Accepting credit card payments is standard practice in most businesses. In order to protect cardholder data, any business that accepts, processes, transfers or stores credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). Often referred to simply as “PCI,” this standard was developed by a consortium of credit card issuers to combat the continually growing threat of credit card data being compromised.
Organizations that are noncompliant with PCI DSS risk fines from credit card vendors if they’re shown to be negligent. Perhaps a more lasting consequence is the loss of consumer trust and negative PR for any company that experiences a data breach. PCI covers all forms of credit data storage, including paper copies of credit card information, but the real danger of mass exploitation is in digital storage and transfer.
The PCI DSS documentation is thorough and can be intimidating, with explicit details buried in sections and subsections of requirements. However, at a high level, PCI is simply about awareness and education. PCI requires you to have a broad and deep understanding of your enterprise’s server network, especially concerning how cardholder data travels throughout your system. A PCI-compliant system complements your enterprise’s data security.
Requirements of PCI DSS:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
As an IT professional, there are specific requirements that need to be addressed when implementing a server solution that will store, process or transfer credit card data. You should not only look at specific requirements for meeting PCI, but also at how each is implemented. Server software requirements should include:
- Integration with current network security If you use active directory for authentication, additional servers added to your environment should do the same. Maintaining different authentication databases can increase the risk of errors. For example, deleting a user in one location and not another.
- PGP encryption Many server solutions use PGP to encrypt stored data, but an important consideration is when this data gets encrypted. If data is transferred and written in an unencrypted format, and then encrypted in a second step, you are in violation of PCI, even though you are encrypting stored data. To comply with PCI DSS, your data can’t be “in the clear” at any point in its transfer. A PCI-compliant solution requires streaming PGP encryption, in which inbound data is encrypted and written to the disk in one step, never having an unencrypted version temporarily written to the disk.
- Granular permissions controls For both ease of administration and higher levels of security, permissions should be assigned at user and group levels. There should also be granularity into file operations allowed, rather than just ‘read’ and ‘write’ permissions.
- Events and automation Monitoring and responding to potential threats should be completely automated. Administrators should be able to set specific thresholds regarding Denial of Service (DoS) attacks, malformed commands and brute-force hacking attempts, and then have users or IP addresses automatically kicked off of the server and/or banned. Any server that stores credit card data should have configurable events and associated actions.
- Logging and reporting Detailed logging and reporting gives you visibility into how your data is being accessed. This is of significant importance for audits, but can also provide visibility at a variety of levels, including normal/abnormal usage patterns and trends that can assist in future resource planning.
It’s important to consider that PCI DSS is a growing standards system. It changes periodically to keep up with the constant elevation of cyber threats to credit card data. The most recent version of PCI is 3.1. Selecting a vendor who rapidly adopts that latest version of security standards helps to assure that your vendor is committed to security and compliance. For the sake of meeting your compliance mandate, it’s important to also assure that you apply product updates as soon as possible so that the most current versions of the standards are running in your organization.
PCI compliance is an ongoing commitment. For secure file transfer applications, start with a secure, enterprise class MFT server.