PCI Compliant File Sharing – Requirements & Compliance
Looking for a PCI compliant file sharing solution? The risks of non-compliance are substantial, including losing the ability to accept credit card payments.
Is SFTP PCI compliant? SFTP can be PCI compliant if its security and encryption settings meet the required levels; if the encryption standards aren’t met, your SFTP deployment will not be PCI compliant.
What Does it Mean to Be PCI DSS Compliant?
PCI DSS (the Payment Card Industry Data Security Standard) is a framework meant to support anyone accepting payments via credit or debit cards. It is enforced by a consortium of credit card companies such as Visa, Mastercard and American Express; PCI DSS isn’t nationally mandated, but it is an integral part of processing any card payment.
PCI DSS includes 12 requirements covering security, which are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder information by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder information
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Merchants, retailers and sales outfits are usually the most concerned about PCI. Other companies that accept payments but aren’t merchants often employ third-party payment processors who are themselves PCI DSS compliant. Banks that issue credit cards often outsource transaction processing and require the highest levels of PCI compliance from the outsourcer.
How does this affect sharing data? Because PCI DSS protects customer data through security and risk management, it applies to any system that stores that data for payment processing. That includes sharing data as part of a financial transaction and retaining payment data to process recurring subscription services.
How Does PCI DSS Affect Relationships Between Your Business and Vendors?
PCI DSS is a requirement for working with major credit card companies when handling sensitive credit card data. In this case, sensitive data is credit card numbers, CVV numbers, expiration dates, information from an EMV chip or magnetic stripe and any personal data about the cardholder. While this isn’t enforced by national, state or provincial governments, credit card providers are adamant about compliance. Without compliance, you and any company handling data are subject to penalties levied by those providers. These penalties can include:
- Financial penalties up to and including $100,000 per month until compliance is achieved.
- Damage to your merchant account due to non-compliance, which can make it costly, if not impossible, to process card payments.
- The negative impact on your merchant account from fraud or chargeback activity that isn’t caught by compliant technology standards.
These risks and penalties are outside of any legal obligations you might have to customers or the government in the event of a data breach.
These problems are still present if you are using a third-party payment processor, as they must also maintain compliance. That means any technology they use must be compliant, and any sharing of data between you and them (file transfers, file storage or file sharing) must also adhere to PCI regulations.
Can a Third-Party Vendor Help with Compliance?
The short answer is yes. If you use a payment processing vendor, it can minimize your compliance load. If they are PCI DSS compliant and handle all data storage, it makes your business easier to run. Additionally, these vendors can also provide compliant services to expand your own, including secure storage for repeat payment processing or subscriptions.
However, if you are also handling customer data in conjunction with a third-party payment vendor, then you must have compliant technology on your end as well. If you exchange sensitive information with them in any way, such as file transfers, both parties often use SFTP (the SSH File Transfer Protocol, commonly called Secure FTP) to do so.
SFTP isn’t enough, however. First, any SFTP server must be hardened to deter breaches, provide rigorous data access controls, and be configured to handle encrypted data per PCI requirements. Second, SFTP doesn’t include any support for the business and auditing requirements included in the PCI DSS framework. That’s why a managed file transfer (MFT) solution can help.
A third-party PCI compliant MFT vendor can provide secure storage and sharing that meets PCI while supporting the following:
- Secure file sharing: This includes AES-128 or AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit.
- Audit logging: A proper audit log will provide unbroken evidence of any security event for diagnostic or prevention purposes. Likewise, this gives you additional tools to prove that you are meeting requirements during an assessment.
- Firewall protection: PCI DSS requires a firewall to protect access to servers, and your MFT platform should as well, including special protections for sharing across the firewall barrier and protecting cardholder data.
- Secure methods of file sharing with external users: Email is not secure and sharing information via unencrypted email breaks compliance. Secure MFT can provide real security through secure links to support easy email and file sharing using encrypted servers.
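The hardening points above (an SFTP server with strict access controls, strong encryption and an audit trail) can be checked mechanically. The script below is an added example, not Kiteworks code: it audits an OpenSSH sshd_config against those points. The two configs are constructed samples, and the thresholds (explicit cipher list, VERBOSE logging, chrooted internal-sftp) are the editor’s assumptions about what an assessor would expect.

```python
"""Audit an OpenSSH sshd_config for the SFTP hardening points PCI assessors look for."""
import re

# Constructed sample: a near-default config that should fail the audit.
WEAK_CONFIG = """
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication yes
PermitRootLogin yes
LogLevel INFO
"""

# Constructed sample: SFTP-only, chrooted, key-based auth, verbose logging, modern ciphers.
HARDENED_CONFIG = """
Subsystem sftp internal-sftp -l VERBOSE
PasswordAuthentication no
PermitRootLogin no
LogLevel VERBOSE
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -l VERBOSE
    AllowTcpForwarding no
    X11Forwarding no
"""

# Legacy cipher names that should never appear in a PCI-facing server's Ciphers line.
WEAK_CIPHERS = re.compile(r"(^|,)(3des|arcfour|blowfish|cast128|aes\d+-cbc)", re.I)

def parse_directives(text):
    """Return {keyword_lower: value} for every directive line (last occurrence wins)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives[key.lower()] = value.strip()
    return directives

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    if d.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no': key-based auth, no guessable passwords")
    if d.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin should be 'no' explicitly: each person uses a unique, non-root ID")
    if "internal-sftp" not in d.get("subsystem", ""):
        findings.append("Subsystem sftp should use internal-sftp so accounts can be chrooted")
    if "chrootdirectory" not in d or "internal-sftp" not in d.get("forcecommand", ""):
        findings.append("Match block should set ChrootDirectory and ForceCommand internal-sftp (need-to-know access)")
    if d.get("loglevel", "INFO").upper() not in ("VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"):
        findings.append("LogLevel should be VERBOSE so authenticating keys and sessions land in the audit trail")
    ciphers = d.get("ciphers", "")
    if not ciphers or WEAK_CIPHERS.search(ciphers):
        findings.append("Ciphers should be listed explicitly and contain only AES-GCM/CTR (no CBC, 3DES or arcfour)")
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real server to get the same findings list; sshd's own LogLevel covers logins, while `internal-sftp -l VERBOSE` is what records individual file operations to syslog.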
The Kiteworks Difference
The Kiteworks platform is an MFT and SFTP solution that meets the needs of any organization handling cardholder data. We understand that not all businesses deal with payments in the same way, so using our platform provides you with the peace of mind you need to focus on business operations rather than the minutiae of compliance.
With the Kiteworks platform, you can align your business and compliance strategies under one umbrella with the following features:
- Security: We include secure SFTP that meets PCI DSS requirements for file transfers and storage. The virtual appliances are hardened with layers of defenses, such as embedded and tuned network and web application firewalls, zero trust communications between internal services, architectural features that prevent data from being held in your DMZ, tight default security and compliance policy controls, and others. Our systems are protected by secure firewalls with proxy tiers of interaction so that no sensitive information goes in or out.
- Data and audit logging: The Kiteworks platform uses immutable audit trails so that you can demonstrate compliance and effectively manage security events whenever they occur. Track, monitor and visualize data usage on your system with our dedicated CISO Dashboard that empowers your compliance and business operations with a bird’s eye view of your information landscape. We also provide export capabilities to your existing SIEM solution, including Splunk, IBM QRadar, LogRhythm and ArcSight.
- File sharing compliance: We provide secure email links to our encrypted servers so that you can share sensitive data with the right people using traditional email.
More importantly, the Kiteworks platform is secured for you so that it is PCI compliant. We require clients to set unique passwords at the start of onboarding, and we implement strong data access and authentication controls. Kiteworks also uses an OWASP secure development lifecycle with automated security testing, white box and black box testing, regular penetration testing and a continuous bounty program for unearthing vulnerabilities. Finally, we make configuring and using your system easy, without compromising compliance or security.
To learn more about PCI compliant file sharing, schedule a custom demo of Kiteworks today.