PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements intended to ensure that every company that processes, stores, or transmits credit card data maintains a secure environment. The standard groups its 12 requirements under six goals:
| Goals | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update antivirus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know |
| | 8. Identify and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
Requirements referenced from PCI Security Standards Council – PCI DSS Quick Reference Guide
All of the Hosted~FTP~ infrastructure, including our Amazon Web Services (AWS) file transfer SaaS infrastructure and our credit card payment processing infrastructure, is fully PCI compliant. Responsibility is shared: the customer determines the nature of the data it transfers, and Hosted~FTP~ processes and stores that data securely without affecting compliance in the customer's own cardholder data environment.
Hosted~FTP~ encrypts all data, including metadata, in transit, on arrival, and at rest with 256-bit AES; only the intended parties can access a given item, based on the permissions set by the owner of the data. Because the service runs entirely on AWS, its infrastructure is built on services in Amazon's list of PCI compliant services and programs. See the full list here. In addition to PCI compliance, Hosted~FTP~ is fully HIPAA compliant and is audited annually, and is completing its SOC 2 Type 2 audit for the Security trust principle.
View the rest of our security model and compliance Here. The tables below list the SFTP algorithms Hosted~FTP~ enables for PCI compliance on the single-tenant service.
| SFTP Cipher | Default implementation |
|---|---|

| SFTP Key Exchange | Implementation |
|---|---|

| SFTP MAC Algorithm | Implementation |
|---|---|

| SFTP Host Key | Implementation |
|---|---|
| RSA 2048 bit | Enabled |
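A customer who needs evidence for their own PCI DSS assessment should not take an algorithm table on trust; the algorithms an SFTP server actually offers are visible in clear text in the SSH_MSG_KEXINIT it sends before key exchange (RFC 4253 section 7.1). The script below is an added example, not Hosted~FTP~'s code: it parses a KEXINIT payload, optionally fetches one from a live host, and flags algorithms against an illustrative weak-algorithm policy. The sample server lists, the policy patterns, and the `kexaudit` client banner are constructed assumptions for the example, not the PCI DSS text or any statement about Hosted~FTP~'s configuration.

```python
"""Parse an SSH_MSG_KEXINIT and audit the algorithms a server advertises.

Added example (not Hosted~FTP~'s code). The weak-algorithm policy below is an
illustrative assumption loosely following common SSH audit practice.
"""
import re
import socket
import struct

SSH_MSG_KEXINIT = 20
# Order of the name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1).
NAME_LISTS = (
    "kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c", "lang_c2s", "lang_s2c",
)

# Illustrative policy (assumption): SHA-1 key exchange, SHA-1/DSA host key
# signatures, legacy/CBC ciphers, and MD5/SHA-1/64-bit-tag MACs are flagged.
# Note: "ssh-rsa" names the SHA-1 *signature* scheme; an RSA 2048-bit key is
# fine when used through "rsa-sha2-256" / "rsa-sha2-512".
WEAK_PATTERNS = {
    "kex": re.compile(r"^diffie-hellman-group(1|14|-exchange)-sha1$"),
    "host_key": re.compile(r"^(ssh-dss|ssh-rsa)$"),
    "cipher": re.compile(r"^(3des|arcfour|blowfish|cast128|.*-cbc)"),
    "mac": re.compile(r"^(hmac-md5|hmac-sha1|umac-64)"),
}

# Constructed sample of what a server might advertise; not a real capture.
SAMPLE_SERVER = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256",
            "diffie-hellman-group14-sha1"],
    "host_key": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-ed25519"],
    "cipher_c2s": ["aes256-gcm@openssh.com", "aes256-ctr", "aes128-cbc"],
    "cipher_s2c": ["aes256-gcm@openssh.com", "aes256-ctr", "aes128-cbc"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"],
    "compression_c2s": ["none"],
    "compression_s2c": ["none"],
}


def _name_list(buf, pos):
    """Decode one SSH name-list (uint32 length + comma-separated ASCII)."""
    (n,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    raw = buf[pos:pos + n].decode("ascii")
    return [s for s in raw.split(",") if s], pos + n


def parse_kexinit(payload):
    """Return a dict of the ten name-lists in a KEXINIT payload."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # message byte plus the 16-byte cookie
    lists = {}
    for field in NAME_LISTS:
        lists[field], pos = _name_list(payload, pos)
    return lists


def build_kexinit(lists):
    """Encode name-lists as a KEXINIT payload (used here to build test input)."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for field in NAME_LISTS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def audit(lists):
    """Return (field, algorithm) pairs that match the weak-algorithm policy."""
    checks = (("kex", "kex"), ("host_key", "host_key"),
              ("cipher_c2s", "cipher"), ("cipher_s2c", "cipher"),
              ("mac_c2s", "mac"), ("mac_s2c", "mac"))
    return [(field, name) for field, cat in checks
            for name in lists[field] if WEAK_PATTERNS[cat].match(name)]


def audit_sample():
    """Round-trip the constructed sample through the encoder and audit it."""
    return audit(parse_kexinit(build_kexinit(SAMPLE_SERVER)))


def fetch_kexinit(host, port=22, timeout=5.0):
    """Connect to a live server and return its raw KEXINIT payload.

    Before keys are established packets are unencrypted and carry no MAC:
    uint32 packet_length, byte padding_length, payload, padding.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb")
        f.write(b"SSH-2.0-kexaudit\r\n")
        f.flush()
        while True:  # skip any pre-banner lines the server may send
            line = f.readline()
            if not line:
                raise ConnectionError("no SSH banner received")
            if line.startswith(b"SSH-"):
                break
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        payload = f.read(packet_len - pad_len - 1)
        f.read(pad_len)
        return payload


if __name__ == "__main__":
    for field, name in audit_sample():
        print(f"weak {field}: {name}")
```

To check a real endpoint, call `audit(parse_kexinit(fetch_kexinit("sftp.example.test")))`; the advertised lists are what an assessor can compare against the tables above. Note that the server's list shows what it will accept, not what a given client negotiates, so a client that also offers only strong algorithms is still required on the customer's side.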