Is it permissible to use FTP if proper security measures are implemented?
FTP is considered an insecure protocol as it does not provide protection for its communication channel or logon details. PCI DSS Requirement 1 states that network security controls (NSCs), such as firewalls and other network security technologies, must include a business justification for the use of insecure protocols over the network and that appropriate security features must be documented and implemented for the use of such protocols. Additionally, per PCI DSS Requirement 2, system configuration standards must include the implementation of security features for any insecure protocols. Examples of security features may include the use of secure FTP software, or tunneling the FTP connection over a secure channel, such as IPSec, SSH or TLS.