PCI Compliant MFT Solutions | Requirements & Options

Looking for a PCI compliant MFT solution? We’ll walk you through the requirements of PCI DSS and your options for becoming PCI compliant.

Who needs to be PCI compliant? Any business or organization that processes, handles or stores credit card data, physically or digitally, must be PCI DSS compliant. This means there must be specific protocols in place to protect this data if an attack occurs.

What is PCI DSS and How Does it Impact MFT Implementation?

PCI DSS is a framework that protects customer financial data, specifically credit card payment information, against theft and fraud. As we move into an increasingly digital and online shopping culture, credit card information is used for almost any purchase. But even for brick-and-mortar storefronts, it’s critical that technical safeguards be in place to protect that data either directly at the point of sale or if that information is stored in a server.

PCI breaks down compliance into 12 key requirements, which include:

1. Install and maintain a firewall configuration to protect cardholder information
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder information
4. Encrypt transmission of cardholder information across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder information by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder information
10. Track and monitor all access to network resources and cardholder information
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

When it comes to managed file transfer or MFT, any server or data transmission must meet the above 12 requirements as it applies to the handling of the customer’s data. That means that whenever information is stored or transferred as part of an MFT solution, the underlying physical, technical and administrative controls must be in place. This includes safeguards like:

1. Data encryption for data-at-rest and in-transit, including AES-128 or AES-256 for data in a server and TLS 1.2 or better for data-in-transit.
2. Access controls, including secure authorization and identity access management (IAM).
3. Data controls, including data management and audit logging.
4. Administrative training around handling and storing consumer data.

There are also several layers of data and user management requirements to stay compliant, which can prove to be a huge challenge for businesses who aren’t prepared.

What are the Benefits of Using an MFT Platform?

That being said, PCI compliance is not a reason to get cold feet about using advanced business tech like MFT. Just the opposite, actually: there are several features in advanced MFT platforms that can help you with compliance and security. That’s because effective MFT solutions contain features like:

1. Batch file transfers: Typically, simple file transfer solutions handle peer-to-peer transactions. Technologies like FTP, SFTP and FTPS are great for transfers, depending on what you need to accomplish, and usually serve as the backbone of MFTs.
2. Information visibility and access management: Some PCI-compliant solutions include information management controls and dashboards to help you track where your data is and how it is being used. This helps with both compliance and business goals.
3. Security and compliance: From encrypted transmissions and servers to IAM and meaningful audit logs, MFT can be the bedrock of your operations while maintaining your compliance requirements.
4. Audit logs: As mentioned before, audit logs are an important part of compliance. A PCI-compliant MFT solution can help you offload the need to manage immutable audit trails and documentation across your organization.

As you can see, MFT isn’t just a business technology, but a compliance one as well.

How Does MFT Align PCI Compliance and Business Goals?

PCI compliance isn’t simply a hoop to jump through. It can help guide your operations and your partnerships to drive better decision-making and security practices. There are a few reasons why this is the case:

• Retailers and merchants rely on hundreds and thousands of payments per day, and those payments need to be secure and seamless between customers, processors and banks. That means that at some point you’ll need to streamline payment information through your servers, and you’ll want to have equally seamless and compliant technology in place.
• In the front, where the customers are, POS systems need to be secure, and employees need to be trained in privacy practices. In the back, email services, file transfer servers and user access need to remain compliant while also providing flexible and scalable business features. A PCI-compliant MFT solution can ground compliance in security systems so that you can do things like using secure links in PCI-compliant email or transmitting payment information for recurring payments.
• Managed File Transfer, combining batch file transfer and storage, information intelligence and security management helps bring both of these areas together. The truth is that when you have a bird’s eye view of your data, you can build a strategy that mobilizes both your compliance and security efforts as well as your business operations. Better security, and more advanced payment technology, can open up several new business opportunities. This includes things like subscription services and recurring payments, as well as payments in places like mobile apps, online portals and app stores.

It’s difficult for organizations to field an in-house payment and file management infrastructure, which is why many are turning to third-party vendors to pick up their payment and security efforts. Accordingly, an MFT partner can enable this infrastructure without worrying about security and compliance. Having an MFT partner to handle compliance and business strategies can empower you to have this infrastructure without having to worry about breaking compliance.

The Accellion Difference

The Accellion Kiteworks platform and PCI-compliant SFTP servers help you stay compliant by providing everything we just talked about security, compliance, and intelligence for business goals. Packaged into a managed file transfer solution, including content firewall, secure email and compliant technology, you can rely on our systems to support data handling and sharing across your organization. Our support features include:

1. Security and Compliance: Our systems enable all 12 PCI requirements, meaning that you can use our MFT and SFTP technologies (including encrypted file transfers and secure servers) for PCI-compliant file sharing and storage. Its hardened virtual appliances save you the time and effort of hardening and testing the system yourself.
2. Data Visibility and Management: Our CISO Dashboard gives you an overview of your data: where it is, who is accessing it, how it is being used and if it complies. Help your business leaders make informed decisions and your compliance leadership maintain regulatory requirements.
3. Audit Logging: PCI DSS requires logging events in your system. With the Kiteworks platform’s immutable audit logs, trust that you can detect attacks sooner and that you’re maintaining the right chain of evidence to perform forensics. Since the system merges and standardizes entries from all the components, its unified syslog and alerts save your SOC team crucial time while helping you maintain critical compliance requirements for reporting.

Read more on how to to learn more about MFT for PCI compliance.

*** This is a Security Bloggers Network syndicated blog from Cyber Security on Security Boulevard – Kiteworks authored by Robert Dougherty. Read the original post at: https://www.kiteworks.com/pci-compliance/pci-compliant-mft/