Diff: FAQ #1076

Is it permissible to use FTP if proper security measures are implemented?

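Earlier Version

FTP is considered an insecure protocol as it does not provide protection for its communication channel or logon details.

PCI DSS Requirement 1.1.6 states that firewalls and router configurations must include a business justification for the use of insecure protocols over the network, and that appropriate security features must be documented and implemented for the use of such protocols. Additionally per PCI DSS Requirement 2.2.3, system configuration standards must include the implementation of security features to any insecure protocols.

Examples of security features may include the use of secure FTP software, or tunneling the FTP connection over a secure channel, such as IPSec, SSH or SSL/TLS.

(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)

Later Version

FTP is considered an insecure protocol as it does not provide protection for its communication channel or logon details.

PCI DSS Requirement 1 states that network security controls (NSCs), such as firewalls and other network security technologies, must include a business justification for the use of insecure protocols over the network and that appropriate security features must be documented and implemented for the use of such protocols. Additionally, per PCI DSS Requirement 2, system configuration standards must include the implementation of security features for any insecure protocols.

Examples of security features may include the use of secure FTP software, or tunneling the FTP connection over a secure channel, such as IPSec, SSH or TLS.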

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.