PCI-DSS File Sharing Requirements
The Payment Card Industry Data Security Standard (PCI-DSS) is designed to help organizations keep cardholder payment information secure. This payment data can be generated from major debit, credit, prepaid, e-purse, ATM, and POS cards.
To maintain a thorough level of security protecting cardholder data, the latest PCI-DSS version specifies a number of “control objectives” to help organizations strengthen their networks and servers against the constant threat of a data breach and meet PCI-DSS file sharing requirements.
Explore four key objectives your organization should work toward to maintain compliance, and learn what actions you can take to ensure you meet these PCI-DSS file sharing requirements.
Objective: Build and Maintain a Secure Network
Today, the vast number of digital payments made to a variety of companies gives hackers greater opportunity to commit financial theft. To thoroughly protect your client information, you need to consistently maintain a secure network that protects data from the threat of a virtual breach. To ensure your network is secure and you’re in alignment with this first objective, there are two PCI-DSS file sharing requirements you need to meet.
- Install and maintain a firewall configuration to protect cardholder data. Firewalls are essential for controlling traffic within your internal network and for detecting suspicious access attempts from external entities. To ensure your firewall is PCI-DSS compliant, you must regularly test it for effectiveness and upgrade it to keep pace with the evolving capabilities of today’s hackers. You can also use a secure file sharing solution with a built-in firewall and advanced data protections in place.
- Don’t use vendor-supplied defaults for system passwords and other security parameters. Default passwords are the virtual Achilles’ heel of many companies’ networks, because they are unbelievably easy for a hacker to crack. If you truly want to keep your customers’ card payment information safe and meet PCI-DSS file sharing requirements, you need to change the vendor-supplied password before putting the system into company use. You also need to align your new passwords with industry recommendations on safe password standards (e.g. a mix of uppercase and lowercase characters, numbers, and special characters).
Objective: Protect Cardholder Data
Your customers trust your company to go to great lengths to protect their payment data. To preserve that trust and maintain your reputation for quality customer protections, you must take measures to protect cardholder data, both in transit and at rest. This PCI-DSS file sharing requirement is achieved by taking these two actions.
- Protect stored cardholder data. Simply because data is stored on your server or network does not mean it’s invulnerable to access by unauthorized entities. There are a couple of measures you can take to ensure stored data is safe. First, you can limit the amount of data you store. Regularly purge data that’s no longer needed to maximize customer protection. Also, it’s wise to use advanced encryption methods designed to withstand an attack.
- Encrypt transmission of cardholder data across open, public networks. Transferring cardholder data can also present vulnerabilities. In addition to encrypting data at rest, you should also encrypt data in transit to meet PCI-DSS file sharing requirements. Use strong transport security protocols like TLS (the successor to SSL) and SSH to protect data that’s being transferred. Secure file sharing solutions also make it easy to protect this sensitive data, because these security measures are built in.
Objective: Maintain a Vulnerability Management Program
Hacking methods used today have advanced light years beyond the methods used a decade ago, and you can expect them to become increasingly sophisticated with each passing day. So, how do businesses keep up with the constantly growing threat of a breach? Maintaining a vulnerability management program to monitor your security procedures and controls is the first step in maintaining strong protection over your customers’ card payment information. The method for doing this is a two-step process.
- Use and regularly update anti-virus software. Viruses can creep into your network in a number of ways, from suspicious links your employees click on to cleverly drafted emails that appear legitimate. Anti-virus software is developing as fast as the viruses it protects against. By adopting the most current version of the anti-virus software your company uses, you stay a step ahead of the security threats to your data and meet PCI-DSS file sharing requirements. It’s also wise to educate your employees on the potential virus threats to avoid.
- Develop and maintain secure systems and applications. Many vendors, when they detect a security threat, provide their customers with patches for their solutions. Download and install these patches to ensure your applications are up-to-date with the latest security standards. You also should establish a set of standards and protocols for regularly testing and updating your security procedures. When you’re attentive to the security systems you have in place, it’s easier to detect potential issues before a serious problem arises and maintain PCI-DSS compliance.
Objective: Implement Strong Access Control Measures
Unfortunately, some threats to your customers’ data come from within. From employees with nefarious intentions to others who are simply careless with data, many breaches occur due to internal gaps in access controls. To thoroughly protect your data and meet PCI-DSS file sharing requirements, it’s essential that you implement robust access control measures. You should, at all times, know who is accessing data and for what purpose.
- Restrict access to cardholder data. When you limit access to payment data on a need-to-know basis, it’s far easier to control who is looking at data and for what purpose. To effectively meet PCI-DSS file sharing requirements, you need granular controls over who has access to specific folders and files on your systems.
- Assign a unique ID to each employee. This allows you to track who has accessed what data and when. Tracing data access is highly important when you’re trying to identify the source of a leak or data breach. It’s also wise to employ multiple forms of authentication, ensuring that who is signing in is really who they claim to be.
- Restrict physical access to cardholder data. In the same way that you restrict access to digital cardholder data, you also need to restrict physical access to this data. Ensure that all visitors to your data facilities are authorized, and keep a thorough log of visitors and their purpose for the visit. This will be crucial information in the event of an audit.
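To make the access control objective concrete, here is an added example (not FTP Today's code) that audits file-sharing access logs the way the two requirements above describe: it flags cardholder-data access by users outside a need-to-know list, flags logins under shared or vendor-default account names that defeat the "unique ID per employee" goal, and produces a who-touched-what-and-when trail for a given file. The log format, the path prefix and the allowlist are all constructed assumptions.

```python
"""Audit constructed file-sharing access logs against PCI-DSS access control goals."""
from dataclasses import dataclass

# Constructed sample log lines in an assumed "TIMESTAMP USER ACTION PATH" format.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z jsmith RETR /cardholder/settlement_0301.csv
2024-03-01T09:15:44Z ftpuser RETR /cardholder/settlement_0301.csv
2024-03-01T09:20:10Z mlee STOR /marketing/banner.png
2024-03-01T09:31:27Z mlee RETR /cardholder/chargebacks.csv
2024-03-01T09:40:00Z admin DELE /cardholder/settlement_0229.csv
"""

# Hypothetical need-to-know list: only these unique user IDs may access
# anything under the cardholder-data folder.
CARDHOLDER_PREFIX = "/cardholder/"
AUTHORIZED_FOR_CARDHOLDER = {"jsmith", "rpatel"}

# Generic or vendor-default account names cannot be traced to one person.
SHARED_ACCOUNTS = {"admin", "ftpuser", "anonymous", "root"}


@dataclass(frozen=True)
class Finding:
    when: str
    user: str
    path: str
    reason: str


def parse_line(line):
    """Split one log line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(maxsplit=3)
    return ts, user, action, path


def audit(log_text):
    """Return findings for shared-account use and need-to-know violations."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = parse_line(line)
        if user in SHARED_ACCOUNTS:
            findings.append(Finding(ts, user, path, "shared or default account; not attributable to an individual"))
        if path.startswith(CARDHOLDER_PREFIX) and user not in AUTHORIZED_FOR_CARDHOLDER:
            findings.append(Finding(ts, user, path, "cardholder data accessed outside need-to-know list"))
    return findings


def who_touched(log_text, path):
    """Audit trail for one file: list of (timestamp, user, action), in log order."""
    return [(ts, user, action) for ts, user, action, p in
            (parse_line(l) for l in log_text.splitlines() if l.strip()) if p == path]
```

Running `audit(SAMPLE_LOG)` yields five findings (two shared-account uses, three need-to-know violations), and `who_touched(SAMPLE_LOG, "/cardholder/settlement_0301.csv")` shows that both jsmith and the untraceable ftpuser account read that file.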
Do you have the tools and policies in place to meet these PCI-DSS file sharing requirements? The first step is adopting a file sharing solution that enables PCI-DSS compliance. An industry-best FTP solution will have all the necessary security measures built in to keep your data safe from the moment you implement it.
Learn more about how FTP Today can help you maintain PCI-DSS compliance. Download this free guide on PCI-DSS readiness today.
About Martin Horan
Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.