In the highly regulated financial services industry, it's crucial to maintain compliance with information security standards. Doing so establishes trustworthiness, mitigates data security risks and prevents costly fines and penalties stemming from non-compliance. One of the most important standards in this sector is the Payment Card Industry Data Security Standard (PCI DSS), which lays out an extensive framework of requirements to safeguard the storage, processing and transmission of payment card data.
Because file transfer workflows typically involve numerous interconnected systems, protocols and processes, financial institutions often need to integrate their file transfer software with multiple cybersecurity tools to meet PCI DSS compliance requirements. This often results in an overly complex, costly and inefficient solution.
JSCAPE by Redwood simplifies this challenge by consolidating multiple solutions for several PCI DSS requirements into a single platform — JSCAPE Managed File Transfer (MFT). Before we go into the details, let's review what PCI DSS compliance means.
PCI DSS is a global framework designed to protect debit and credit card data. Established by the Payment Card Industry Security Standards Council (PCI SSC), which includes major card brands such as Visa, Mastercard, American Express, Discover and JCB, it sets security requirements for issuers, merchants, processors, acquirers and other service providers handling account data.
In the context of PCI DSS, account data refers to cardholder data and sensitive authentication data. To elaborate, cardholder data includes the following:
Sensitive authentication data, on the other hand, includes the following:
Although PCI DSS is often associated with the financial services industry, it applies to any organization handling account data. This includes e-commerce businesses, retailers, healthcare providers and many others.
To protect cardholder information, covered organizations must comply with PCI DSS by implementing strong security measures as specified in the PCI DSS requirements. Compliance validation is conducted through a Qualified Security Assessor (QSA), by completing a self-assessment questionnaire (SAQ) or other approved methods.
By being PCI DSS compliant, businesses handling payment card transactions demonstrate a strong commitment to information security. This not only reduces the risk of data breaches and fraudulent activities, but also strengthens customer trust.
PCI DSS 4.0, the current version, is composed of 12 principal requirements:
Each of these principal requirements, in turn, consists of more detailed security requirements. To illustrate how JSCAPE simplifies PCI DSS compliance, we'll highlight key security requirements that impact file transfer environments. Immediately after each requirement, we'll explain how you can meet it using JSCAPE.
Before diving into specific requirements, allow us to give you an overview of JSCAPE's security competencies and its commitment to helping organizations achieve regulatory compliance. As a leading software vendor in the MFT space, JSCAPE holds industry-recognized certifications, including ISO 27001 and SOC 2.
Its main MFT product, JSCAPE MFT Server — which is now also offered as a cloud-based SaaS service, JSCAPE MFTaaS — is an advanced MFT solution. It enables secure and automated file transfers through an array of security and low-code/no-code automation features.
As you'll soon see in the next section, JSCAPE MFT's extensive selection of security features makes it fully capable of supporting stringent information security policy and compliance programs. Aside from PCI DSS, companies have also been using JSCAPE MFT to comply with other data privacy and protection laws and regulations. This includes:
While JSCAPE MFT is recognized for its robust security capabilities, JSCAPE's dedication to security doesn't end there. Security is deeply integrated into every stage of JSCAPE's software development lifecycle. Its application security initiatives include manual penetration tests, static application security testing (SAST), software composition analysis (SCA), dynamic application security testing (DAST), architecture reviews and ongoing assessments.
JSCAPE takes zero-day vulnerabilities seriously and has clear policies in place for addressing vulnerabilities as soon as they're discovered. This includes timely patching, communication and team mobilization. These initiatives help ensure that every JSCAPE product is protected throughout development and even after deployment.
Let's now discuss some of the key PCI DSS compliance requirements that directly affect file transfer environments. It's worth noting that not all PCI DSS requirements impact file transfers. For instance, principal requirement 9, which deals with physical access security, doesn't directly impact file transfers. Hence, we'll be omitting it.
That said, here are some key PCI DSS 4.0 file transfer-related requirements along with some explanations detailing how JSCAPE helps you meet them.
When PANs are transmitted over open, public networks like the internet, they must be protected by strong cryptography and security protocols. This is meant to prevent threat actors from intercepting and stealing data during your file transfers, especially in less secure networks.
JSCAPE MFT supports several encrypted file transfer protocols, such as:
Every transmission of cardholder data through any of these protocols is protected by data-in-transit encryption. In addition, JSCAPE MFT allows you to equip these protocols with strong cryptographic algorithms, like AES 256, to ensure even greater protection during transmission.
PANs must be rendered unreadable anywhere they are stored. This requirement is designed to protect stored PANs from threat actors who, for some reason, are able to access your storage systems. Most businesses use some form of data-at-rest encryption to meet this requirement.
JSCAPE supports PGP encryption, an encryption technology that secures data at rest. You can set it up so that files are automatically encrypted as soon as they're uploaded to your MFT environment. They remain encrypted while stored. In addition, JSCAPE also supports AWS server-side encryption through either AES-256 S3 encryption or KMS S3 encryption. You can use either option to encrypt files you store on the AWS cloud.
Here are some tutorials showing how you can configure JSCAPE MFT to automatically apply PGP encryption on uploaded files before storing them:
All users must be assigned a unique ID before they are granted access to system components or cardholder data. Assigning a unique ID to each user enables you to trace user actions and establish accountability. It's also a prerequisite for establishing access controls, as discussed in Requirement 7.2.2 below.
By design, each user account created on JSCAPE MFT is associated with a single person. When you create a new user, you'll be asked to fill out fields for the person's name, login name, email address and phone number, among others. No two users can have the same login name, so this can serve as a unique ID.
All user and administrative access to system components must be authenticated through at least one of the following authentication factors:
When used in conjunction with unique IDs, an authentication factor provides robust data protection. It prevents hackers, malicious insiders and other threat actors from taking over user accounts and gaining unauthorized access to cardholder data.
JSCAPE MFT supports all three authentication factors through built-in functionality and its extensive support for a wide range of authentication options. JSCAPE MFT provides the following options:
Not only that, it also supports custom authentication and multi-factor authentication (MFA). MFA allows you to combine different authentication factors and implement much stronger authentication.
Users, including privileged users (e.g., server administrators), must be granted access based on their job classification and function. Additionally, they should be assigned only the least privileges necessary to fulfill their duties. Implementing strong access control measures, such as least privilege access, minimizes security breaches. For instance, if a user doesn't require access to cardholder data to perform their job, they shouldn't be granted access. This prevents them from performing actions that could violate PCI standards.
JSCAPE MFT enables you to implement role-based access control (RBAC), a type of access control that restricts file and folder access based on predefined user roles. It also allows you to implement the principle of least privilege. This can be done using user groups. You can apply a similar configuration to privileged MFT users with administrative roles, and you can get even more granular in delegating administrative privileges using administrative tags.
External and internal vulnerability scans must be conducted regularly. These requirements are in line with vulnerability management best practices. They're designed to identify, prioritize and address any vulnerabilities that might be exploited by threat actors.
As mentioned in the downloadable guide, “How to secure file transfers in the breach era,” JSCAPE conducts exhaustive annual external and internal penetration (PEN) tests and vulnerability scans to ensure product security.
You, as a covered entity, must still conduct your own regular scans and address any vulnerabilities found. In fact, your external vulnerability scans must be performed by a PCI Security Standards Council Approved Scanning Vendor (ASV). However, by leveraging JSCAPE's PEN tests and scans, you can supplement your efforts with additional layers of proactive vulnerability detection and mitigation.
An anti-malware solution must be deployed on all system components. Since file transfer systems typically handle hundreds of thousands or even millions of files, they are highly susceptible to malware infiltration. Anti-malware or antivirus software can address this threat.
JSCAPE MFT seamlessly integrates with Internet Content Adaptation Protocol (ICAP) antivirus servers, which can handle the malware scanning in its stead. By offloading virus scanning operations to an ICAP server, you can reduce the risk of malware infection while also avoiding the performance issues associated with local scanning.
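To show what the ICAP offload described above looks like on the wire, here is an added example (not JSCAPE's code) that builds a RESPMOD request for an uploaded file and turns the scanner's reply into a verdict. The host name, service path and the `X-Infection-Found` header layout are assumptions based on RFC 3507 and the convention used by common antivirus ICAP servers; anything other than a clear clean or infected answer is reported as unknown so the caller can fail closed and quarantine the file.

```python
import re

# Headers that antivirus ICAP servers commonly use to report a detection (assumed, not from the page).
ICAP_INFECTION_HEADERS = ("x-infection-found", "x-violations-found")


def build_respmod_request(icap_host, service, filename, content):
    """Build a minimal ICAP RESPMOD request (RFC 3507) that wraps a file as an
    HTTP response body so an antivirus ICAP server can scan it. Host and service
    names are hypothetical. 'Allow: 204' lets the server answer '204 No Content'
    for a clean file instead of echoing the whole body back."""
    http_hdr = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: application/octet-stream\r\n"
                b"Content-Disposition: attachment; filename=\"" + filename.encode() + b"\"\r\n"
                b"Content-Length: " + str(len(content)).encode() + b"\r\n\r\n")
    # The encapsulated body uses HTTP chunked encoding, ended by a zero-length chunk.
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(content), content)
    icap_hdr = (f"RESPMOD icap://{icap_host}/{service} ICAP/1.0\r\n"
                f"Host: {icap_host}\r\n"
                f"Allow: 204\r\n"
                f"Encapsulated: res-hdr=0, res-body={len(http_hdr)}\r\n\r\n").encode()
    return icap_hdr + http_hdr + chunked


def parse_icap_verdict(raw):
    """Turn a raw ICAP response into (status, verdict, threat_name).
    'clean' for 204, 'infected' when a detection header is present,
    otherwise 'unknown' so the caller fails closed (quarantine, do not deliver)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = re.match(r"ICAP/1\.0 (\d{3})", lines[0])
    if not m:
        return (0, "unknown", None)
    status = int(m.group(1))
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    if status == 204:
        return (204, "clean", None)
    for name in ICAP_INFECTION_HEADERS:
        if name in headers:
            threat = re.search(r"Threat=([^;]+)", headers[name])
            return (status, "infected", threat.group(1).strip() if threat else headers[name])
    return (status, "unknown", None)


# Constructed sample replies, as a scanner might return them for a clean and an infected upload.
SAMPLE_CLEAN = b"ICAP/1.0 204 No Content\r\nISTag: \"av-sig-1\"\r\n\r\n"
SAMPLE_INFECTED = (b"ICAP/1.0 200 OK\r\n"
                   b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-Signature;\r\n\r\n")
```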
System components that store cardholder data must not be directly accessible from untrusted networks. When you store cardholder data where it can be directly accessed from the internet, you expose it to external threats.
JSCAPE also provides JSCAPE MFT Gateway, a reverse proxy that supports DMZ streaming. It's a process that:
In case you're not familiar with the term, a DMZ (Demilitarized Zone) is a network segment that acts as a buffer between internal networks and the internet. It uses firewalls to restrict inbound and outbound traffic. You would typically deploy your JSCAPE MFT Gateway instance on your DMZ, where it can act as an intermediary between your external users and your internally-deployed JSCAPE MFT Server instance.
That way, those users don't directly connect with your JSCAPE MFT Server, where, presumably, your cardholder data is stored.
Limit disclosure of internal IP addresses and routing information to authorized parties. This requirement prevents hackers from learning your internal IP addresses and using them to deduce internal network structures, identify vulnerabilities and carry out targeted attacks.
By deploying JSCAPE MFT Server and JSCAPE MFT Gateway as described above, you can provide external users access to files in your internally-deployed MFT server without revealing any internal IP address. As a reverse proxy, JSCAPE MFT Gateway listens for file transfer requests at its external IP address. External users will only connect to this IP address, and not the IP address of your MFT server.
This is by no means an exhaustive list, but JSCAPE definitely helps you meet most, if not all, file transfer-related PCI DSS requirements. If there's a specific requirement you want to inquire about, do contact us. A representative will be ready to answer any questions you might have.
JSCAPE provides a comprehensive solution for organizations seeking to achieve and maintain PCI DSS compliance in their file transfer operations. Through its robust security features, which include strong encryption protocols, role-based access controls, multiple authentication options and anti-malware solutions, among many others, JSCAPE consolidates several compliance requirements into a single, easy-to-manage platform.
The combination of JSCAPE MFT Server and MFT Gateway provides external users and trading partners easy and secure access to cardholder data, without revealing critical information about your internal network.
Beyond the technical capabilities of its MFT solutions, JSCAPE's commitment to security is evident in its developmental practices, regular security testing and swift vulnerability management. JSCAPE offers not just a file transfer solution, but also a highly advanced and secure platform that simplifies compliance with PCI DSS and other regulatory standards.