Complying with stringent industry requirements, such as those of PCI DSS, is not optional. It does not, however, have to be unreasonably difficult or an unwieldy task. Technology solutions, such as secure file transfer, can help shoulder some of the more tedious, repetitive, or security-centric burdens and help organizations avoid substantial industry sanctions, financial penalties, and loss of reputation.
Why is PCI DSS Compliance Difficult?
The Payment Card Industry Data Security Standard (PCI DSS) is the standard developed by the Payment Card Industry Security Standards Council (PCI SSC) to help prevent data breaches of sensitive financial information and to help reduce fraud at organizations that handle any payment card details.
While not technically a law, PCI DSS compliance is often added to contracts between businesses that store or process payment card transaction information. Ensuring PCI compliance can be tricky for some organizations as the requirements are complex, with 12 requirements with around 200 sub-requirements to follow.
The requirements address topics such as network security, encryption, access control, vulnerability management, and other security-related areas. Organizations lacking a cybersecurity team can struggle to meet and adhere to these standards.
“Cybersecurity is a constantly moving target for organizations to address,” said Chris Bailey, Senior Product Manager, SFT, Fortra. “Those without dedicated personnel to address continual threats to their customers’ financial information are at risk of breaching PCI DSS requirements, and of negative impacts to their bottom line and reputation. Installing a robust, enterprise-level software solution that surrounds those financial information files while they are in motion in and out of the network, as well as at rest, can go a long way toward defending against unwanted access to highly sensitive information.”
10 Ways Managed File Transfer Can Ease PCI Compliance
Meeting all of those 12 requirements and sub-requirements is easier when organizations put the security and automation power of a secure file transfer solution to work. GoAnywhere MFT provides secure file transfer protocols, encryption, and access control to your cardholder data. Specifically, GoAnywhere can help meet the following requirements:
- To install and maintain a firewall configuration to protect cardholder data: GoAnywhere allows IP addresses and ports to be customized, which provides firewall flexibility and lets administrators document why each connection is used. Combined with GoAnywhere Gateway, users can simplify the full separation of internal data, DMZ, and public networks.
- To not use vendor-supplied defaults for system passwords and other security parameters: The GoAnywhere Security Settings Audit report provides a detailed list of all GoAnywhere security defaults, enabled services, and configured security features. Using HTTPS helps ensure that all administrative access is encrypted.
- To protect stored cardholder data: Sensitive files are protected at rest using strong encryption methods like AES and OpenPGP. The solution also provides cryptographic key management. To ease strain on IT resources, data retention can also be automated.
- To encrypt the transmission of cardholder data across open public networks: GoAnywhere protects transmissions over public and private networks using secure protocols including SFTP, FTPS, AS2, AS3, AS4, and HTTPS.
- To use and regularly update anti-virus software or programs: GoAnywhere can run on systems with third-party anti-virus solutions. It also supports ICAP integration for external scanning and data loss prevention. This integration between GoAnywhere MFT and the Clearswift Secure ICAP Gateway makes it possible to detect and strip out active content such as embedded malware, triggered executables, and scripts, sanitizing file transfers while allowing non-threatening content to continue seamlessly.
- To develop and maintain secure systems and applications: GoAnywhere supports change control by working in conjunction with test, QA, or development systems. This allows for easy promotion of projects from test to production while maintaining separation of duties. Project revisions are recorded for easy rollback of changes.
- To restrict access to cardholder data by business need-to-know: Organizations can enact role-based security so that each user only has access to the information they need.
- To assign a unique ID to each person with computer access: GoAnywhere has full individual account management features. It can also integrate with LDAP and external RSA 2-factor authentication to satisfy all account requirements in PCI DSS.
- To restrict physical access to cardholder data: GoAnywhere’s multi-platform and virtual environment flexibility allow organizations to run software and store data in a secure location.
- To track and monitor all access to network resources and cardholder data: With detailed audit logs, GoAnywhere makes it easy to monitor all activity on the system. Integration with external logging solutions is also built into the solution.
Get Ready for PCI 4.0
The current version of PCI DSS is set to be retired March 31, 2024, when PCI DSS 4.0 becomes mandatory. Therefore, organizations should be well on their way to meeting the new requirements before then.
According to the PCI Council, here are a few key changes to expect:
- Firewall terminology will be updated to reference network security controls. This change supports a broader range of technology designed to meet security objectives traditionally met by firewalls.
- Requirement 8 will be expanded to implement multi-factor authentication (MFA) for all access to the cardholder data environment.
- More flexibility in how organizations demonstrate the different methods they use to achieve security objectives.
- Targeted risk analyses will be added to allow organizations flexibility in how they define how frequently they perform certain activities, as best suited for their unique business needs and risks.
Is Your Organization Well Positioned for PCI Compliance?
Managed file transfer is a key, easy-to-use, and secure solution organizations can employ to comply with PCI DSS. To learn more about how GoAnywhere MFT can help your organization meet its obligations to cardholders and financial customers, schedule a demonstration.