PCI compliance refers to the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements intended to ensure that every company that processes, stores, or transmits credit card information maintains a secure environment. The standard has 12 requirements, grouped under six goals:
| Goals | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update antivirus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know |
| | 8. Identify and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
Requirements referenced from PCI Security Standards Council – PCI DSS Quick Reference Guide
All of the Hosted~FTP~ infrastructure, including our Amazon Web Services (AWS) file transfer SaaS infrastructure and our credit card payment processing infrastructure, is fully PCI compliant. Hosted~FTP~ shares the responsibility for determining the nature of the data, and it processes and stores customer data securely without affecting compliance in the customer's own data environment.
Hosted~FTP~ encrypts all data (including metadata) in transit, upon arrival, and at rest with 256-bit AES encryption; only the intended parties can access specific data, according to the permissions set by the owner of that data. Because Hosted~FTP~ runs entirely on AWS, its infrastructure falls within Amazon's list of PCI compliant services and programs (see the full list here). In addition to PCI compliance, Hosted~FTP~ is fully HIPAA compliant and is audited annually, and is completing its SOC 2 Type 2 audit for the Security trust principle.
View the rest of our security model and compliance here. The tables below list the SFTP ciphers, key exchange, MAC and host key algorithms, and the FTPeS and HTTPS TLS versions that Hosted~FTP~ enables for PCI compliance on the single-tenant service.
| SFTP Cipher | Default implementation |
|---|---|
| aes128-ctr | Enabled |
| aes256-ctr | Enabled |

| SFTP Key Exchange | Implementation |
|---|---|
| ecdh-sha2-nistp256 | Enabled |
| ecdh-sha2-nistp384 | Enabled |
| ecdh-sha2-nistp521 | Enabled |
| diffie-hellman-group-exchange-sha256 | Enabled |

| SFTP MAC Algorithm | Implementation |
|---|---|
| hmac-sha2-256 | Enabled |
| hmac-sha2-512 | Enabled |

| SFTP Host Key | Implementation |
|---|---|
| RSA 2048 bit | Enabled |

| FTPeS | Implementation |
|---|---|
| TLSv1.2 | Enabled |

| HTTPS | Implementation |
|---|---|
| TLSv1.2 | Enabled |
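As an added verification check (not part of Hosted~FTP~'s page or product), the following Python reads an SSH server's KEXINIT message, the list of algorithms it offers before any key exchange, and reports anything outside the SFTP allowlist transcribed from the tables above, so an operator can confirm a single-tenant endpoint really offers only these algorithms. The RSA host-key identifiers and the constructed sample packet are assumptions of this example.

```python
import socket
import struct

# Allowlist transcribed from this page's SFTP tables (single-tenant service). Host-key names
# are an assumption: "RSA 2048 bit" is advertised under these identifiers; length is not checked.
ALLOWED = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group-exchange-sha256"},
    "hostkey": {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"},
    "cipher": {"aes128-ctr", "aes256-ctr"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},
}
FIELDS = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]  # name-list order, RFC 4253 s7.1

def parse_kexinit(payload: bytes) -> dict:
    """Split an SSH_MSG_KEXINIT payload into the name-lists the server advertised."""
    if not payload or payload[0] != 20:  # 20 = SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, {}  # skip the message id and the 16-byte cookie
    for name in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        lists[name] = [a for a in payload[pos + 4:pos + 4 + n].decode("ascii").split(",") if a]
        pos += 4 + n
    return lists

def outside_allowlist(lists: dict) -> dict:
    """Algorithms the server offers that this page's tables do not list (empty dict = clean)."""
    offered = {"kex": set(lists["kex"]), "hostkey": set(lists["hostkey"]),
               "cipher": set(lists["cipher_c2s"]) | set(lists["cipher_s2c"]),
               "mac": set(lists["mac_c2s"]) | set(lists["mac_s2c"])}
    return {k: sorted(offered[k] - ALLOWED[k]) for k in ALLOWED if offered[k] - ALLOWED[k]}

def fetch_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read the banner, then the first server packet (KEXINIT), sent in the clear before key exchange."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-allowlist_check\r\n")
        f = sock.makefile("rb")
        while (line := f.readline()) and not line.startswith(b"SSH-"): pass  # skip pre-banner lines
        if not line: raise ConnectionError("no SSH version string received")
        (plen,), padlen = struct.unpack(">I", f.read(4)), f.read(1)[0]
        return f.read(plen - padlen - 1)  # packet minus the padding_length byte and padding

def name_list(*algs: str) -> bytes:  # SSH name-list: uint32 length + comma-separated names
    return struct.pack(">I", len(",".join(algs))) + ",".join(algs).encode("ascii")

# Constructed sample KEXINIT: a server that also offers a SHA-1 KEX, a CBC cipher and a SHA-1 MAC.
SAMPLE = (bytes([20]) + bytes(16) + name_list("ecdh-sha2-nistp256", "diffie-hellman-group14-sha1")
          + name_list("rsa-sha2-256") + name_list("aes128-ctr", "aes128-cbc") * 2
          + name_list("hmac-sha2-256", "hmac-sha1") * 2 + name_list("none") * 2 + name_list() * 2
          + b"\x00" + bytes(4))  # first_kex_packet_follows = false, reserved = 0
```

Feeding the bytes from `fetch_kexinit` for an endpoint you operate through `parse_kexinit` and `outside_allowlist` gives an empty dict only when every offered algorithm is one the tables list.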