What is PCI compliance?
PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements intended to ensure that every company that processes, stores, or transmits credit card information maintains a secure environment. The standard has 12 requirements, grouped under six goals:
| Goals | PCI DSS Requirements |
| --- | --- |
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update antivirus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know |
| | 8. Identify and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
Requirements referenced from the PCI Security Standards Council's PCI DSS Quick Reference Guide.
Hosted~FTP~ compliance with Amazon Web Services
All of the Hosted~FTP~ infrastructure, including the Amazon Web Services (AWS) file transfer SaaS infrastructure and the credit card payment processing infrastructure, is fully PCI compliant. Hosted~FTP~ shares responsibility for determining the nature of the data, and processes and stores customer data securely without affecting compliance in the customer's data environment.
Hosted~FTP~ encrypts all data (including metadata) in transit, upon arrival, and at rest with 256-bit AES encryption; only the intended parties can access specific data, based on the permissions set by the data's owner. Because it runs entirely on AWS, Hosted~FTP~'s infrastructure falls within Amazon's list of PCI compliant services and programs. See the full list here. In addition, Hosted~FTP~ is fully HIPAA compliant and is audited annually, and is completing its SOC2 T2 compliance audit for the trust principle of Security.
The rest of our security model and compliance information is described here. The ciphers enabled for PCI compliance on the single-tenant service are listed below.
PCI compliant ciphers
| SFTP Cipher | Implementation |
| --- | --- |
| aes128-ctr | Enabled |
| aes256-ctr | Enabled |

| SFTP Key Exchange | Implementation |
| --- | --- |
| ecdh-sha2-nistp256 | Enabled |
| ecdh-sha2-nistp384 | Enabled |
| ecdh-sha2-nistp521 | Enabled |
| diffie-hellman-group-exchange-sha256 | Enabled |

| SFTP MAC Algorithm | Implementation |
| --- | --- |
| hmac-sha2-256 | Enabled |
| hmac-sha2-512 | Enabled |

| SFTP Host Key | Implementation |
| --- | --- |
| RSA 2048 bit | Enabled |

| FTPeS | Implementation |
| --- | --- |
| TLSv1.2 | Enabled |

| HTTPS | Implementation |
| --- | --- |
| TLSv1.2 | Enabled |
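A customer auditing an SFTP endpoint will want to confirm that the server really advertises only the algorithms in the tables above. The following Python script is an added example, not Hosted~FTP~ code: it decodes an SSH_MSG_KEXINIT payload (the message in which an SSH server lists its key exchange, host key, cipher and MAC algorithms) and reports anything outside the allowlist taken from the tables. The host-key identifiers are an assumption, since the page only says "RSA 2048 bit", and the sample payload is constructed for the demonstration.

```python
import struct

# Allowlist from the page's "PCI compliant ciphers" tables. The host-key names are an
# assumption: the page says "RSA 2048 bit", which SSH advertises under these identifiers.
ALLOWED = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group-exchange-sha256"},
    "hostkey": {"rsa-sha2-256", "rsa-sha2-512", "ssh-rsa"},
    "cipher": {"aes128-ctr", "aes256-ctr"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},
}
# Name-lists in SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1), mapped to the
# allowlist entry they are checked against (None = not a PCI-relevant list).
FIELDS = [("kex", "kex"), ("hostkey", "hostkey"), ("cipher_c2s", "cipher"),
          ("cipher_s2c", "cipher"), ("mac_c2s", "mac"), ("mac_s2c", "mac"),
          ("comp_c2s", None), ("comp_s2c", None), ("lang_c2s", None), ("lang_s2c", None)]

def build_kexinit(lists):
    """Encode a KEXINIT payload from {field: [names]} (used only to construct test data)."""
    payload = bytes([20]) + b"\x00" * 16  # message id 20 + 16-byte cookie (zeros here)
    for field, _ in FIELDS:
        names = ",".join(lists.get(field, [])).encode()
        payload += struct.pack(">I", len(names)) + names
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode an SSH_MSG_KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for field, _ in FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += 4 + length
    return lists

def check_against_allowlist(lists):
    """Return {field: [advertised names outside the allowlist]}; an empty dict means compliant."""
    findings = {}
    for field, key in FIELDS:
        extra = [n for n in lists.get(field, []) if key and n not in ALLOWED[key]]
        if extra:
            findings[field] = extra
    return findings

# Constructed sample: a server that still advertises a SHA-1 KEX, a CBC cipher and an HMAC-SHA1 MAC.
SAMPLE = build_kexinit({
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"], "hostkey": ["rsa-sha2-256"],
    "cipher_c2s": ["aes256-ctr", "aes128-cbc"], "cipher_s2c": ["aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"], "mac_s2c": ["hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"]})
```

Running `check_against_allowlist(parse_kexinit(SAMPLE))` on the constructed payload flags the SHA-1 key exchange, the CBC cipher and the SHA-1 MAC; a real server's KEXINIT can be captured from a packet trace and fed in the same way.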