PCI Compliant File Sharing: Essential Requirements and Effective Strategies
The importance of Payment Card Industry Data Security Standard (PCI DSS) compliance cannot be overstated, particularly against the backdrop of the current threat landscape. Cyberattacks and data breaches are daily occurrences, as businesses seemingly cannot keep up with all the vulnerabilities that can compromise sensitive content, including credit card data.
PCI DSS plays a pivotal role in data protection by ensuring that all businesses that deal with credit card information maintain an environment that is secure. This helps in warding off potential data breaches and mitigating the risk of credit card fraud, thereby fortifying data security.
PCI DSS Compliant File Sharing Overview
PCI DSS is a framework meant to support anyone accepting payments via credit or debit cards. Enforced by a consortium of card brands like Visa, Mastercard and American Express, PCI DSS isn’t nationally mandated but is instead an integral part of processing any card payment.
PCI DSS includes 12 security requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder information by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder information
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Who Must Use PCI Compliant File Sharing?
Merchants, retailers and sales outfits are often the most concerned about PCI compliant file sharing. Other companies that accept payments but aren’t merchants often employ third-party payment processors who use PCI DSS compliant file sharing solutions. Lastly, banks that issue credit cards often outsource transaction processing and require the highest levels of PCI compliance from the outsourcer.
How does this affect sharing data? Because PCI DSS protects customer data through security and risk management, this applies to any system that stores that data for payment processing for financial purposes. This can include sharing data as part of a financial transaction or the continued use of payment data to process recurring subscription services.
How to Become PCI Compliant
Achieving PCI DSS compliance is a multi-step process that requires a comprehensive review of an organization’s existing systems and processes.
The first step to achieving PCI DSS compliance is for organizations to identify which payment card types they accept and how the transactions are processed. This requires an assessment of all systems, including software, hardware, and networks. Once you know where the sensitive data is stored and how it flows through these various systems, an organization can then start to investigate which PCI DSS requirements apply.
The next step is to assess how compliant existing systems are with PCI DSS. This usually requires a review of all the hardware, software, and processes involved in processing credit card data. Organizations should look for weaknesses in these systems and for areas where they do not meet PCI DSS requirements.
Once the review is completed, organizations can then start to implement any required changes to ensure that the systems meet PCI DSS requirements. This can range from upgrading hardware and software to implementing additional security measures, such as firewalls or encryption. Organizations will also need to ensure they have a data security policy in place, which outlines how the business will protect customer data and how they will respond to a data breach involving customer and credit card data.
Once all the changes have been implemented, organizations will need to test and monitor them to ensure that they meet PCI DSS requirements and remain as secure as possible. This is also the time to develop a regular compliance audit schedule to ensure that systems remain compliant in the future.
After an organization has completed all these steps to become PCI DSS compliant, it should apply to one of the Payment Card Industry Security Standards Council’s (PCI SSC) accredited organizations. These organizations have been officially recognized and certified by the PCI SSC for their adherence to the stringent security standards set for handling payment card information.
They typically offer services related to PCI DSS compliance, which may include consulting, auditing, and providing technology solutions. These services help businesses to minimize their risk of data breaches and other security incidents involving payment card data. Accredited organizations are also authorized to provide official PCI DSS training and certification, making them key contributors to the overall efforts of the PCI SSC to enhance global payment card data security.
They will assess your systems and issue a Certificate of Compliance if they determine that your organization is compliant.
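As an added example (not part of the original article), the data-discovery step above can be partly automated. This Python script scans text for candidate card numbers, keeps only those that pass the Luhn check so that order numbers and similar digit runs are not flagged, and reports each hit masked, so the scan output itself does not become a new copy of the PAN. The sample file content and the candidate pattern are constructed for illustration.

```python
import re
from typing import List, Tuple

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
# Constructed for illustration; extend it for the separators your files actually use.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of a file found during scoping; contains only well-known test numbers.
SAMPLE_FILE = """\
Order 1234567890123 shipped to J. Smith
card: 4111 1111 1111 1111 exp 12/26
refund ref 4111 1111 1111 1112 (mistyped, fails Luhn)
alt card 5500-0000-0000-0004
"""

def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, fold >9 back to one digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the scan report is not itself cardholder data."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(text: str) -> List[Tuple[str, int]]:
    """Return (masked PAN, character offset) for every Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((mask_pan(digits), m.start()))
    return hits

if __name__ == "__main__":
    for masked, offset in find_pans(SAMPLE_FILE):
        print(f"possible PAN {masked} at offset {offset}")
```

Run it over exported files, backups and mailbox dumps during scoping; every hit is a location that either needs to be brought into PCI DSS scope or purged.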
Encryption, Access Controls, and Other Requirements for PCI Compliant File Sharing Solutions
PCI DSS compliant encryption is an industry-leading safeguard that companies must implement to protect customer data, such as credit card information, and ensure safe transactions.
The PCI DSS requirements for encryption are not only complex but also quite nuanced. First, encryption must be used to protect any data classified as “sensitive authentication data,” which includes primary account numbers (PANs) and the full magnetic stripe data of the credit or debit card. Additionally, the encryption must meet an approved industry standard, such as AES (Advanced Encryption Standard) or Triple DES (Triple Data Encryption Standard), which are among the most commonly used algorithms.
Encryption is also required for any data that is sent over public networks. This means that any cardholder data sent from one machine to another must be encrypted, and merchants that accept payments online must likewise encrypt the card data they receive. All data must be encrypted when it leaves the point of origin and when it reaches its destination, including any data stored in a database where customers’ personal information is kept.
Another pivotal requirement for PCI compliant file sharing solutions is the use of strong access control measures. This means that a secure authentication system must be used to verify the identity of the user. It is also highly recommended that all employees who have access to the database be provided with unique tokens or passwords that must be used to access the database.
Overall, the PCI DSS encryption and access control requirements are essential in ensuring the security and privacy of customer information. Organizations that fail to meet these requirements risk significant fines, as well as a potential loss of customers if the data is stolen or compromised. Companies that are in the process of implementing encryption and access controls should be sure to meet all of the PCI DSS requirements to avoid any potential issues.
PCI Compliant File Sharing and Vendor Risk Management
PCI DSS compliance is a requirement for any organization handling sensitive credit card data. This data includes credit card numbers, CVV numbers, expiration dates, information from an EMV chip or magnetic stripe, and any personal data about the cardholder. Organizations that fail to secure this data are subject to several costly penalties, including but not limited to:
- Financial penalties up to and including $100,000 per month until compliance is achieved.
- Damage to an organization’s merchant account due to non-compliance, which can make it costly, if not impossible, to process card payments.
- Increased fraud or chargeback activity that isn’t flagged or stopped by PCI compliant technology standards.
- Civil or criminal litigation and settlement stemming from an organization’s failure to protect this data in the event of a data breach.
Organizations that utilize a third-party payment processor are not immune from PCI compliance requirements; they must also maintain compliance. That means any technology they use must be compliant, and any data sharing (file transfers, file storage or file sharing) between an organization and a third-party payment processor must also adhere to PCI regulations.
Include Third-party Vendors in Your PCI File Sharing Compliance Efforts
Using a third-party payment processor can minimize your compliance load. If they are PCI compliant and handle all data storage, it makes your business easier to run.
A third-party payment processor can significantly help in your PCI DSS (Payment Card Industry Data Security Standard) compliance efforts in several ways:
- Security Measures: These service providers have strong security measures in place to protect cardholder data. They adhere to a set of security standards dictated by the PCI Council, hence reducing the risk of data breaches.
- Outsourcing Payment Processing: By outsourcing your payment processing, you shift most of the responsibility of handling sensitive cardholder data to these processors. This means that your own system doesn’t have to handle or store sensitive information, reducing your exposure and risk.
- Compliance Assistance: These third-party payment processors can provide guidance and support in navigating through the PCI DSS compliance process. They can offer useful advice on how to secure your transactions and assist in completing the necessary annual audits or Self-Assessment Questionnaires (SAQs).
- Reducing Scope: Utilizing a third-party processor can significantly reduce your PCI DSS scope. Depending on their service model, you may be able to completely eliminate the handling of sensitive credit card data. This can lead to less complex and costly security audits.
- Regular Updates: Payment processors regularly update their systems to comply with the most recent PCI DSS standards and internet security protocols. This helps you remain current with compliance requirements without the need for significant internal resources.
- Fraud Detection: Many third-party payment processors have robust fraud detection and prevention mechanisms, further securing transactions and protecting you and your customers.
Remember, using a third-party payment processor does not relieve your organization entirely from PCI DSS compliance responsibilities. You’re still required to ensure that the payment processor is PCI compliant and to validate this compliance annually.
You must also have compliant technology on your end as well. If, for example, you exchange sensitive information via a file transfer solution like SFTP, then both parties must use an SFTP solution that is PCI compliant.
First, any SFTP server must be hardened to deter breaches, provide rigorous data access controls, and be configured to handle encrypted data per PCI requirements. Second, SFTP doesn’t include any support for the business and auditing requirements included in the PCI DSS framework. That’s why a PCI compliant managed file transfer (MFT) solution may be a better fit.
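Added example, not from the article or any vendor: a Python check that parses an OpenSSH sshd_config and flags settings that fall short of the hardening described above (password logins, root login, no chroot, a shell instead of the built-in SFTP server, legacy ciphers, thin logging). The baseline and the two embedded configs are constructed for illustration; the directive names are standard OpenSSH ones.

```python
import re
from typing import Dict, List

# Baseline for a PCI-scoped SFTP host, assumed for this example (not an official checklist).
REQUIRED = {"passwordauthentication": "no", "permitrootlogin": "no", "x11forwarding": "no",
            "allowtcpforwarding": "no", "loglevel": "verbose"}  # VERBOSE logs key fingerprints
WEAK_CIPHER_RE = re.compile(r"cbc|3des|arcfour|blowfish|cast128", re.I)
# Constructed samples: a default-ish config and a hardened SFTP-only one.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding no
LogLevel VERBOSE
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
"""

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Flatten 'Directive value' lines into a dict: comments stripped, keys lowercased, Match block merged."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().lower()
    return settings

def check_sftp_hardening(text: str) -> List[str]:
    """Return findings against the baseline; an empty list means the config passes."""
    s = parse_sshd_config(text)
    findings = [f"{k} should be {v}, found {s.get(k, '(default)')}"
                for k, v in REQUIRED.items() if s.get(k) != v]
    if "internal-sftp" not in s.get("subsystem", ""):
        findings.append("Subsystem sftp should use internal-sftp")
    if "match" not in s or "chrootdirectory" not in s:
        findings.append("no Match block with ChrootDirectory: users see the whole filesystem")
    if not s.get("forcecommand", "").startswith("internal-sftp"):
        findings.append("ForceCommand internal-sftp missing: users may obtain a shell")
    if "ciphers" not in s or WEAK_CIPHER_RE.search(s["ciphers"]):
        findings.append("Ciphers not pinned to AEAD/CTR suites (legacy CBC/3DES allowed)")
    return findings
```

The parser merges Match-block directives into one namespace, which is sufficient for a single SFTP-only group but would need per-block handling for hosts with several Match sections.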
A third-party PCI compliant MFT vendor can provide secure storage and sharing that meets PCI compliance requirements while supporting the following:
- Secure file sharing: This includes AES-128 or AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit.
- Audit logging: A proper audit log will provide unbroken evidence of any security event for diagnostic or prevention purposes. Likewise, this gives you additional tools to prove that you are meeting requirements during an assessment.
- Firewall protection: PCI DSS requires a firewall to protect access to servers, and your MFT platform should as well, including special protections for sharing across the firewall barrier and protecting cardholder data.
- Secure methods of file sharing with external users: Email is not secure, and sharing information via unencrypted email breaks compliance. Secure MFT can provide real security through secure links that support easy email and file sharing using encrypted servers.
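Added example, not from the article or any vendor, of how an audit log can give the "unbroken evidence" described above. Each entry carries an HMAC over its own fields, its position, and the previous entry's MAC, so verification pinpoints the first entry that was altered, removed or reordered. The key and the sample events are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed key for this example; in production it lives in an HSM/KMS, not in code.
LOG_KEY = b"example-audit-log-key"
GENESIS = "0" * 64

def _mac(body: Dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the entry (minus its own mac)."""
    return hmac.new(LOG_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def append_event(chain: List[Dict], event: Dict) -> Dict:
    """Append an entry whose MAC also covers its sequence number and the previous MAC,
    so altering, removing or reordering any entry breaks every later link."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = dict(event, seq=len(chain), prev=prev)
    entry = dict(body, mac=_mac(body))
    chain.append(entry)
    return entry

def verify_chain(chain: List[Dict]) -> int:
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "mac"}
        ok = (body.get("seq") == i and body.get("prev") == prev
              and hmac.compare_digest(_mac(body), entry.get("mac", "")))
        if not ok:
            return i
        prev = entry["mac"]
    return -1

def build_sample_chain() -> List[Dict]:
    """Constructed events from a file-transfer platform handling cardholder data."""
    chain: List[Dict] = []
    for ev in [
        {"ts": "2024-05-01T09:00:00Z", "user": "alice", "action": "login", "src": "10.0.0.5"},
        {"ts": "2024-05-01T09:01:10Z", "user": "alice", "action": "download", "file": "chd_export.csv"},
        {"ts": "2024-05-01T09:02:30Z", "user": "alice", "action": "share", "file": "chd_export.csv"},
    ]:
        append_event(chain, ev)
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    chain[1]["file"] = "something_else.csv"  # tamper with one entry
    print("first broken entry:", verify_chain(chain))  # prints 1
```

Forwarding each entry's MAC to a separate SIEM (as the article recommends for audit logs) means a verifier can also detect truncation of the tail, which a chain alone cannot prove.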
Kiteworks Helps Organizations Achieve PCI Compliance with PCI Compliant File Sharing
The Kiteworks Private Content Network consolidates third-party communication channels, including email, file sharing, MFT, and SFTP so organizations control, protect, and monitor all file activity involving cardholder data and other sensitive information.
With Kiteworks, you can align your business and compliance strategies under one umbrella with the following features:
- Hardened Virtual Appliance: Kiteworks functions as a hardened virtual appliance, protected by layers of defenses, such as embedded and tuned network and web application firewalls, zero trust communications between internal services, architectural features to prevent data from being held in your DMZ, tight default security and compliance policy controls, and others. Our systems are protected by secure firewalls with proxy tiers of interaction so that no sensitive information goes in or out.
- Audit logs: The Kiteworks platform uses immutable audit logs so that you can demonstrate compliance and effectively manage security events whenever they occur. Track, monitor and visualize data usage on your system with our dedicated CISO Dashboard that empowers your compliance and business operations with a bird’s eye view of your information landscape. We also provide export capabilities to your existing SIEM solution, including Splunk, IBM QRadar, LogRhythm and ArcSight.
- Access Controls: Kiteworks empowers system administrators to apply and enforce granular access controls to ensure only authorized users (internal and external) have access to sensitive content. Administrators can set role-based permissions like edit, download, and view only, as well as set file and folder expiration dates to ensure sensitive content remains protected and accessible for only as long as it’s needed.
To learn more about Kiteworks and how it helps global businesses achieve PCI Compliant file sharing, schedule a custom demo today.