FTP Server PCI Compliance
Serv-U MFT Server meets the inbound/outbound traffic and data-at-rest requirements in PCI DSS 3.2 through an architecture that uses Serv-U Gateway as a reverse proxy in the DMZ. It also meets other PCI DSS 3.2 requirements, as detailed below.
Serv-U Gateway meets PCI DSS 3.2 requirements.
Serv-U Gateway is Serv-U’s reverse proxy.
Both Serv-U and Serv-U Gateway can be clustered for HA.
Serv-U MFT Server PCI DSS 3.2 Guide
The new requirements introduced in PCI DSS 3.2 become mandatory on February 1, 2018, so now is the time to prepare. This guide helps you deploy Serv-U MFT Server securely when it handles cardholder data or operates within the Cardholder Data Environment (CDE). Many PCI DSS items concern policy and procedure and are omitted here; others also apply to software such as Serv-U MFT Server, and those are covered below.
Requirement #1: Install and maintain a firewall configuration to protect cardholder data
This requirement limits network exposure. A Serv-U MFT Server deployment helps by restricting the protocols and ports that must be opened between network zones.
1.1 - Plan and document the firewall and router configuration
- Because Serv-U MFT Server transports cardholder data, it is part of the CDE’s security architecture, and you should document its configuration settings as part of this requirement. You must also update both the Internet-facing firewall and the DMZ-to-internal-network firewall to allow only the protocols and ports Serv-U MFT Server uses.
- Consult the Serv-U MFT Server firewall/router configuration guide for the current recommendations.
1.1.2 - Update your network diagram to include the ports into and out of Serv-U MFT Server.
1.1.3 - Update your current data flow diagram, which shows all cardholder data flows across systems and networks. Because Serv-U MFT Server moves cardholder data, this diagram must include it.
1.2 - Restrict connections between untrusted networks
- Use Serv-U Gateway to terminate inbound connections in the DMZ. Block all connections initiated from the Serv-U Gateway into the internal network: the Serv-U MFT Server on the internal network initiates the connection out to the Gateway, so no inbound rule from the DMZ to the internal network is required.
1.3 - Prohibit direct access from the Internet
- For transferring cardholder data, deploy Serv-U Gateway in the DMZ so that no Internet host connects directly to CDE system components.
1.3.4 - Do not allow unauthorized outbound traffic from the CDE to the Internet
- By configuring the Serv-U MFT Server to route all cardholder data transfers via the Serv-U Gateway in the DMZ, you simplify the network topology and limit the pathways for cardholder data. This reduces the risk of unauthorized outbound traffic.
Requirement #2: Do not use vendor-supplied defaults for system passwords and other security parameters
Default passwords are a commonly exploited vulnerability, which is why they have their own requirement.
2.1 - Change vendor defaults
- A standard best practice is to change default administrative passwords and lock down the administrative ports. Serv-U MFT Server also offers additional protections, such as configurable limits on client connections to mitigate the risk of client password brute forcing.
2.2 - Develop configuration standards for all system components. Ensure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards
- The Serv-U MFT Server architecture limits the exposed network interfaces and shrinks the available attack surface. Additionally, Serv-U Gateway lets you suppress the server name and version normally sent in the SSH banner, reducing the identifying information that probing tools can collect.
2.2.1 - Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server
- The Serv-U MFT Server architecture natively isolates functions: the Gateway front end, the server, the database, and the clients are all segregated.
2.3 - Encrypt all remote administrative access
- Serv-U MFT Server uses HTTPS to secure its remote administrative access. Disable deprecated SSL protocols and early TLS on Serv-U MFT Server; PCI DSS 3.2 requires migration off SSL and TLS 1.0 by June 30, 2018. See the PCI DSS 3.2 encryption guidance in the following SolarWinds article on THWACK: Using Managed File Transfer with PCI Cardholder Data.
Requirement #3: Protect stored cardholder data
Because cyber criminals have evolved their techniques, defensive requirements have to adapt as well. Serv-U MFT Server can assist by helping to ensure data is not stored in vulnerable locations.
3.1 - Enforce data retention and disposal
- Serv-U MFT Server offers robust policy-driven data retention and automatic deletion options. Policies can be set based on file size, time, and type. Additional controls include event-triggered deletion, which automatically deletes files upon download.
3.2 - Do not store sensitive authentication data after authorization (even if encrypted)
- Serv-U Gateway can be configured so that no cardholder data is ever stored in the DMZ: it relays traffic to the internal Serv-U MFT Server without writing transferred files to disk.
3.5 - Protect cryptographic keys
- All Serv-U MFT Server encryption keys are stored in encrypted format.
Requirement #4: Encrypt transmission of cardholder data across open, public networks
This requirement focuses on ensuring that cardholder data is never transmitted in plaintext. Serv-U MFT Server supports a variety of encryption options.
4.1 - Use strong cryptography and security protocols to safeguard sensitive data during transmission
- Serv-U MFT Server supports several secure transmission protocols, including FTPS, SFTP and HTTPS.
- Serv-U MFT Server offers FIPS 140-2 validated cryptography and supports TLS configurations recommended by NIST SP 800-52. For an extensive review of cryptography selection for PCI DSS 3.2, see the Using Managed File Transfer with PCI Cardholder Data THWACK post cited above.
4.2 - Never send sensitive data using end-user messaging technologies
- When using Serv-U MFT Server for your PCI cardholder data transfer needs, no cardholder data is transferred from the CDE to business partners or for further processing using end-user messaging. Messaging protocols such as email are configurable and only used for alerts or activity messaging, never for data transfer.
Requirement #5: Use and regularly update antivirus software and programs
5.1 - Deploy antivirus software
- Serv-U MFT Server works with all major antivirus software packages to process all transferred data files. You can configure the antivirus processing to launch and scan before, during, or just after data transmission.
Requirement #6: Develop and maintain secure systems and applications
This requirement focuses on assurance for systems and applications. Many data breaches occur because of unpatched systems.
6.2 - Help to ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches
- Our security vulnerability remediation strategy prioritizes developing patches or workarounds for identified vulnerabilities. We also update our knowledge base with information about major vulnerabilities that are relevant to our Serv-U MFT Server functions, even if Serv-U MFT Server is not vulnerable.
Requirement #7: Restrict access to cardholder data by business need-to-know basis
This requirement focuses on authorization. Serv-U MFT Server offers a variety of authorization options.
7.1 - Limit access to system components and cardholder data to only those individuals whose job requires access
7.1.1 - Define access requirements for each role
- Serv-U MFT Server integrates with your Active Directory® domain and other authentication infrastructure to help ensure that provisioning and deprovisioning activities apply immediately to Serv-U MFT Server authentication and authorization processes.
- Additionally, Serv-U MFT Server provides a hierarchical membership model with complete flexibility to create authorization roles necessary to support the proper handling of cardholder data.
7.2 - Establish an access control system(s) for system components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
7.2.2 - Assign privileges to individuals based on job classification and function
- Serv-U MFT Server provides an access control system with separate read, write, list, and delete rights, plus quota, bandwidth, and alert settings that can be applied to all users, to groups of users, or to individual users. These fine-grained access rights are inherited from group templates, helping to ensure users receive only the rights and privileges they need to complete their assigned responsibilities.
7.2.3 - Default “deny-all” setting
- By using inheritable templates, the default privilege level can be set to limited or no access, so a user receives nothing beyond what is explicitly granted to the user or to the user’s groups.
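The deny-all default and template inheritance described in 7.2.2 and 7.2.3 are easier to reason about with a concrete resolver. The following is an added example written for this guide, not Serv-U MFT Server’s own permission engine: it models directory-scoped grants that a user inherits from group templates, lets a per-user entry override them, and treats any path with no matching entry as “deny all”. The template names, user names, and directory grants are constructed for the example.

```python
"""Deny-by-default access resolution with inheritable group templates.

Illustrative model only (not Serv-U MFT Server's implementation).  Grants are
keyed by directory; the most specific matching directory wins, a per-user entry
overrides template entries, and no matching entry at all means no rights.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

RIGHTS = frozenset({"read", "write", "list", "delete"})
Grants = Dict[str, FrozenSet[str]]   # directory -> rights explicitly granted there


@dataclass
class Template:
    """A group template: rights that members inherit unless overridden per user."""
    name: str
    grants: Grants = field(default_factory=dict)


@dataclass
class User:
    name: str
    groups: List[Template] = field(default_factory=list)
    grants: Grants = field(default_factory=dict)   # per-user entries override templates


def _norm(path: str) -> str:
    """Trailing slash so '/cards' never matches '/cards-archive/...' as a prefix."""
    return path if path.endswith("/") else path + "/"


def _most_specific(grants: Grants, path: str) -> Optional[FrozenSet[str]]:
    """Rights from the longest directory that covers `path`; None if nothing covers it."""
    p = _norm(path)
    best: Optional[FrozenSet[str]] = None
    best_len = -1
    for directory, rights in grants.items():
        d = _norm(directory)
        if p.startswith(d) and len(d) > best_len:
            best, best_len = rights, len(d)
    return best


def effective_rights(user: User, path: str) -> FrozenSet[str]:
    """Resolution order: user's own entry, then union of template entries, then deny all."""
    own = _most_specific(user.grants, path)
    if own is not None:
        return own & RIGHTS
    inherited: FrozenSet[str] = frozenset()
    for tpl in user.groups:
        r = _most_specific(tpl.grants, path)
        if r is not None:
            inherited |= r
    return inherited & RIGHTS   # empty set is the "deny all" default


def is_allowed(user: User, path: str, right: str) -> bool:
    return right in effective_rights(user, path)


# Constructed sample data (hypothetical template, users and directories).
CARD_TEAM = Template("card-processors", {"/cards": frozenset({"read", "list"})})
alice = User("alice", [CARD_TEAM], {"/cards/outbound": frozenset({"list", "write"})})
mallory = User("mallory")   # no template membership and no explicit grants

if __name__ == "__main__":
    for p in ("/cards/batch.csv", "/cards/outbound/report.csv", "/cards-archive/old.csv", "/hr/salaries.xlsx"):
        print(f"{p:32} alice={sorted(effective_rights(alice, p))} mallory={sorted(effective_rights(mallory, p))}")
```

Two details matter for a deny-all design: the resolver returns an empty set, never a default “read”, when no entry covers the path; and directories are compared with a trailing slash, so a grant on `/cards` does not leak onto `/cards-archive`.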
Requirement #8: Identify and authenticate access to system components
Authentication precedes authorization, and Serv-U MFT Server offers a number of authentication integrations and options.
8.1.1 - Assign unique IDs
- Serv-U MFT Server can support integration directly to your Active Directory or LDAP identity provisioning system. This helps guarantee that IDs are individual and deprovisioned automatically, limiting the risk that an unauthorized user will retain access.
8.2 - Use passwords or strong authentication
- Serv-U MFT Server supports both single-factor and multi-factor authentication using passwords and client keys.
8.3 - Use two-factor authentication for remote access
- Serv-U MFT Server supports two-factor authentication using passwords and a client key. Client keys can be generated using a built-in Serv-U MFT Server key generator, or imported from third-party solutions.
8.4 - Send and store passwords securely
- Serv-U MFT Server uses secure protocols such as FTPS, SFTP, and HTTPS to exchange credentials, so passwords are encrypted in transit and cannot be sniffed while a client connects.
- Serv-U MFT Server stores passwords only as the output of a secure hashing function, so plaintext passwords are never stored on the server.
8.5 - Enforce proper user management and use automation when available
- Serv-U MFT Server includes a broad range of identity and access management features, including enforced password strength, password-history (reuse) restrictions, and password resets. In addition, Serv-U MFT Server can automatically age, send notifications about, and disable old user accounts.
- Serv-U MFT Server supports customized login banners to communicate authentication procedures and policies.
- Serv-U MFT Server can be configured to automatically lock out clients after too many login attempts.
Requirement #9: Restrict physical access to cardholder data
- Physical access controls are procedural and site-specific; they are among the policy items this software guide does not cover.
Requirement #10: Track and monitor all access to network resources and cardholder data
This requirement focuses on assurance through monitoring. By generating sufficient log data, accidental and intentional misuse can be quickly identified.
10.1 - Implement audit trails to link all access to system components to each individual user
- Serv-U MFT Server logs are extensive and can be configured to record every activity. Forward these logs to a SIEM solution, such as SolarWinds Log and Event Manager, to alert on activity that could indicate an attack or a compliance violation and to produce the detailed reports auditors expect as evidence of continuous compliance.
10.3 - Help to ensure user ID, event type, time stamp, success/failure, origination, and target ID appear in log entries
- Each of these elements is included in all log entries generated by Serv-U MFT Server.
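Whether the six 10.3 elements actually reach the SIEM, and whether the SIEM can act on them (the lockout and brute-force concerns under 8.5 and 10.1), is worth checking with code rather than by inspection. The following is an added example written for this guide; the key=value record format and the log lines are constructed for illustration and are not Serv-U MFT Server’s native log format, so map your real field names onto `REQUIRED_FIELDS` before running it against production logs. It checks each record for the 10.3 elements (rejecting timestamps with no time zone, which cannot be correlated under 10.4) and flags any source address with repeated failed logins inside a sliding window.

```python
"""Audit-log checks for PCI DSS 10.3 completeness and failed-login bursts.

Added example; the key=value format and SAMPLE_LOG below are constructed and
are not Serv-U MFT Server's own log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# PCI DSS 10.3 elements: user ID, event type, date and time, success/failure,
# origination of the event, and identity of the affected data/component/resource.
REQUIRED_FIELDS = ("user", "event", "time", "result", "src", "target")

_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Parse one key=value audit line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _TOKEN.findall(line)}


def _timestamp(rec: Dict[str, str]) -> Optional[datetime]:
    """Timezone-aware timestamp, or None when it is absent, malformed, or naive."""
    try:
        ts = datetime.fromisoformat(rec.get("time", "").replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def missing_fields(rec: Dict[str, str]) -> List[str]:
    """10.3 elements that are absent or unusable in this record."""
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    # A naive or unparseable time cannot be correlated with other systems (10.4).
    if "time" not in missing and _timestamp(rec) is None:
        missing.append("time")
    if "result" not in missing and rec["result"].upper() not in ("SUCCESS", "FAILURE"):
        missing.append("result")
    return missing


def incomplete_records(records: Iterable[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """(1-based record number, missing elements) for every record that fails 10.3."""
    out = []
    for n, rec in enumerate(records, start=1):
        gaps = missing_fields(rec)
        if gaps:
            out.append((n, gaps))
    return out


def failed_logins_by_source(records: Iterable[Dict[str, str]], threshold: int = 5,
                            window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Sources with at least `threshold` failed logins inside any sliding `window`.
    Returns {source: peak number of failures seen within one window}."""
    failures = defaultdict(list)
    for rec in records:
        if rec.get("event") == "LOGIN" and rec.get("result") == "FAILURE" and rec.get("src"):
            ts = _timestamp(rec)
            if ts is not None:
                failures[rec["src"]].append(ts)
    flagged = {}
    for src, times in failures.items():
        recent = deque()
        peak = 0
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed sample log (hypothetical users, RFC 5737 documentation addresses).
SAMPLE_LOG = """\
time=2018-02-01T10:00:01Z user=alice event=LOGIN result=SUCCESS src=203.0.113.5 target=sftp
time=2018-02-01T10:00:03Z user=alice event=DOWNLOAD result=SUCCESS src=203.0.113.5 target=/cards/batch-0201.csv
time=2018-02-01T10:00:10Z user=admin event=LOGIN result=FAILURE src=198.51.100.7 target=sftp
time=2018-02-01T10:00:12Z user=admin event=LOGIN result=FAILURE src=198.51.100.7 target=sftp
time=2018-02-01T10:00:14Z user=root event=LOGIN result=FAILURE src=198.51.100.7 target=sftp
time=2018-02-01T10:00:16Z user=root event=LOGIN result=FAILURE src=198.51.100.7 target=sftp
time=2018-02-01T10:00:18Z user=test event=LOGIN result=FAILURE src=198.51.100.7 target=sftp
time=2018-02-01T10:00:20Z user=test event=LOGIN result=FAILURE src=198.51.100.7 target=sftp
time=2018-02-01T10:00:30Z user=bob event=LOGIN result=FAILURE src=192.0.2.44 target=https
time=2018-02-01T10:00:45Z user=bob event=LOGIN result=SUCCESS src=192.0.2.44 target=https
time=2018-02-01 10:01:00 user=carol event=UPLOAD result=SUCCESS src=192.0.2.60 target=/cards/inbound/x.csv
time=2018-02-01T10:01:05Z user=carol event=DELETE result=SUCCESS src=192.0.2.60
"""


def run_sample() -> Tuple[List[Tuple[int, List[str]]], Dict[str, int]]:
    records = [parse_record(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return incomplete_records(records), failed_logins_by_source(records)


if __name__ == "__main__":
    incomplete, flagged = run_sample()
    print("records failing 10.3:", incomplete)
    print("sources with failed-login bursts:", flagged)
```

On the sample, record 11 fails because its timestamp carries no time zone, record 12 fails because the affected resource is missing, and 198.51.100.7 is flagged with six failures in ten seconds while bob’s single failure before a successful login is not. The threshold and window should be set to the same values as the server-side lockout so the SIEM alert and the lockout agree.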
10.4 - Synchronize clocks on multiple systems
- Serv-U MFT Server relies on the clock of the host operating system; configure time synchronization (for example NTP) on the Windows® or Linux® host so that Serv-U MFT Server log timestamps agree with the rest of the CDE.
10.7 - Retain logs for a certain amount of time
- Serv-U MFT Server includes automatic log rotation and retention settings for each domain. PCI DSS 10.7 requires at least one year of audit-trail history, with a minimum of three months immediately available for analysis; configure rotation, retention, and any export to your SIEM so that logs are not discarded before then.
Requirement #11: Regularly test security systems and processes
This requirement supports the integrity of the CDE through automated and process-based testing. Serv-U MFT Server supports this by providing verifiable executables as part of the deployment: installation files and executables are signed with an X.509 code-signing certificate, so unauthorized modification or deployment of tampered software can be detected by validating the signature before installation.
Serv-U MFT Server also uses internal integrity checks to help ensure that the files it depends on are valid.
Serv-U MFT Server uses FIPS 140-2 validated cryptography, which means the cryptographic module runs its power-up self-tests when it is initialized, detecting tampering with the module before any key is used.
Requirement #12: Maintain a policy that addresses information security for all personnel
- This requirement is met through organizational policy and is among the procedural items this software guide does not cover.
Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers
A.1 - Protect each entity’s hosted environment and data
- Serv-U MFT Server supports, and is frequently deployed as, a multi-domain (multi-tenant) system in which separate groups of administrators control their own domains (users, folders, permissions, and so on), with each domain a separate logical unit.
- Serv-U MFT Server also supports virtualization technology such as VMware where operating system units are used to separate different business units, partners or customers.