The PCI DSS (Payment Card Industry Data Security Standard) is the data security standard for the payment process industry. Developed and maintained by the major credit card companies via the PCI Security Standards Council, it is relevant for merchants, processors, acquirers, issuers and service providers.
Essentially, PCI DSS is a set of minimum requirements designed to protect cardholder data. It has 12 major requirements, not all directly relevant to secure file transfer. FTP servers can't be PCI DSS compliant as such - they instead can help organizations to achieve PCI DSS compliance in conjunction with network security measures and policies and other technologies.
When used correctly, CompleteFTP can help you achieve PCI DSS compliance in your organization. The PCD DSS requirements addressed by CompleteFTP are listed below:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Keep your CompleteFTP installation behind a firewall. Use the IP filtering capabilities of CompleteFTP to only permit the IP addresses you want to access the server.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Disable anonymous access. Configure the CompleteFTP manager to use a secure protocol such as SFTP or FTPS for administrative tasks. Disable HTTP and FTP protocols. For HTTPS, ensure public HTTP access flag is disabled. Hide the server product details (messages setting) to hide the version and name of the product from clients.
Requirement 3: Protect stored cardholder data.
Disable SSH terminal access. Periodically change keys. Where cardholder data is stored, encrypt it using PGP or a similar tool.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Disable HTTP and FTP protocols, and only permit secure protocols: FTPS, SFTP and SCP.
Requirement 8: Assign a unique ID to each person with computer access.
Disable anonymous access. Disable automatic Windows users.
Requirement 10: Track and monitor all access to network resources and cardholder data.
CompleteFTP supports auto-banning of accounts or IP addresses that connect unsuccessfully. CompleteFTP has an audit log that should be regularly inspected.