
PCI Compliant File Sharing: Essential Requirements & Effective Compliance Strategies


Looking for a PCI compliant file sharing solution? The risks of non-compliance are substantial, including losing the ability to accept credit card payments.

Is SFTP PCI compliant? SFTP can be PCI compliant if the security and encryption of SFTP are set at the appropriate levels. Otherwise, if the encryption standards aren’t met, your SFTP will not be PCI compliant.


PCI Compliant File Sharing Overview

PCI DSS is a framework meant to support anyone accepting payments via credit or debit cards. Enforced by a consortium of credit card processors such as Visa, Mastercard and American Express, PCI DSS isn’t mandated by national law; instead it is an integral part of processing any card payment.

PCI DSS includes 12 security requirements:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder information by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder information
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

Merchants, retailers and sales outfits are often the most concerned about PCI, and other companies that accept payments but who aren’t merchants often will employ third-party payment processors who are themselves PCI compliant. Banks that issue credit cards often outsource the processing of the transactions, and require the highest levels of PCI compliance from the outsourcer.

How does this affect sharing data? Because PCI DSS protects customer data through security and risk management controls, it applies to any system that stores or handles that data for payment processing. This includes sharing data as part of a financial transaction and retaining payment data to process recurring subscription services.

How to Become PCI Compliant

PCI DSS stands for Payment Card Industry Data Security Standard, and it is a set of standards created by the major credit card companies to protect their customers’ sensitive data. Becoming PCI compliant is a multistep process that requires a comprehensive review of your existing systems and processes.

The first step is to identify which payment card types you accept and how the transactions are processed. This requires an assessment of all the different parts of your system, including software, hardware, and networks. Once you know where the sensitive data is stored and how it flows through your system, you can then start to investigate which PCI DSS requirements apply.

The next step is to assess how compliant your existing systems are with the PCI DSS. This usually requires a review of all the hardware, software, and processes that are part of your system. It is important to look for any weaknesses in your system and areas where the system does not meet the requirements of the PCI DSS.

Once the review is completed, you can then start to implement any required changes to ensure that your system meets the requirements of the PCI DSS. This can range from upgrading hardware and software to implementing additional security measures, such as firewalls or encryption. You will also need to ensure that you have a data security policy in place, which outlines how you will protect customer data and how to respond to a data breach.

Once all the changes have been implemented, you will need to test and monitor them to ensure that they meet the requirements of the PCI DSS and remain as secure as possible. This is also the time to develop a regular compliance audit schedule to ensure that your system remains compliant in the future.

After you have completed all the steps you need to take to become PCI compliant, you should apply to one of the Payment Card Industry Security Standards Council’s (PCI SSC) accredited organizations. They will assess your system and issue you a Certificate of Compliance if they determine that you are compliant.

PCI Compliance and File Sharing

PCI compliance plays a noteworthy role in bolstering the integrity and security of file sharing systems. File sharing often risks exposing sensitive data to unauthorized users, whether through accident (user error) or malfeasance (cyberattack), so it needs safeguards that go beyond standard firewall protections. PCI compliance ensures that shared data is protected from unwarranted access, thereby reducing the risk of data breaches. From transmission to storage, secure file sharing provides organizations with a more robust security framework, a necessity for demonstrating compliance.

The Role of PCI Compliance in File Sharing

Regulatory compliance, PCI compliance included, has forced file sharing software providers to fundamentally rethink file sharing protocols that now prioritize security over functionality and ease of use. Compliance introduces comprehensive controls covering encryption and key management, access control, and regular vulnerability assessments. A PCI compliant file sharing system ensures that cardholder data is stored, processed, and transmitted within a secure network. This offers reassurances to businesses, employees, and customers alike, establishing a secure communication channel for sensitive data. Structured protocols and enforced measures by PCI compliance help mitigate risks associated with digital data exchange, bolstering the integrity of file sharing systems.

PCI Compliant File Sharing Requirements

The requirements for PCI compliant file sharing systems focus on stringent security protocols. First, encryption of data at rest and in transit is mandatory, and it should meet the AES-256 standard for encryption of data at rest. Second, the PCI DSS necessitates strong user authentication and strict role-based access. Third, tracking and monitoring mechanisms must be in place to promptly detect and respond to any potential security breach. Regular network testing should be conducted to identify any vulnerabilities within the system. These measures collectively ensure that sensitive cardholder data remains secure throughout its life cycle wherever it’s stored and whenever it’s shared, particularly externally.

PCI Compliant File Sharing Challenges

PCI compliance, however, comes with its own set of unique challenges. The complexity and cost associated with building a PCI compliant infrastructure serve as a significant obstacle for many organizations, especially smaller businesses. Also, ensuring regular updates and performing systematic audits as per PCI standards can be labor-intensive and time-consuming. In addition, businesses can fall into a trap of complacency or a false sense of security after achieving PCI compliance. It’s essential therefore to understand that PCI compliance is not a one-time endeavor but an ongoing process that demands constant upkeep and periodic enhancements.

How to Achieve PCI Compliance in File Sharing

Achieving PCI compliance in file sharing is not only a requirement but a necessity for businesses, as it secures cardholder data, mitigates risk, and builds customer trust. Instituting strong security measures and practices is central to achieving this compliance. Other practical steps and strategies include:

  1. Build and Maintain a Secure Network: Create and uphold a secure network. Install robust firewalls that regulate traffic between the public network and the internal network where sensitive data is stored. Require data encryption during transmission to protect cardholder data. Conduct regular software updates and comprehensive scanning for vulnerabilities. Segregate networks and harden systems to fortify your network. Invest in intrusion prevention systems (IPS) that further help in detecting and blocking potential threats.
  2. Protect Cardholder Data: Cardholder data stored in files should be securely encrypted using strong cryptographic measures, ensuring it remains unreadable even if breached. Tokenization can also be utilized to replace sensitive card information with unique identification symbols, while maintaining the essential information without compromising security.
  3. Maintain a Vulnerability Management Program: Conduct regular risk assessments to identify and rectify potential security gaps. Implement effective anti-malware and antivirus solutions to protect against malicious programs that can compromise cardholder data.
  4. Implement Strong Access Control Measures: Restrict access to cardholder data to only authorized personnel. Create intricate password policies, implement multi-factor authentication, and establish a rigorous process for granting and revoking access rights. Adopt a principle of least privilege to minimize the number of individuals who have access to sensitive cardholder data.
  5. Regularly Monitor and Test Networks: Regularly monitor and test networks to identify and close any security loopholes promptly. This should include regular audits of all system components, monitoring and analyzing network traffic, and conducting regular penetration testing and vulnerability assessments to identify weaknesses.
  6. Maintain an Information Security Policy: Define roles and responsibilities, procedures for identifying and responding to potential breaches, and standards for maintaining and disposing of cardholder data. Hold regular training and awareness programs to ensure that all staff understand and adhere to these policies.

Encryption, Access Controls, and Other Requirements for PCI Compliant File Sharing Solutions

PCI DSS Encryption requirements are industry-leading safeguards that companies must implement to protect customer data and ensure safe transactions, such as credit card information.

The PCI DSS requirements for encryption are not only complex but also quite nuanced. First, encryption must be used to protect any data classified as “sensitive authentication data”, which includes any primary account numbers (PANs) or the full magnetic stripe data of the credit or debit card. Additionally, the encryption must meet an approved industry standard, such as AES (Advanced Encryption Standard) or Triple-DES (Triple Data Encryption Standard), which are among the most commonly used algorithms.

Encryption is also required for any data that is sent over public networks. This applies to any data that is sent from one machine to another, and to any merchant that wants to accept payments online. All data must be encrypted when it leaves the point of origin, as well as when it reaches its destination. This includes any data that is stored in any kind of database where customers’ personal information is kept.

One of the main requirements of the PCI DSS is the use of strong access control measures. This means that a secure authentication system must be used to verify the identity of the user. It is also highly recommended that all employees that have access to the database be provided with unique tokens or passwords that must be used to access the database.

Organizations must meet several additional PCI DSS requirements beyond encryption and access controls. These include an incident response plan, bolstering network security, regular audits and security checks, and a detailed information security policy. In addition, physical security measures should be adopted to safeguard systems containing cardholder data, employee awareness training should be mandatory, and all security procedures must be properly documented.

Organizations that fail to meet these requirements could face significant fines, as well as a potential loss of customers if the data is stolen or compromised. Companies that are in the process of implementing encryption should be sure to meet all of the PCI DSS requirements to avoid any potential issues.

PCI Compliant File Sharing and Vendor Risk Management

PCI DSS is a requirement for working with major credit card companies when handling sensitive credit card data. In this case, sensitive data means credit card numbers, CVV numbers, expiration dates, information from an EMV chip or magnetic stripe, and any personal data about the cardholder. While this isn’t enforced by national, state or provincial governments, credit card providers are adamant about compliance. Without compliance, you and any company handling the data are subject to penalties levied by those providers. These penalties can include:

  1. Financial penalties up to and including $100,000 per month until compliance is achieved.
  2. Damage to your merchant account due to non-compliance, which can make it costly, if not impossible to process card payments.
  3. The negative impact to your merchant account due to fraud or chargeback activity that isn’t caught through compliant technology standards.

These risks and penalties are outside of any legal obligations you might have to customers or the government in the event of a data breach.

These problems are still present if you are using a third-party payment processor, as they must also maintain compliance. That means any technology they use must be compliant, and any sharing of data between you and them (file transfers, file storage or file sharing) must also adhere to PCI regulations.

Can a Third-party Vendor Help With Compliance?

The short answer is yes. If you use a payment processing vendor, it can minimize your compliance load. If they are PCI DSS compliant and handle all data storage, it makes your business easier to run. Additionally, these vendors can also provide compliant services to expand your own, including secure storage for repeat payment processing or subscriptions.

However, if you are also handling customer data in conjunction with a third-party payment vendor, then you must also have compliant technology on your end. When you exchange sensitive information with them in any way, for example through file transfers, both parties often use Secure FTP (SFTP) to do so.

SFTP isn’t enough, however. First, any SFTP server must be hardened to deter breaches, provide rigorous data access controls, and be configured to handle encrypted data per PCI requirements. Second, SFTP doesn’t include any support for the business and auditing requirements included in the PCI DSS framework. That’s why a managed file transfer (MFT) solution can help.
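The point above that SFTP is only PCI compliant when its encryption is set at the appropriate level can be turned into a check. The following is an added example (not Kiteworks code or the page’s own) that audits the Ciphers directive of an OpenSSH sshd_config against the AES-128-or-stronger floor the article cites; it assumes plain sshd_config syntax with no Match blocks, and the sample configurations are constructed.

```python
"""Audit the Ciphers directive of an OpenSSH sshd_config against the
AES-128-or-stronger floor discussed above. Added example, not Kiteworks code.
Assumes plain sshd_config syntax with no Match blocks."""
import re

MIN_AES_BITS = 128  # floor from the text: AES-128 or AES-256

# OpenSSH cipher names look like aes256-gcm@openssh.com, aes128-ctr, 3des-cbc
_AES_RE = re.compile(r"^aes(\d{3})-")


def parse_sshd_config(text: str) -> dict:
    """Map each directive (lower-cased) to its value, ignoring comments.
    sshd uses the first occurrence of a directive, so later ones are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_ciphers(text: str) -> list:
    """Return findings for the Ciphers directive; an empty list means every
    enabled cipher is AES with a key of at least MIN_AES_BITS."""
    settings = parse_sshd_config(text)
    ciphers = settings.get("ciphers")
    if ciphers is None:
        return ["Ciphers not set: the server default list applies, review it"]
    if ciphers[0] in "+-^":
        # OpenSSH syntax: +/-/^ appends to, removes from or prepends to the default list
        return [f"Ciphers modifies the default list ({ciphers}); review the effective set"]
    findings = []
    for name in ciphers.split(","):
        name = name.strip()
        match = _AES_RE.match(name)
        if match is None:
            findings.append(f"not an AES cipher: {name}")
        elif int(match.group(1)) < MIN_AES_BITS:
            findings.append(f"AES key shorter than {MIN_AES_BITS} bits: {name}")
    return findings


# Constructed sample configurations (not taken from any real server)
WEAK_CONFIG = """# constructed sample
Port 22
Ciphers aes128-ctr,3des-cbc,aes256-gcm@openssh.com
"""
HARDENED_CONFIG = "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr\n"

if __name__ == "__main__":
    print(audit_ciphers(WEAK_CONFIG))      # ['not an AES cipher: 3des-cbc']
    print(audit_ciphers(HARDENED_CONFIG))  # []
```

The check applies the article’s AES floor literally, so a non-AES cipher is reported as a finding to review rather than an automatic failure.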

A third-party PCI compliant MFT vendor can provide secure storage and sharing that meets PCI while supporting the following:

  1. Secure file sharing: This includes AES-128 or AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit.
  2. Audit logging: A proper audit log will provide unbroken evidence of any security event for diagnostic or prevention purposes. Likewise, this gives you additional tools to prove that you are meeting requirements during an assessment.
  3. Firewall protection: PCI DSS requires a firewall to protect access to servers, and your MFT platform should as well, including special protections for sharing across the firewall barrier and protecting cardholder data.
  4. Secure methods of file sharing with external users: Email is not secure and sharing information via unencrypted email breaks compliance. Secure MFT can provide real security through secure links to support easy email and file sharing using encrypted servers.
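The audit logging item above asks for unbroken evidence of security events. The following added example (not Kiteworks code or the page’s own) shows one way a file-sharing system can make its audit trail tamper-evident: each record commits to the SHA-256 of the previous one, so an edited or deleted record breaks the chain. The event fields and user names are constructed.

```python
"""Tamper-evident (hash-chained) audit log for file-sharing events: each record
commits to the SHA-256 of the previous one, so edits or deletions in the middle
break the chain. Added example, not Kiteworks code; event fields are constructed."""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first record


def _record_hash(prev_hash: str, seq: int, event: dict) -> str:
    # Canonical JSON so the same event always hashes the same way
    payload = json.dumps({"seq": seq, "prev": prev_hash, "event": event},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """Append an event and return the stored record."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    record = {"seq": seq, "prev": prev_hash, "event": event,
              "hash": _record_hash(prev_hash, seq, event)}
    log.append(record)
    return record


def verify_chain(log: list, head: str = None):
    """Return None if the chain is intact, else the index of the first bad record.
    Passing the last hash you stored elsewhere (head) also detects a truncated tail."""
    prev_hash = GENESIS
    for i, record in enumerate(log):
        if record["seq"] != i or record["prev"] != prev_hash:
            return i
        if record["hash"] != _record_hash(prev_hash, i, record["event"]):
            return i
        prev_hash = record["hash"]
    if head is not None and prev_hash != head:
        return len(log)  # records were removed from the end
    return None


def build_sample_log() -> list:
    """Constructed events for a file-sharing system handling cardholder data."""
    log = []
    append_event(log, {"user": "alice", "action": "upload", "file": "settlement.csv"})
    append_event(log, {"user": "bob", "action": "download", "file": "settlement.csv"})
    append_event(log, {"user": "alice", "action": "share_link", "file": "settlement.csv"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log))             # None: intact
    log[1]["event"]["user"] = "mallory"  # rewrite history
    print(verify_chain(log))             # 1: first broken record
```

Chaining alone cannot detect removal of the newest records, which is why the head hash should be exported to a separate system (such as the SIEM mentioned later) and passed back as `head` during verification.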

Kiteworks Helps Organizations Demonstrate PCI DSS Compliance with PCI Compliant File Sharing

The Kiteworks platform is an MFT and SFTP solution that meets the needs of any organization handling cardholder data. We understand that not all businesses deal with payments in the same way, so using our platform provides you with the peace of mind you need to focus on business operations rather than the minutiae of compliance.

With the Kiteworks platform, you can align your business and compliance strategies under one umbrella with the following features:

  1. Security: We include secure SFTP that meets PCI DSS requirements for file transfers and storage. The virtual appliances are hardened with layers of defenses, such as embedded and tuned network and web application firewalls, zero trust communications between internal services, architectural features to prevent data from being held in your DMZ, tight default security and compliance policy controls, and others. Our systems are protected by secure firewalls with proxy tiers of interaction so that no sensitive information goes in or out.
  2. Data and audit logging: The Kiteworks platform uses immutable audit logs so that you can demonstrate compliance and effectively manage security events whenever they occur. Track, monitor and visualize data usage on your system with our dedicated CISO Dashboard that empowers your compliance and business operations with a bird’s eye view of your information landscape. We also provide export capabilities to your existing SIEM solution, including Splunk, IBM QRadar, LogRhythm and ArcSight.
  3. File sharing compliance: We provide secure email links to our encrypted servers so that you can share sensitive data with the right people using traditional email.

More importantly, the Kiteworks platform is secured for you so that it is PCI compliant. We require clients to set unique passwords at the start of onboarding, and we implement strong data access and authentication controls. Kiteworks also uses an OWASP secure development lifecycle with automated security testing, white box and black box testing, regular penetration testing and a continuous bounty program for unearthing vulnerabilities. Finally, we make configuring and using your system easy, without compromising compliance or security.

To learn more about PCI compliant file sharing, schedule a custom demo of Kiteworks today.


*** This is a Security Bloggers Network syndicated blog from Cyber Security on Security Boulevard Archives - Kiteworks | Your Private Content Network authored by Bob Ertl. Read the original post at: https://www.kiteworks.com/pci-compliance/pci-compliant-file-sharing/


Bob Ertl

Bob Ertl is Senior Director of Industry Solutions at Accellion. He is responsible for product marketing at Accellion. With over 20 years of product management / product marketing experience, he specializes in delivering software innovations that transform the effectiveness of business teams. Prior to Accellion, he concentrated on business intelligence and data warehousing at Oracle, Hyperion, Brio and several start-ups, as both a consultant and product vendor, across a variety of vertical industries. Bob holds a Bachelor’s degree in Electrical and Computer Engineering from the University of Wisconsin-Madison.
