
SFTP PCI DSS protocols and Ciphers

What is PCI compliance?

PCI compliance, also known as The Payment Card Industry Data Security Standard (PCI DSS), is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. There are 12 requirements to meet this security standard:

Goals and their PCI DSS Requirements

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

Requirements referenced from PCI Security Standards Council – PCI DSS Quick Reference Guide

Hosted~FTP~ compliance with Amazon Web Services

All of the Hosted~FTP~ infrastructure including our Amazon Web Services (AWS) file transfer SaaS infrastructure and credit card payment processing infrastructure is fully PCI compliant. Hosted~FTP~ shares the responsibility to determine the nature of the data and securely processes and stores customer data without impacting compliance in the customer’s data environment.

Hosted~FTP~ encrypts all data (including metadata) in transit, upon arrival, and at rest with 256-bit AES encryption, so that only the intended parties can access specific data, based on the permissions set by the owner of that data. Because Hosted~FTP~ runs 100% on AWS, its infrastructure falls within Amazon's list of PCI compliant services and programs. See the full list here. In addition to this compliance, Hosted~FTP~ is also fully HIPAA compliant and is audited annually. Hosted~FTP~ is completing its SOC2 Type 2 compliance audit for the Security trust principle.

View the rest of our security model and compliance here. The tables below list the ciphers and protocol versions Hosted~FTP~ enables for PCI compliance on the single-tenant service.

PCI compliant ciphers

SFTP Cipher                              Default implementation
aes128-ctr                               Enabled
aes256-ctr                               Enabled

SFTP Key Exchange                        Implementation
ecdh-sha2-nistp256                       Enabled
ecdh-sha2-nistp384                       Enabled
ecdh-sha2-nistp521                       Enabled
diffie-hellman-group-exchange-sha256     Enabled

SFTP MAC Algorithm                       Implementation
hmac-sha2-256                            Enabled
hmac-sha2-512                            Enabled

SFTP Host Key                            Implementation
RSA 2048 bit                             Enabled

FTPeS                                    Implementation
TLSv1.2                                  Enabled

HTTPS                                    Implementation
TLSv1.2                                  Enabled
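As an added example (not Hosted~FTP~'s own code or tooling), the Python below turns the tables above into an allowlist and checks a server's SSH_MSG_KEXINIT against it, so drift towards legacy algorithms shows up before an assessor finds it. The two KEXINIT payloads are constructed inline, and the RSA signature algorithm names are an assumption, since the page names only the key type; the 2048-bit length has to be verified on the host key itself because KEXINIT does not carry it.

```python
import struct
# Allowlist from the page's "PCI compliant ciphers" tables. Host-key signature names are
# an assumption (page says only "RSA 2048 bit"); key length is not visible in KEXINIT.
POLICY = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group-exchange-sha256"},
    "cipher": {"aes128-ctr", "aes256-ctr"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},
    "hostkey": {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"},
}
# The ten name-lists in the order RFC 4253 section 7.1 fixes for SSH_MSG_KEXINIT.
FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Encode a constructed KEXINIT payload (cookie zeroed; a real one is random)."""
    body = bytes([20]) + bytes(16)              # message id 20 + 16-byte cookie
    for name in FIELDS:
        s = ",".join(lists.get(name, [])).encode()
        body += struct.pack(">I", len(s)) + s   # name-list = uint32 length + csv
    return body + b"\x00" + bytes(4)            # first_kex_packet_follows, reserved

def parse_kexinit(data):
    """Decode the ten name-lists from a KEXINIT payload into {field: [names]}."""
    if data[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    off, out = 17, {}
    for name in FIELDS:
        (n,) = struct.unpack_from(">I", data, off)
        off += 4
        out[name] = [a for a in data[off:off + n].decode().split(",") if a]
        off += n
    return out

def check_policy(data):
    """Return {field: [algorithms advertised outside POLICY]}; empty means compliant."""
    lists = parse_kexinit(data)
    checks = {"kex": "kex", "hostkey": "hostkey", "cipher_c2s": "cipher",
              "cipher_s2c": "cipher", "mac_c2s": "mac", "mac_s2c": "mac"}
    bad = {f: [a for a in lists[f] if a not in POLICY[p]] for f, p in checks.items()}
    return {f: v for f, v in bad.items() if v}

# Constructed samples: one matching the page's allowlist, one drifted to legacy names.
COMPLIANT = build_kexinit({
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"],
    "hostkey": ["rsa-sha2-512"], "cipher_c2s": ["aes256-ctr"], "cipher_s2c": ["aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-512"], "comp_c2s": ["none"]})
DRIFTED = build_kexinit({
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"], "hostkey": ["rsa-sha2-512"],
    "cipher_c2s": ["aes256-ctr", "aes128-cbc"], "cipher_s2c": ["aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256", "hmac-sha1"]})
```

Feeding `check_policy` a captured KEXINIT from a test connection gives a per-direction list of anything the server still offers outside the published set.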