regular non-compliance can impact your merchant account with credit card processors due to a high rate of fraud and chargebacks.

The bottom line is that you don’t want to damage your reputation or pay monthly fines just to process card data without compliant systems.

The Accellion Kiteworks Difference

The Accellion Kiteworks platform and PCI-compliant SFTP servers help you stay compliant by providing everything we just talked about security, compliance, and intelligence for business goals. Packaged into a managed file transfer solution, including content firewall, secure email and compliant technology, you can rely on our systems to support data handling and sharing across your organization. Our support features include:

Security and Compliance: Our systems enable all 12 PCI requirements, meaning that you can use our MFT and SFTP technologies (including encrypted file transfers and secure servers) for PCI-compliant file sharing and storage. Its hardened virtual appliances save you the time and effort of hardening and testing the system yourself.
Data Visibility and Management: Our CISO Dashboard gives you an overview of your data: where it is, who is accessing it, how it is being used and if it complies. Help your business leaders make informed decisions and your compliance leadership maintain regulatory requirements.
Audit Logging: PCI DSS requires logging events in your system. With the Kiteworks platform’s immutable audit logs, trust that you can detect attacks sooner and that you’re maintaining the right chain of evidence to perform forensics. Since the system merges and standardizes entries from all the components, its unified syslog and alerts save your SOC team crucial time while helping you maintain critical compliance requirements for reporting.

Discover more about Accellion SFTP and compliance features by learning about how the Kiteworks® Content Firewall is modernizing enterprise SFTP.