PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
View Original →
FAQ #1076 Published

Is it permissible to use FTP if proper security measures are implemented?

FTP is considered an insecure protocol as it does not provide protection for its communication channel or logon details.

PCI DSS Requirement 1.1.6 states that firewalls and router configurations must include a business justification for the use of insecure protocols over the network, and that appropriate security features must be documented and implemented for the use of such protocols. Additionally per PCI DSS Requirement 2.2.3, system configuration standards must include implementation of security features to for any insecure protocols.

Examples of security features may include use of secure FTP software, or tunneling the FTP connection over a secure channel, such as IPSec, SSH or SSL/TLS.

(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)

View original on PCI SSC website View all versions Back to recent changes

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.