How MFT Supports PCI CP Compliance Through Secure File Transfers

These guidelines can have a substantial impact. Consider if an attacker wanted to steal credit card details at the source, they could infiltrate at any point in the card production and provisioning supply chain, rather than steal individual wallets or online payment codes one-by-one. Therefore, all supply chain members responsible for some part of the card production and provisioning process, as outlined above, are responsible for complying with PCI CP standards to prevent unauthorized physical or digital access to the cards. 

When a customer walks into a bank and signs up for a new account, or simply needs to replace a card, the card production and provisioning process is activated. Banks will send the customer’s credit card data to the card manufacturer, which is legally bound to follow the security mandates of PCI CP requiring segmented network environments to be in place.  

The different networks involved in the card production and provisioning process include: 

1. External Network(s) (for financial institutions): These are the networks that house customers’ sensitive financial information, sending it out to be provisioned in payment cards. 

2. DMZ (Demilitarized Zone) (for all card production/provisioning activities): All card production/provisioning activities must go through a dedicated DMZ on the vendor’s network. 

3. High Security Production Network (for printing, chip encoding, PIN generation, etc.): These include the secure management network (administration), production network (card manufacturing), and Cardholder Data Environment (CDE) network (where sensitive cardholder and authentication data are processed). 

A detailed depiction can be found below:  

The customer’s sensitive personal and financial data must be securely transferred between these isolated networks and yet must be delivered smoothly and in a timely fashion to avoid any delays in workflow.  

How GoAnywhere Helps Companies Achieve PCI CP Compliance 

Under PCI CP, vendors are required to securely transfer data via defined and documented processes. To assist in the secure exchange of files and data between various card production networks, GoAnywhere MFT provides: 

• End-to-end encryption to protect cardholder data when transferred to an external source or on the cloud-based provisioning network 

• Controlled data movement between card production networks (firewalls, DMZ, internal secure zones) with supports of network segmentation by enforcing IP allowlisting, firewall restrictions, and secure transmission channels 

• Access control of cardholder data by implementing role-based access control (RBAC) and multi-factor authentication (MFA) to restrict file access 

• Retention and deletion of cardholder data to automate secure deletion policies for stored files 

Additionally, there are two main deployment models to comply with network security requirements that enable GoAnywhere to work best within your particular workflow: 

1. Agent-based model: Deploy GoAnywhere MFT in the DMZ and GoAnywhere Agents on the other networks manage file transfers between secured environments from a console with end-to-end visibility of the file transfer flows. 

2. Full MFT-based model: Deploy GoAnywhere MFT in each network for direct, secure file processing to securely handle external file transfers while preventing direct access to internal networks.