Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1076 Published

Is it permissible to use FTP if proper security measures are implemented?

PCI DSS requirement 1.1.7 states that any risky protocols such as FTP must have documentation in place that defines the business justification for use and that appropriate security measures must be implemented. For example, secure FTP should be used, and FTP passwords and TELNET passwords used for non-console administrative access should be encrypted in transmission and in storage as prescribed in PCI DSS requirement 8.4 and 2.3 respectively. The documentation as well as implemented security measures should be reviewed by a Qualified Security Assessor (QSA) to ensure full effectiveness. The QSA will determine, among other things, that the selected approach is robust enough to withstand common attacks. For questions about whether a specific implementation is consistent with the standard or is "compliant" with a requirement, please contact a Qualified Security Assessor (QSA). A list of QSAs can be found at www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.