Protect cardholder data: PCI DSS compliance guide

In the highly regulated financial services industry, it's crucial to maintain compliance with information security standards. Doing so establishes trustworthiness, mitigates data security risks and prevents costly fines and penalties stemming from non-compliance. One of the most important standards in this sector is the Payment Card Industry Data Security Standard (PCI DSS), which lays out an extensive framework of requirements to safeguard the storage, processing and transmission of payment card data.
Because file transfer workflows typically involve numerous interconnected systems, protocols and processes, financial institutions often need to integrate their file transfer software with multiple cybersecurity tools to meet PCI DSS compliance requirements. This often results in an overly complex, costly and inefficient solution.
JSCAPE by Redwood simplifies this challenge by consolidating the capabilities needed for several PCI DSS requirements into a single platform, JSCAPE Managed File Transfer (MFT). Before we go into the details, let's review what PCI DSS compliance means.
Overview of PCI DSS compliance
PCI DSS is a global framework designed to protect debit and credit card data. Established by the Payment Card Industry Security Standards Council (PCI SSC), which includes major card brands such as Visa, Mastercard, American Express, Discover and JCB, it sets security requirements for issuers, merchants, processors, acquirers and other service providers handling account data.
In the context of PCI DSS, account data refers to cardholder data and sensitive authentication data. To elaborate, cardholder data includes the following:
- Primary Account Number (PAN): Commonly known as the credit card or debit card number
- Cardholder name: Name of the person who owns the card
- Expiration date: Date when the card is no longer usable
- Service code: Three or four-digit value found in the magnetic stripe, after the expiration date
Sensitive authentication data, on the other hand, includes the following:
- Full track data: Magnetic-stripe data or its equivalent on a chip
- Card verification code: Three or four-digit value, often referred to as CAV2, CVC2, CVN2, CVV2 or CID
- PINs/PIN blocks: The card owner's personal identification number
Although PCI DSS is often associated with the financial services industry, it applies to any organization handling account data. This includes e-commerce businesses, retailers, healthcare providers and many others.
To protect cardholder information, covered organizations must comply with PCI DSS by implementing the security measures specified in the PCI DSS requirements. Compliance is validated through an assessment by a Qualified Security Assessor (QSA), by completing a self-assessment questionnaire (SAQ) or through other approved methods, depending on the organization's merchant or service provider level.
By being PCI DSS compliant, businesses handling payment card transactions demonstrate a strong commitment to information security. This not only reduces the risk of data breaches and fraudulent activities, but also strengthens customer trust.
PCI DSS 4.0, the current version, is composed of 12 principal requirements:
- Install and maintain network security controls
- Apply secure configurations to all system components
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
- Support information security with organizational policies and programs
Each of these principal requirements, in turn, consists of more detailed security requirements. To illustrate how JSCAPE simplifies PCI DSS compliance, we'll highlight key security requirements that affect file transfer environments. Immediately after each requirement, we'll explain how you can meet it using JSCAPE.
How JSCAPE helps you achieve PCI DSS compliance
Before diving into specific requirements, allow us to give you an overview of JSCAPE's security competencies and its commitment to helping organizations achieve regulatory compliance. As a leading software vendor in the MFT space, JSCAPE holds industry-recognized certifications, including ISO 27001 and SOC 2.
Its main MFT product, JSCAPE MFT Server (now also offered as a cloud-based SaaS service, JSCAPE MFTaaS), is an advanced MFT solution. It enables secure and automated file transfers through an array of security and low-code/no-code automation features.
As you'll see in the next section, JSCAPE MFT's extensive selection of security features makes it fully capable of supporting stringent information security policy and compliance programs. Aside from PCI DSS, companies have also been using JSCAPE MFT to comply with other data privacy and protection laws and regulations, including:
- HIPAA (Health Insurance Portability and Accountability Act)
- GDPR (General Data Protection Regulation)
- GLBA (Gramm-Leach-Bliley Act)
- SOX (Sarbanes-Oxley Act)
- CCPA (California Consumer Privacy Act)
- FISMA (Federal Information Security Management Act)
While JSCAPE MFT is recognized for its robust security capabilities, JSCAPE's dedication to security doesn't end there. Security is integrated into every stage of JSCAPE's software development lifecycle. Its application security initiatives include manual penetration tests, static application security testing (SAST), software composition analysis (SCA), dynamic application security testing (DAST), architecture reviews and ongoing assessments.
JSCAPE takes zero-day vulnerabilities seriously and has clear policies in place for addressing vulnerabilities as soon as they're discovered. This includes timely patching, communication and team mobilization. These initiatives help ensure that every JSCAPE product is protected throughout development and after deployment.
File transfer-related PCI DSS requirements and how JSCAPE helps you meet them
Let's now discuss some of the key PCI DSS compliance requirements that directly affect file transfer environments. It's worth noting that not all PCI DSS requirements affect file transfers. For instance, principal requirement 9, which deals with physical access security, doesn't directly affect file transfers, so we'll omit it.
That said, here are some key PCI DSS 4.0 file transfer-related requirements along with some explanations detailing how JSCAPE helps you meet them.
Requirement 4.2.1
When PANs are transmitted over open, public networks like the internet, they must be protected by strong cryptography and security protocols. This is meant to prevent threat actors from intercepting and stealing data during your file transfers, especially in less secure networks.
How JSCAPE helps you meet Requirement 4.2.1
JSCAPE MFT supports several encrypted file transfer protocols, such as:
- SSH File Transfer Protocol (SFTP),
- File Transfer Protocol over SSL/TLS (FTPS),
- Hypertext Transfer Protocol Secure (HTTPS) and
- Applicability Statement 2 (AS2).
Every transmission of cardholder data through any of these protocols is protected by data-in-transit encryption. JSCAPE MFT also lets you restrict each protocol to strong algorithms, such as AES-256 cipher suites, for even greater protection. Keep in mind that Requirement 4.2.1 covers more than choosing an encrypted protocol: only trusted, valid certificates may be accepted, and the protocol in use must support only secure versions and configurations, with no fallback to insecure versions, algorithms or key sizes. In practice, that means not exposing plain FTP or HTTP listeners on any path that carries PAN, disabling SSLv3 and TLS 1.0/1.1 on FTPS and HTTPS listeners, and removing weak ciphers and key-exchange algorithms from the SFTP configuration.
Requirement 3.5.1
PANs must be rendered unreadable anywhere they are stored. This requirement is designed to protect stored PANs from threat actors who gain access to your storage systems. PCI DSS accepts four methods: a keyed one-way hash of the entire PAN, truncation, index tokens, or strong cryptography with associated key management. Most businesses use some form of data-at-rest encryption to meet this requirement.
How JSCAPE helps you meet Requirement 3.5.1
JSCAPE supports PGP encryption, an encryption technology that secures data at rest. You can set it up so that files are automatically encrypted as soon as they're uploaded to your MFT environment, and they remain encrypted while stored. In addition, JSCAPE supports AWS server-side encryption through either AES-256 S3 encryption or KMS S3 encryption; you can use either option to encrypt files you store on the AWS cloud. Whichever option you choose, the decryption key is what the assessor will ask about: PCI DSS Requirements 3.6 and 3.7 expect it to be protected against disclosure, restricted to the fewest custodians necessary and stored separately from the data it protects, so the PGP private key should not sit on the same server as the encrypted uploads. Note also that disk- or partition-level encryption on its own only satisfies 3.5.1 for removable media; file-level encryption such as PGP is the right tool for an MFT store.
Here are some tutorials showing how you can configure JSCAPE MFT to automatically apply PGP encryption on uploaded files before storing them:
- How to automatically PGP-encrypt a file upon upload using triggers
- How to PGP-encrypt every single file uploaded by a specific user
- PGP-encrypting every single file uploaded by members of a group
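A vendor-neutral complement to the tutorials above, added here as an example and not code from this page or from JSCAPE: a pre-storage check that finds Luhn-valid PANs in an uploaded file, then produces the two 3.5.1 renderings that need no decryption key (truncation to BIN plus last four, and a keyed hash of the whole PAN), plus a redacted copy that is safe to log. The sample upload, the demo key and all function names are constructed for this example.

```python
"""Added example, not JSCAPE code: find PANs in an upload and render them
unreadable (truncation, keyed hash) before anything is written to storage."""
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters order numbers and timestamps out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in text, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """Keep the BIN (first six) and last four; the middle digits are
    discarded, not hidden for display, so they cannot be recovered."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 over the entire PAN (Req 3.5.1.1 requires hashes of PAN
    to be keyed). An unkeyed hash is brute-forceable: with the BIN known,
    only the middle digits plus the Luhn digit are unknown."""
    if len(key) < 32:
        raise ValueError("use a key of at least 32 bytes from your key manager")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN with its truncated form, e.g. before
    the content goes to a log line or an error message."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return truncate_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def inspect_upload(text: str, key: bytes) -> dict:
    """Decision record for one uploaded file: whether it holds PANs, the
    storable forms of each PAN, and a redacted copy safe for logging."""
    pans = find_pans(text)
    return {
        "contains_pan": bool(pans),
        "records": [{"truncated": truncate_pan(p), "token": keyed_hash_pan(p, key)}
                    for p in pans],
        "redacted": redact(text),
    }


# Constructed sample upload. 4111... and 5555... are well-known test numbers.
SAMPLE_UPLOAD = (
    "batch_id=20240115-001\n"
    "card=4111 1111 1111 1111 amount=19.99\n"
    "card=5555555555554444 amount=42.00\n"
    "ref=4111111111111112 note=16 digits but fails Luhn\n"
    "order=1234567812345678 note=order number, fails Luhn\n"
)
DEMO_KEY = b"demo-only-key-do-not-use-in-prod"   # 32 bytes, demo only

if __name__ == "__main__":
    result = inspect_upload(SAMPLE_UPLOAD, DEMO_KEY)
    print(result["redacted"])
    for rec in result["records"]:
        print(rec["truncated"], rec["token"][:16] + "...")
```

The truncated form is no longer PAN and can live in reports and logs; the HMAC token lets you correlate the same card across files without storing it. The HMAC key is itself a cryptographic key under Requirements 3.6 and 3.7: generate it in your key manager or HSM, never store it beside the tokens, and rotate it on the schedule your key-management policy sets.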
Requirement 8.2.1
All users must be assigned a unique ID before they are granted access to system components or cardholder data. Assigning a unique ID to each user enables you to trace user actions and establish accountability. It's also a prerequisite for establishing access controls, as discussed in Requirement 7.2.2 below.
How JSCAPE helps you meet Requirement 8.2.1
By design, each user account created on JSCAPE MFT is associated with a single person. When you create a new user, you'll be asked to fill out fields for the person's name, login name, email address and phone number, among others. No two users can have the same login name, so it can serve as the unique ID. Keep it that way in practice: a single "partner" login shared by several people at a trading partner defeats the traceability 8.2.1 is after, and shared or generic accounts are only allowed as documented exceptions under 8.2.2. Give each individual their own account, and group them if they need common permissions.
Requirement 8.3.1
All user and administrative access to system components must be authenticated through at least one of the following authentication factors:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric element
When used in conjunction with unique IDs, an authentication factor provides robust data protection. It prevents hackers, malicious insiders and other threat actors from taking over user accounts and gaining unauthorized access to cardholder data.
How JSCAPE helps you meet Requirement 8.3.1
JSCAPE MFT supports all three authentication factors through built-in functionality and its extensive support for a wide range of authentication options. JSCAPE MFT provides the following options:
- Domain User Authentication
- Database Authentication
- Database Query Authentication
- LDAP Authentication
- LDAP Query Authentication
- LDAP Filter Grammar
- NTLM Authentication
- PAM Authentication
- RADIUS Authentication
It also supports custom authentication and multi-factor authentication (MFA). MFA allows you to combine different authentication factors and implement much stronger authentication. Treat it as required rather than optional where the MFT server handles account data: Requirement 8.4.1 mandates MFA for all non-console administrative access, and 8.4.2 mandates it for all access into the cardholder data environment, so both the administrative console and the user-facing listeners that reach PAN should enforce a second factor.
Requirement 7.2.2
Users, including privileged users (e.g., server administrators) must be granted access based on their job classification and function. Additionally, they should be assigned only the least privileges necessary to fulfill their duties. Implementing strong access control measures, such as least privilege access, minimizes security breaches. For instance, if a user doesn't require access to cardholder data to perform their job, they shouldn't be granted access. This prevents them from performing actions that could violate PCI standards.
How JSCAPE helps you meet Requirement 7.2.2
JSCAPE MFT enables you to implement role-based access control (RBAC), which restricts file and folder access based on predefined user roles. It also allows you to apply the principle of least privilege, using user groups to grant only the permissions a role needs. You can apply a similar configuration to privileged MFT users with administrative roles, and get even more granular in delegating administrative privileges using administrative tags.
Requirements 11.3.1 and 11.3.2
Internal vulnerability scans (11.3.1) and external vulnerability scans (11.3.2) must be performed at least once every three months and after any significant change. These requirements are in line with vulnerability management best practices. They're designed to identify, prioritize and address any vulnerabilities that might be exploited by threat actors.
How JSCAPE helps you meet Requirements 11.3.1 and 11.3.2
As mentioned in the downloadable guide, "How to secure file transfers in the breach era," JSCAPE conducts exhaustive annual external and internal penetration tests and vulnerability scans to ensure product security.
You, as a covered entity, must still conduct your own regular scans of your deployment and address any vulnerabilities found. In fact, your external vulnerability scans must be performed by a PCI Security Standards Council Approved Scanning Vendor (ASV), and rescans are needed until they pass. JSCAPE's penetration tests and scans cover the product itself, not your configuration, host operating system or network, so treat them as an additional layer of assurance that supplements, rather than replaces, your own scanning.
Requirement 5.2.1
An anti-malware solution must be deployed on all system components. Since file transfer systems typically handle hundreds of thousands or even millions of files, they are highly susceptible to malware infiltration. Anti-malware software addresses this threat.
How JSCAPE helps you meet Requirement 5.2.1
JSCAPE MFT integrates with Internet Content Adaptation Protocol (ICAP) antivirus servers, which handle the malware scanning on its behalf. By offloading virus scanning to an ICAP server, you reduce the risk of malware infection while avoiding the performance issues associated with local scanning. Configure the integration to fail closed: if the ICAP server is unreachable, times out or returns anything other than an explicit clean verdict, the upload should be quarantined rather than released to its destination folder.
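To make the ICAP exchange concrete, here is an added example of the two messages involved and the fail-closed decision on the scanner's reply. It is not JSCAPE's code: the ICAP framing follows RFC 3507, while the X-Infection-Found and X-Virus-ID headers are a de facto convention of antivirus engines such as c-icap with ClamAV, not part of the RFC. The internal MFT host name, the ICAP service URL, the sample replies and the function names are assumptions made up for this example; scan_over_network is included for completeness and is not used by the offline demo.

```python
"""Added example, not JSCAPE code: ICAP RESPMOD request for an uploaded file
and a fail-closed interpretation of the scanner's response."""
import socket

MFT_HOST = "mft.internal.example"   # assumed name of the internal MFT server


def build_respmod_request(service_url: str, file_name: str, data: bytes) -> bytes:
    """Wrap the file in a synthetic HTTP response and encapsulate it in RESPMOD."""
    host = service_url.split("//", 1)[1].split("/", 1)[0]
    req_hdr = f"GET /{file_name} HTTP/1.1\r\nHost: {MFT_HOST}\r\n\r\n".encode()
    res_hdr = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(data)}\r\n\r\n"
    ).encode()
    # ICAP bodies are always chunked; one chunk is fine for a small file.
    body = f"{len(data):x}\r\n".encode() + data + b"\r\n0\r\n\r\n"
    icap_hdr = (
        f"RESPMOD {service_url} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Allow: 204\r\n"   # permit a 204 reply (clean, body not echoed back)
        f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
        f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n"
    ).encode()
    return icap_hdr + req_hdr + res_hdr + body


def encapsulated_offsets(request: bytes) -> dict[str, int]:
    """Parse the Encapsulated header back out, to self-check the offsets."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n"):
        if line.lower().startswith("encapsulated:"):
            parts = line.split(":", 1)[1].split(",")
            return {k.strip(): int(v) for k, v in (p.split("=") for p in parts)}
    raise ValueError("no Encapsulated header")


def parse_icap_response(raw: bytes) -> dict:
    """Return {'status', 'verdict', 'threat'}; verdict is clean, infected,
    unknown or error. Only a 204 counts as clean."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    proto, status_str = lines[0].split(" ", 2)[:2]
    if proto != "ICAP/1.0":
        raise ValueError(f"not an ICAP response: {lines[0]!r}")
    status = int(status_str)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    threat = None
    if "x-infection-found" in headers:
        # e.g. "Type=0; Resolution=2; Threat=Eicar-Test-Signature;"
        for item in headers["x-infection-found"].split(";"):
            key, _, val = item.strip().partition("=")
            if key.lower() == "threat" and val:
                threat = val
    if threat is None and headers.get("x-virus-id"):
        threat = headers["x-virus-id"]

    if status == 204:
        verdict = "clean"
    elif status == 200 and threat:
        verdict = "infected"
    elif status == 200:
        verdict = "unknown"    # body echoed with no infection header: not proven clean
    else:
        verdict = "error"      # 4xx/5xx from the scanner
    return {"status": status, "verdict": verdict, "threat": threat}


def should_quarantine(result: dict) -> bool:
    """Fail closed: only an explicit clean verdict releases the file."""
    return result["verdict"] != "clean"


def scan_over_network(icap_host: str, icap_port: int, service_url: str,
                      file_name: str, data: bytes, timeout: float = 10.0) -> dict:
    """Send the request to a real ICAP server; any transport failure is an error verdict."""
    try:
        with socket.create_connection((icap_host, icap_port), timeout=timeout) as s:
            s.sendall(build_respmod_request(service_url, file_name, data))
            chunks = []
            while True:
                piece = s.recv(65536)
                if not piece:
                    break
                chunks.append(piece)
        return parse_icap_response(b"".join(chunks))
    except (OSError, ValueError) as exc:
        return {"status": 0, "verdict": "error", "threat": None, "detail": str(exc)}


# Constructed sample replies, in the shape c-icap/ClamAV produces.
SAMPLE_CLEAN = (
    b"ICAP/1.0 204 Unmodified\r\n"
    b"ISTag: \"CI0001-clamav\"\r\n"
    b"Encapsulated: null-body=0\r\n\r\n"
)
SAMPLE_INFECTED = (
    b"ICAP/1.0 200 OK\r\n"
    b"ISTag: \"CI0001-clamav\"\r\n"
    b"X-Infection-Found: Type=0; Resolution=2; Threat=Eicar-Test-Signature;\r\n"
    b"X-Virus-ID: Eicar-Test-Signature\r\n"
    b"Encapsulated: res-hdr=0, res-body=72\r\n\r\n"
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nContent-Length: 11\r\n\r\n"
    b"b\r\nVIRUS FOUND\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    for name, reply in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        result = parse_icap_response(reply)
        print(name, result, "quarantine" if should_quarantine(result) else "release")
```

The decision logic is the part worth copying: a 200 reply with no infection header is not evidence that the file is clean (some engines echo the body that way when 204 is not allowed), and a connection failure is treated the same as a detection. Log the ISTag value from the reply as well; it identifies the signature set that produced the verdict, which is what an assessor checking 5.2.1 and 5.3.2 will want to see.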
Requirement 1.4.4
System components that store cardholder data must not be directly accessible from untrusted networks. When you store cardholder data where it can be directly accessed from the internet, you expose it to external threats.
How JSCAPE helps you meet Requirement 1.4.4
JSCAPE also provides JSCAPE MFT Gateway, a reverse proxy that supports DMZ streaming. It's a process that:
- Allows external users to request files through MFT Gateway,
- Retrieves the files from a JSCAPE MFT Server instance deployed in your internal network and
- Streams them directly to the user. None of the files are stored in the DMZ.
In case you're not familiar with the term, a DMZ (Demilitarized Zone) is a network segment that acts as a buffer between internal networks and the internet. It uses firewalls to restrict inbound and outbound traffic. You would typically deploy your JSCAPE MFT Gateway instance on your DMZ, where it can act as an intermediary between your external users and your internally-deployed JSCAPE MFT Server instance.
That way, those users don't directly connect with your JSCAPE MFT Server, where, presumably, your cardholder data is stored.
Requirement 1.4.5
Disclosure of internal IP addresses and routing information must be limited to authorized parties. This requirement prevents attackers from learning your internal IP addresses and using them to deduce your network layout, identify targets and carry out targeted attacks.
How JSCAPE helps you meet Requirement 1.4.5
By deploying JSCAPE MFT Server and JSCAPE MFT Gateway as described above, you can give external users access to files on your internally deployed MFT server without revealing any internal IP address. As a reverse proxy, JSCAPE MFT Gateway listens for file transfer requests at its external IP address, so external users only ever connect to that address, not to the address of your MFT server. When you test the deployment, check the full response path as well as the connection: service banners, error pages, redirects and directory listings returned through the gateway should not contain the MFT server's host name or address.
This is by no means an exhaustive list, but JSCAPE definitely helps you meet most, if not all, file transfer-related PCI DSS requirements. If there's a specific requirement you want to inquire about, do contact us. A representative will be ready to answer any questions you might have.
Conclusion
JSCAPE provides a comprehensive solution for organizations seeking to achieve and maintain PCI DSS compliance in their file transfer operations. Through its robust security features, which include strong encryption protocols, role-based access controls, multiple authentication options and ICAP anti-malware integration, among many others, JSCAPE consolidates several compliance requirements into a single, easy-to-manage platform.
The combination of JSCAPE MFT Server and MFT Gateway provides external users and trading partners easy and secure access to cardholder data, without revealing critical information about your internal network.
Beyond the technical capabilities of its MFT solutions, JSCAPE's commitment to security is evident in its developmental practices, regular security testing and swift vulnerability management. JSCAPE offers not just a file transfer solution, but also a highly advanced and secure platform that simplifies compliance with PCI DSS and other regulatory standards.