What Exactly Is PCI?

PCI stands for Payment Card Industry; the standard itself is PCI DSS, the Payment Card Industry Data Security Standard. It applies to every organisation that stores, processes or transmits cardholder data (primary account numbers and the related sensitive authentication data), from merchants to service providers. It is not legislation: the obligation is contractual, imposed by the card brands and enforced through your acquiring bank, but it is an obligation nonetheless, and it requires you to maintain a secure environment for every system that handles payments and the cardholder information attached to them.

Transferring cardholder data in a way that does not meet PCI DSS puts your business at serious financial risk if it is discovered or, worse, if it leads to a breach. Besides fines and increased transaction fees from the card brands and your acquirer, you are exposed to legal proceedings arising from insurance claims, regulators and card issuers. The case for a PCI compliant file transfer solution should therefore be at the front of your mind.

Making your file transfer operations PCI DSS compliant is not for the faint hearted. There are, however, a number of disciplines that will help you and your compliance team work out what needs to be put in place to remain on the right side of the standard.

Create a secure configuration

Secure file transfer needs a component that sits at the network boundary, such as a hardened SFTP or HTTPS server placed in a DMZ, so that external parties never connect directly to the internal systems that hold cardholder data. Build that server from a documented, hardened baseline: disable unused services and protocols, remove vendor defaults and default accounts, and keep the configuration under change control.

Control Access

Limit the number of people who can reach the transfer system and enforce strict rules for passwords and access rights. Each user must have a unique ID (PCI DSS does not permit shared accounts), privileges should be the minimum the role needs, and administrative access to the cardholder data environment requires multi-factor authentication. Fewer, better-controlled accounts mean fewer unintended errors and a harder target for an outsider trying to break into your file transfer solution.

Automated Transfers

Automate file transfers to limit human intervention. Scheduled jobs that run under dedicated service accounts with no interactive login reduce the number of errors, keep people away from sensitive data they do not need to see, and give you a predictable pattern of activity that is easy to monitor.

Authentication of users and processes

Stringent authentication ensures that only a limited number of known users and processes can reach your file transfer solution. Prefer public-key or certificate authentication over passwords for automated processes, and make sure the same rules apply to the scripts and service accounts that move files as to the people who log in.

Use secure protocols

Make sure that secure, proven protocols are used whenever data leaves your servers, e.g. HTTPS or SFTP. Plain FTP, which sends credentials and file contents in the clear, has no place in a cardholder data environment, and PCI DSS no longer accepts SSL or early TLS, so HTTPS endpoints should be configured for TLS 1.2 or later with strong cipher suites.
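As an added example, not code from the original page or from Maytech's product, the sshd_config fragment below implements several of the disciplines above on an OpenSSH-based SFTP endpoint in a DMZ: key-only authentication, a dedicated transfer-only group confined to a chroot, no shell, no port forwarding, and verbose logging so the key used for each login appears in the audit trail. The group name `sftponly` and the directory `/srv/sftp` are assumptions; substitute your own.

```text
# /etc/ssh/sshd_config (assumed path; fragment to merge with the existing file)

# Authentication: keys only, no passwords, no direct root login
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3

# VERBOSE records the fingerprint of the key that authenticated each session
LogLevel VERBOSE

# Use the in-process SFTP server so no binaries are needed inside the chroot
Subsystem sftp internal-sftp

# Transfer-only accounts (assumed group name): jailed, no shell, no tunnelling.
# Match blocks must come after all global directives.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AuthenticationMethods publickey
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

OpenSSH refuses the chroot unless every component of `ChrootDirectory` is owned by root and not writable by group or others, so give each user a root-owned `/srv/sftp/<user>` with a user-writable subdirectory inside it (for example `upload/`). Validate the result with `sshd -t` before restarting the daemon, and keep the transfer-only users' shells set to `nologin` as a second line of defence.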

Capture Audit data

Keep a full audit trail of every data transaction: who or what initiated it, when, from where, which file was involved and whether it succeeded. Protect the logs from modification, and retain them for at least a year with the most recent three months immediately available, which is what PCI DSS requires. Use the audit data strategically, both to investigate incidents and to demonstrate comprehensive data security and regulatory compliance to your assessor.

Archive encrypted files

Encrypt data files with your own master key before archiving them, and manage that key separately from the archive itself, with restricted access and a documented rotation procedure. Archived files can be an essential component in providing the business with a record of the information that has been transferred, but an archive that contains readable primary account numbers simply extends your cardholder data environment, so the files must be unreadable without the key wherever they are stored.

Monitor file transfers

Your file transfer solution needs to provide instant information through real-time monitoring. Because automated transfers follow a known pattern, deviations are easy to define: a transfer that does not start on schedule, takes far longer than usual, moves an unexpected volume of data, or is run by an account that does not normally run it could all signal a security problem and should raise an alert.
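The two points above, an audit trail that cannot be quietly altered and monitoring that flags transfers which deviate from their schedule, can be demonstrated together. The following Python is an added example, not code from the original page or from any managed file transfer product: it parses a handful of constructed log lines in a hypothetical format, checks each transfer against an expected schedule, and then chains the records with an HMAC so that any later edit to the trail is detectable. The log format, the job names, the schedule and the key are all assumptions for the sake of the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a hypothetical MFT log format (not a real product's):
# <start ISO8601> <end ISO8601> <job> <user> <file> <bytes> <status>
SAMPLE_LOG = """\
2024-03-01T02:00:04Z 2024-03-01T02:01:10Z settlement-out svc_batch settle_20240301.csv.pgp 1048576 OK
2024-03-01T02:30:02Z 2024-03-01T02:30:09Z chargeback-in svc_batch cb_20240301.csv.pgp 20480 OK
2024-03-02T02:47:11Z 2024-03-02T03:40:55Z settlement-out svc_batch settle_20240302.csv.pgp 1049000 OK
2024-03-02T02:30:01Z 2024-03-02T02:30:08Z chargeback-in jsmith cb_20240302.csv.pgp 20480 OK
"""

# Assumed schedule: daily start time (hour, minute), how late a start may be,
# how long a run may take, and which accounts are allowed to run the job.
SCHEDULE = {
    "settlement-out": {"start": (2, 0), "max_late": timedelta(minutes=10),
                       "max_duration": timedelta(minutes=5), "users": {"svc_batch"}},
    "chargeback-in": {"start": (2, 30), "max_late": timedelta(minutes=10),
                      "max_duration": timedelta(minutes=5), "users": {"svc_batch"}},
}


def _ts(s):
    """Parse the log's UTC timestamps (the format is an assumption of this example)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn raw log lines into records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, job, user, name, size, status = line.split()
        records.append({"start": _ts(start), "end": _ts(end), "job": job,
                        "user": user, "file": name, "bytes": int(size), "status": status})
    return records


def detect_anomalies(records, schedule=SCHEDULE):
    """Compare each transfer with its expected pattern; return (job, reason) alerts."""
    alerts = []
    for r in records:
        spec = schedule.get(r["job"])
        if spec is None:
            alerts.append((r["job"], "unknown job"))
            continue
        hour, minute = spec["start"]
        expected = r["start"].replace(hour=hour, minute=minute, second=0, microsecond=0)
        if r["start"] - expected > spec["max_late"]:
            alerts.append((r["job"], "started late"))
        if r["end"] - r["start"] > spec["max_duration"]:
            alerts.append((r["job"], "ran too long"))
        if r["user"] not in spec["users"]:
            alerts.append((r["job"], "unexpected user"))
        if r["status"] != "OK":
            alerts.append((r["job"], "failed"))
    return alerts


def chain_records(records, key):
    """Tamper-evident trail: each entry's MAC covers the record and the previous MAC,
    so editing or deleting an entry breaks every MAC after it."""
    prev = b"\x00" * 32
    chain = []
    for r in records:
        payload = json.dumps(r, sort_keys=True, default=str).encode()
        mac = hmac.new(key, prev + payload, hashlib.sha256).digest()
        chain.append((payload, mac))
        prev = mac
    return chain


def verify_chain(chain, key):
    """Return the index of the first entry whose MAC does not verify, or None if intact."""
    prev = b"\x00" * 32
    for i, (payload, mac) in enumerate(chain):
        expected = hmac.new(key, prev + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return i
        prev = mac
    return None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in detect_anomalies(recs):
        print("ALERT", *alert)
    audit_key = b"constructed-example-key-keep-real-keys-in-an-hsm"
    chain = chain_records(recs, audit_key)
    print("chain intact:", verify_chain(chain, audit_key) is None)
```

In this constructed data the second day's settlement run starts 47 minutes late and takes almost an hour, and the chargeback job is run by an interactive user rather than the service account; each of those conditions produces an alert. The HMAC key for the audit chain must live somewhere the log writer can use but a log editor cannot reach, otherwise an attacker who alters the trail can simply recompute the chain.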

Many off-the-shelf managed file transfer solutions ship with pre-configured controls that address key PCI DSS requirements, but it is up to you to administer them properly: the product can provide the mechanisms, while the day-to-day discipline that prevents future security breaches, and the stress that goes with them, remains your responsibility.

Penetration testing

Scan for vulnerabilities, and test. PCI DSS asks for both: regular vulnerability scans (including quarterly external scans by an approved scanning vendor) and periodic penetration tests, which go beyond automated scanning to attempt actual exploitation of the systems in scope. At Maytech we know our customers' data is a vital asset and we have put in place several controls to ensure that that data is protected at all times. To aid us further in this endeavour we utilise McAfee SECURE to test our web services against 40,000+ security threats and vulnerabilities on a daily schedule. McAfee SECURE certifies that we pass all of their security tests, which help protect consumers from identity theft, viruses, spyware and other online threats. Doing the same will help you and your team remain on the right side of compliance and regulation.


Author: Maytech is an ISO 27001 accredited leading provider of secure global file sharing solutions. If you're interested in PCI compliant data transfer, visit Maytech's website today.
