PCI Compliant File Sharing - Requirements & Compliance

Looking for a PCI compliant file sharing solution? The risks of non-compliance are substantial, including losing the ability to accept credit card payments.

Is SFTP PCI compliant? SFTP can be PCI compliant if the security and encryption of SFTP are set at the appropriate levels. Otherwise, if the encryption standards aren’t met, your SFTP will not be PCI compliant.

What Does It Mean to Be PCI DSS Compliant?

PCI DSS is a framework meant to support anyone accepting payments via credit or debit cards. Enforced by a consortium of payment card brands such as Visa, Mastercard and American Express, PCI DSS isn’t mandated by national law; it is instead an integral part of processing any credit card payment.

PCI DSS includes 12 requirements covering security, which are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder information by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder information
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

Merchants, retailers and sales outfits are often the most concerned about PCI, and other companies that accept payments but are not merchants often employ third-party payment processors who are themselves PCI DSS compliant. Banks that issue credit cards often outsource the processing of transactions and require the highest levels of PCI compliance from the outsourcer.

How does this affect sharing data? Because PCI DSS protects customer data through security and risk management, this applies to any system that stores that data for payment processing for financial purposes. This can include sharing data as part of a financial transaction or the continued use of payment data to process recurring subscription services.


How to Become PCI Compliant

PCI DSS stands for Payment Card Industry Data Security Standard, and it is a set of standards created by the major credit card companies to protect their customers’ sensitive data. Becoming PCI DSS compliant is a multistep process that requires a comprehensive review of your existing systems and processes.

The first step is to identify which payment card types you accept and how the transactions are processed. This requires an assessment of all the different parts of your system, including software, hardware, and networks. Once you know where the sensitive data is stored and how it flows through your system, you can then start to investigate which PCI DSS requirements apply.

The next step is to assess how compliant your existing systems are with the PCI DSS. This usually requires a review of all the hardware, software, and processes that are part of your system. It is important to look for any weaknesses in your system and areas where the system does not meet the requirements of the PCI DSS.

Once the review is completed, you can then start to implement any required changes to ensure that your system meets the requirements of the PCI DSS. This can range from upgrading hardware and software to implementing additional security measures, such as firewalls or encryption. You will also need to ensure that you have a data security policy in place, which outlines how you will protect customer data and how to respond to a data breach.

Once all the changes have been implemented, you will need to test and monitor them to ensure that they meet the requirements of the PCI DSS and remain as secure as possible. This is also the time to develop a regular compliance audit schedule to ensure that your system remains compliant in the future.

After you have completed all the steps you need to take to become PCI DSS compliant, you should apply to one of the Payment Card Industry Security Standards Council’s (PCI SSC) accredited organizations. They will assess your system and issue you a Certificate of Compliance if they determine that you are compliant.

Meeting PCI DSS Encryption and Other Compliance Requirements

PCI DSS encryption requirements are industry-leading safeguards that companies must implement to protect customer data, such as credit card information, and ensure safe transactions.

The PCI DSS requirements for encryption are not only complex but also quite nuanced. First, encryption must be used to protect any data classified as “sensitive authentication data,” which includes any primary account numbers (PANs) or the full magnetic stripe data of the credit or debit card. Additionally, the encryption must meet an approved industry standard, such as AES (Advanced Encryption Standard) or Triple DES (Triple Data Encryption Standard), which are among the most commonly used algorithms.

Encryption is also required for any data that is sent over public networks. This means that any data sent from one machine to another must be encrypted, and the same applies to any merchant that wants to accept payments online. All data must be encrypted when it leaves the point of origin, as well as when it reaches its destination. This includes any data stored in any kind of database where customers’ personal information is kept.

One of the main requirements of the PCI DSS is the use of strong access control measures. This means that a secure authentication system must be used to verify the identity of the user. It is also highly recommended that all employees who have access to the database be provided with unique tokens or passwords that must be used to access the database.

Overall, the PCI DSS encryption requirements are essential in ensuring the security and privacy of customer information. Organizations that fail to meet these requirements could face significant fines, as well as a potential loss of customers if the data is stolen or compromised. Companies that are in the process of implementing encryption should be sure to meet all of the PCI DSS requirements to avoid any potential issues.


How Does PCI DSS Affect Relationships Between Your Business and Vendors?

PCI DSS is a requirement for working with major credit card companies when handling sensitive credit card data. In this case, sensitive data is credit card numbers, CVV numbers, expiration dates, information from an EMV chip or magnetic stripe and any personal data about the cardholder. While this isn’t enforced by national, state or provincial governments, credit card providers are adamant about compliance. Without compliance, you and any company handling data are subject to penalties levied by those providers. These penalties can include:

  1. Financial penalties up to and including $100,000 per month until compliance is achieved.
  2. Damage to your merchant account due to non-compliance, which can make it costly, if not impossible, to process card payments.
  3. The negative impact to your merchant account due to fraud or chargeback activity that isn’t caught through compliant technology standards.

These risks and penalties are outside of any legal obligations you might have to customers or the government in the event of a data breach.

These problems are still present if you are using a third-party payment processor, as they must also maintain compliance. That means any technology they use must be compliant, and any sharing of data between you and them (file transfers, file storage or file sharing) must also adhere to PCI regulations.

Can a Third-party Vendor Help With Compliance?

The short answer is yes. If you use a payment processing vendor, it can minimize your compliance load. If they are PCI DSS compliant and handle all data storage, it makes your business easier to run. Additionally, these vendors can also provide compliant services to expand your own, including secure storage for repeat payment processing or subscriptions.

However, if you are also handling customer data in conjunction with a third-party payment vendor, then you must have compliant technology on your end as well. If you communicate with them in any way about sensitive information, for example through file transfers, then both parties often use Secure FTP (SFTP) technology to do so.

SFTP isn’t enough, however. First, any SFTP server must be hardened to deter breaches, provide rigorous data access controls, and be configured to handle encrypted data per PCI requirements. Second, SFTP doesn’t include any support for the business and auditing requirements included in the PCI DSS framework. That’s why a managed file transfer (MFT) solution can help.

A third-party PCI compliant MFT vendor can provide secure storage and sharing that meets PCI while supporting the following:

  1. Secure file sharing: This includes AES-128 or AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit.
  2. Audit logging: A proper audit log will provide unbroken evidence of any security event for diagnostic or prevention purposes. Likewise, this gives you additional tools to prove that you are meeting requirements during an assessment.
  3. Firewall protection: PCI DSS requires a firewall to protect access to servers, and your MFT platform should as well, including special protections for sharing across the firewall barrier and protecting cardholder data.
  4. Secure methods of file sharing with external users: Email is not secure and sharing information via unencrypted email breaks compliance. Secure MFT can provide real security through secure links to support easy email and file sharing using encrypted servers.

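The hardening the two sections above call for (an SFTP server with AES-only transport, strict access controls and no vendor defaults) is something you can verify mechanically. The following is an added example, not Kiteworks code and not text from the standard: a small Python checker that parses an OpenSSH sshd_config and reports deviations from an illustrative hardening policy. The allow-lists of ciphers, MACs and key-exchange algorithms, the required directive values, and the two sample configurations are this example's own assumptions chosen to match the article's AES-128/AES-256 guidance; PCI DSS itself does not prescribe specific sshd directives.

```python
"""Check an OpenSSH sshd_config used for SFTP against an illustrative
hardening policy (added example; policy values are assumptions)."""
from __future__ import annotations
import re

# Assumed policy: only AES-128/192/256 transport ciphers in GCM or CTR mode.
ALLOWED_CIPHERS = {
    "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
    "aes256-ctr", "aes192-ctr", "aes128-ctr",
}
# Assumed policy: SHA-2 MACs only (no MD5/SHA-1).
ALLOWED_MACS = {
    "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512", "hmac-sha2-256",
}
# Assumed policy: modern key exchange only.
ALLOWED_KEX = {
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
    "diffie-hellman-group-exchange-sha256",
}
# Directives whose effective value must match exactly (compared lower-cased).
REQUIRED_VALUES = {
    "permitrootlogin": "no",          # no shared privileged login
    "passwordauthentication": "no",   # key-based auth only
    "pubkeyauthentication": "yes",
    "loglevel": "verbose",            # records key fingerprints for audit
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return directive -> value with lower-cased keys.

    Mirrors two sshd rules: the first occurrence of a directive wins, and
    everything after the first 'Match' line is conditional, so it is not
    treated as a global setting here.
    """
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def _check_algorithms(conf: dict[str, str], directive: str,
                      allowed: set[str], findings: list[str]) -> None:
    """Require an explicit allow-list; flag defaults, modifiers and weak entries."""
    value = conf.get(directive)
    if value is None:
        findings.append(f"{directive}: not set; OpenSSH defaults would apply "
                        f"instead of an explicit allow-list")
        return
    if value[:1] in ("+", "-", "^"):
        findings.append(f"{directive}: uses a {value[0]!r} modifier, so the "
                        f"effective list depends on defaults; set an explicit list")
        return
    bad = [a for a in value.split(",") if a.lower() not in allowed]
    if bad:
        findings.append(f"{directive}: disallowed algorithms {', '.join(bad)}")


def check_sftp_hardening(config_text: str) -> list[str]:
    """Return a list of findings; an empty list means the policy is met."""
    conf = parse_sshd_config(config_text)
    findings: list[str] = []
    for key, expected in REQUIRED_VALUES.items():
        actual = conf.get(key)
        if actual is None:
            findings.append(f"{key}: not set (expected {expected!r})")
        elif actual.lower() != expected:
            findings.append(f"{key}: is {actual!r}, expected {expected!r}")
    _check_algorithms(conf, "ciphers", ALLOWED_CIPHERS, findings)
    _check_algorithms(conf, "macs", ALLOWED_MACS, findings)
    _check_algorithms(conf, "kexalgorithms", ALLOWED_KEX, findings)
    sub = conf.get("subsystem", "").split()
    if len(sub) < 2 or sub[0] != "sftp":
        findings.append("subsystem: no sftp subsystem configured")
    elif sub[1] != "internal-sftp":
        findings.append(f"subsystem: sftp uses external binary {sub[1]!r}; "
                        f"prefer internal-sftp so ChrootDirectory can confine users")
    return findings


# Constructed sample: defaults left in place plus legacy algorithms.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes256-ctr,3des-cbc,aes128-cbc
MACs hmac-sha2-256,hmac-md5
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample: the same server after hardening.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
LogLevel VERBOSE
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(check_sftp_hardening(cfg))} finding(s)")
        for f in check_sftp_hardening(cfg):
            print("  -", f)
```

Run it against `/etc/ssh/sshd_config` by passing the file's contents to `check_sftp_hardening`; an empty result is the state an assessor would expect to see, and the findings list doubles as the evidence of what was changed. Settings placed inside `Match` blocks are deliberately ignored by the parser, so per-group restrictions such as the chroot above still need to be reviewed by hand.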
The Kiteworks Difference

The Kiteworks platform is an MFT and SFTP solution that meets the needs of any organization handling cardholder data. We understand that not all businesses deal with payments in the same way, so using our platform provides you with the peace of mind you need to focus on business operations rather than the minutiae of compliance.

With the Kiteworks platform, you can align your business and compliance strategies under one umbrella with the following features:

  1. Security: We include secure SFTP that meets PCI DSS requirements for file transfers and storage. The virtual appliances are hardened with layers of defenses, such as embedded and tuned network and web application firewalls, zero trust communications between internal services, architectural features that prevent data from being held in your DMZ, tight default security and compliance policy controls, and others. Our systems are protected by secure firewalls with proxy tiers of interaction so that no sensitive information goes in or out unchecked.
  2. Data and audit logging: The Kiteworks platform uses immutable audit trails so that you can demonstrate compliance and effectively manage security events whenever they occur. Track, monitor and visualize data usage on your system with our dedicated CISO Dashboard that empowers your compliance and business operations with a bird’s eye view of your information landscape. We also provide export capabilities to your existing SIEM solution, including Splunk, IBM QRadar, LogRhythm and ArcSight.
  3. File sharing compliance: We provide secure email links to our encrypted servers so that you can share sensitive data with the right people using traditional email.

More importantly, the Kiteworks platform is secured for you so that it is PCI compliant. We require clients to set unique passwords at the start of onboarding, and we implement strong data access and authentication controls. Kiteworks also uses an OWASP secure development lifecycle with automated security testing, white box and black box testing, regular penetration testing and a continuous bounty program for unearthing vulnerabilities. Finally, we make configuring and using your system easy, without compromising compliance or security.

To learn more about PCI Compliance file sharing, schedule a custom demo of Kiteworks today.
