Diff: FAQ #1076

Is it permissible to use FTP if proper security measures are implemented?

Earlier Version

PCI DSS requirement 1.1.7 states that any risky protocols such as FTP must have documentation in place that defines the business justification for use and that appropriate security measures must be implemented. For example, secure FTP should be used, and FTP passwords and TELNET passwords used for non-console administrative access should be encrypted in transmission and in storage as prescribed in PCI DSS requirement 8.4 and 2.3 respectively. The documentation as well as implemented security measures should be reviewed by a Qualified Security Assessor (QSA) to ensure full effectiveness. The QSA will determine, among other things, that the selected approach is robust enough to withstand common attacks. For questions about whether a specific implementation is consistent with the standard or is "compliant" with a requirement, please contact a Qualified Security Assessor (QSA). A list of QSAs can be found at www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf.

Later Version

FTP is considered an insecure protocol as it does not provide protection for its communication channel or logon details.

PCI DSS Requirement 1.1.6 states that firewalls and router configurations must include a business justification for the use of insecure protocols over the network, and that appropriate security features must be documented and implemented for the use of such protocols. Additionally per PCI DSS Requirement 2.2.3, system configuration standards must include implementation of security features for any insecure protocols.

Examples of security features may include use of secure FTP software, or tunneling the FTP connection over a secure channel, such as IPSec, SSH or SSL/TLS.

(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)
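The security features the FAQ lists (secure FTP software, or tunneling over IPSec, SSH or SSL/TLS) only protect logon details if the server actually refuses plaintext logins. The audit below is an added example, not PCI SSC or vsftpd code; it assumes vsftpd's documented directive names and defaults, and the three configurations are constructed samples.

```python
# Directive names below are real vsftpd keys; the sample configs are constructed.

def parse_vsftpd(text):
    """Return {directive: value} from vsftpd's key=value format,
    ignoring blank lines and '#' comments; values are upper-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings

def audit_vsftpd(text):
    """Return a list of findings; empty means logins and data are forced onto
    TLS. Absent keys fall back to vsftpd's documented defaults
    (ssl_enable=NO, anonymous_enable=YES), so silence is not safety."""
    s = parse_vsftpd(text)
    findings = []
    if s.get("anonymous_enable", "YES") == "YES":
        findings.append("anonymous_enable=YES: unauthenticated access allowed")
    if s.get("ssl_enable", "NO") != "YES":
        findings.append("ssl_enable=NO: USER/PASS and data cross the network in the clear")
        return findings  # nothing else matters until TLS is on at all
    for key in ("force_local_logins_ssl", "force_local_data_ssl"):
        if s.get(key, "YES") != "YES":
            findings.append(f"{key}=NO: clients may still downgrade to plaintext")
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if s.get(key, "NO") == "YES":
            findings.append(f"{key}=YES: obsolete SSL version enabled")
    return findings

# Constructed sample: plain FTP, the setup the FAQ calls insecure
WEAK_CONFIG = "listen=YES\nanonymous_enable=YES\nlocal_enable=YES\nwrite_enable=YES\n"

# Constructed sample: TLS offered but not enforced, so a client may still
# log in over plaintext (a common half-finished hardening)
PARTIAL_CONFIG = ("listen=YES\nanonymous_enable=NO\nlocal_enable=YES\n"
                  "ssl_enable=YES\nforce_local_logins_ssl=NO\n")

# Constructed sample: logins and data forced onto TLS; cert paths are placeholders
HARDENED_CONFIG = ("listen=YES\nanonymous_enable=NO\nlocal_enable=YES\nssl_enable=YES\n"
                   "force_local_logins_ssl=YES\nforce_local_data_ssl=YES\nssl_sslv2=NO\n"
                   "ssl_sslv3=NO\nrsa_cert_file=/etc/ssl/certs/ftp.example.pem\n"
                   "rsa_private_key_file=/etc/ssl/private/ftp.example.key\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("partial", PARTIAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_vsftpd(cfg) or "OK")
```

A QSA reviewing the "appropriate security features" would want this kind of evidence for every FTP endpoint in scope, alongside the documented business justification.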

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.