Serv-U® Managed File Transfer (MFT) Server meets the inbound/outbound traffic and data at rest requirements in the Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2 through the use of an architecture that utilizes Serv-U Gateway as a reverse proxy. It also meets other PCI DSS 3.2 requirements as detailed below.
Serv-U MFT Server PCI DSS 3.2 Guide
PCI DSS 3.2 will go into effect on February 1, 2018, but now is the time to prepare. This guide will help you deploy Serv-U MFT Server so that you can better handle cardholder data or use the software within the Cardholder Data Environment (CDE). Many PCI DSS items are related to your internal policy and procedures (and have thus been omitted here), but others are applicable to software, such as Serv-U MFT Server. We have set forth some of the PCI DSS items below for discussion.
Requirement #1: Install and maintain a firewall configuration to protect cardholder data
This requirement is designed to limit network risk. Your Serv-U MFT Server implementation helps by restricting protocols.
1.1 - Plan and document the firewall and router configuration
As Serv-U MFT Server will be transporting cardholder data, it is considered part of the CDE’s security architecture. You should document your configuration settings for Serv-U MFT Server itself as part of this requirement. Additionally, you must update both the internet request connecting firewall and the demilitarized zone (DMZ) to the internal network firewall to allow the protocols for Serv-U MFT Server use.
Consult the Serv-U MFT Server firewall/router configuration guide for our current recommendations.
1.1.2 - Update your network diagram to include the ports into and out of Serv-U MFT Server
1.1.3 - Update your current data flow diagram that shows all cardholder data flows across systems and networks. If Serv-U MFT Server moves cardholder data, you should update this diagram
1.2 - Restrict connections between untrusted networks
Use Serv-U Gateway to terminate inbound connections in the DMZ. Block any connections from the Serv-U Gateway to the internal network. All data moved to the internal network should be initiated from trusted Serv-U MFT Server clients on the internal network.
1.3 - Prohibit direct access from the internet
For transferring cardholder data, deploy the Serv-U Gateway in the DMZ to eliminate direct access between the internet and CDE system components.
1.3.4 - Do not allow unauthorized outbound traffic from the CDE to the internet
By configuring the Serv-U MFT Server to route all cardholder data transfers via the Serv-U Gateway in the DMZ, you simplify the network topology and limit the pathways for cardholder data. This reduces the risk of unauthorized outbound traffic.
Requirement #2: Do not use vendor-supplied defaults for system passwords and other security parameters
Default passwords are a commonly exploited vulnerability, which is why they have their own requirement.
2.1 - Change vendor defaults
A standard best practice is to change default administrative passwords to lock down the administrative ports. Serv-U MFT Server also offers additional protections, such as configurable limits on client connections to mitigate the risk of client password brute forcing.
2.2.1 - Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server
The Serv-U MFT Server architecture is designed to natively isolate functions. Front end, databases, and clients are all segregated.
2.2 - Develop configuration standards for all system components. Ensure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards
The Serv-U MFT Server software’s architecture limits the exposed network interfaces and shrinks the available attack surface. Additionally, the Serv-U Gateway allows you to omit the server name and version passed through in SSH® configurations. This reduces the risk of leaking identification information through probing tools.
2.3 - Encrypt all remote administrative access
Serv-U MFT Server uses HTTPS, which is designed to help secure its remote administrative access. Deprecated SSL protocols are not recommended for use on Serv-U MFT Server. See the PCI DSS 3.2 encryption guidance in the following SolarWinds article on THWACK®: Using Managed File Transfer with PCI Cardholder Data.
Requirement #3: Protect stored cardholder data
Because cyber criminals have evolved their techniques, defensive requirements have to adapt as well. Serv-U MFT Server can assist by helping to ensure data is not stored in vulnerable locations.
3.1 - Enforce data retention and disposal
Serv-U MFT Server offers robust policy-driven data retention and automatic deletion options. Policies can be set based on file size, time, and type. Additional controls include event-triggered deletion, which automatically deletes files upon download.
3.2 - Do not store sensitive authentication data after authorization (even if encrypted)
The Serv-U Gateway can be configured to prevent any cardholder data from being stored in the DMZ.
3.5 - Protect cryptographic keys
All Serv-U MFT Server encryption keys are stored in encrypted format (discussed further below).
Requirement #4: Encrypt transmission of cardholder data across open, public networks
This requirement focuses on helping to assure that data is kept not transmitted in plain text form. Serv-U MFT Server supports a variety of encryption options.
4.1 - Use strong cryptography and security protocols to safeguard sensitive data during transmission
Serv-U MFT Server is designed to support several secure transmission protocols, including FTPS, SFTP and HTTPS. Serv-U MFT Server offers FIPS 140-2 validated cryptography and supports NIST 800-52 recommended TLS configurations. For an extensive review of cryptography selection for PCI 3.2, see the Using Managed File Transfer with PCI Cardholder Data THWACK post cited above.
4.2 - Never send sensitive data using end-user messaging technologies
When using Serv-U MFT Server for your PCI cardholder data transfer needs, no cardholder data is transferred from the CDE to business partners or for further processing using end-user messaging. Messaging protocols such as email are configurable and only used for alerts or activity messaging, never for data transfer.
Requirement #5: Use and regularly update antivirus software and programs
5.1 - Deploy antivirus software
Serv-U MFT Server works with major antivirus software packages to process transferred data files. You can configure the antivirus processing to launch and scan before, during, or just after data transmission.
Requirement #6: Develop and maintain secure systems and application
This requirement focuses on assurance for systems and applications. Many data breaches occur because of unpatched systems.
6.2 - Help to ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches
Our security vulnerability remediation strategy prioritizes developing patches or workarounds for identified vulnerabilities. We also update our knowledge base with information about major vulnerabilities that are relevant to our Serv-U MFT Server functions, even if Serv-U MFT Server is not vulnerable.
Requirement #7: Restrict access to cardholder data by business need-to-know basis
This requirement focuses on authorization. Serv-U MFT Server offers a variety of authorization options.
7.1 - Limit access to system components and cardholder data to only those individuals whose job requires access
7.1.1 - Define access requirements for each role
Serv-U MFT Server integrates with your Active Directory®, domain and other authentication infrastructure to help ensure that provisioning and deprovisioning activities apply immediately to Serv-U MFT Server authentication and authorization processes.
Additionally, Serv-U MFT Server provides a hierarchical membership model with complete flexibility to create authorization roles necessary to support the proper handling of cardholder data.
7.2 - Establish an access control system(s) for system components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
7.2.2 - Assign privileges to individuals based on job classification and function
Serv-U MFT Server provides an access control system with separate read, write, list, and delete rights, plus extra quota, bandwidth, and alerts for all, groups of users, or specific users. These fine-grained access rights are inheritable from group templates, helping to ensure users receive only the rights and privileges they need to complete their assigned responsibilities.
7.2.3 - Default “deny-all” setting
The default privilege level can be set to limited or no access by using inheritable templates.
Requirement #8: Identify and authenticate access to system components
Authentication precedes authorization, and Serv-U MFT Server offers a number of authentication integrations and options.
8.1.1 - Assign unique IDs
Serv-U MFT Server can support integration directly to your Active Directory or LDAP identity provisioning system. This helps guarantee that IDs are individual and deprovisioned automatically, limiting the risk that an unauthorized user will retain access.
8.2 - Use passwords or strong authentication
Serv-U MFT Server supports both single-factor and multi-factor authentication using passwords and client keys.
8.3 - Use two-factor authentication for remote access
Serv-U MFT Server supports two-factor authentication using passwords and a client key. Client keys can be generated using a built-in Serv-U MFT Server key generator, or imported from third-party solutions.
8.4 – Managing Authentication
Serv-U MFT Server uses protocols like FTPS, SFTP, and HTTPS.
Serv-U MFT Server is designed to store passwords as transformed by secure hashing techniques to help ensure plaintext passwords are not stored on Serv-U MFT Server. User passwords are encrypted in transit to help ensure they cannot be snooped as part of connecting to Serv-U MFT Server.
8.5 - Enforce proper user management and use automation when available
Serv-U MFT Server includes a broad range of identity and access management features, including enforced password strength, password reuse, and password resets. In addition, Serv-U MFT Server can automatically age, send notifications about, and shut down old user accounts.
Serv-U MFT Server encourages the customization of login banners to communicate authentication procedures and policies.
Serv-U permits customization of banners to communicate authentication procedures and policies.
Serv-U MFT Server can be configured to automatically lock out clients after too many login attempts.
Requirement #9: Restrict physical access to cardholder data
Requirement #10: Track and monitor all access to network resources and cardholder data
This requirement focuses on assurance through monitoring. By generating sufficient log data, accidental and intentional misuse can be quickly identified.
10.1 - Implement audit trails to link all access to system components to each individual user
Serv-U MFT Server logs are extensive and can be configured to generate log entries for all activities. These logs can be integrated into a SIEM solution, such as SolarWinds® Log & Event Manager. SolarWinds Log & Event Manager is designed to take further actions on log activity that could be a sign of security vulnerability or a compliance violation, which produces detailed reports to demonstrate continuous compliance for auditors.
10.3 - Help to ensure user ID, event type, time stamp, success/failure, origination, and target ID appear in log entries
Each of these elements, user ID, event type, time stamp, success/failure, origination, and target ID, is included in all log entries generated by Serv-U MFT Server.
10.4 - Synchronize clocks on multiple systems
Serv-U MFT Server supports time synchronization performed through local Windows® and Linux® operating systems.
10.7 - Retain logs for a certain amount of time
Serv-U MFT Server includes automatic log rotation and retention settings for each domain. The administrator can configure these settings to help the administration establish this aspect of PCI compliance.
Requirement #11: Regularly test security systems and processes
This requirement supports the integrity of the CDE though automated and process-based testing. Serv-U MFT Server supports this by providing verifiable executables as part of the Serv-U MFT Server deployment. Serv-U MFT Server installation files and executables are signed with an X.509 certificate to help detect unauthorized modifications or deployment of compromised software.
Serv-U MFT Server software uses additional internal integrity checks to help ensure that files it depends on are valid.
Serv-U MFT Server uses FIPS 140-2 cryptography, which means that an internal “self test” is performed during the initialization of cryptography components to detect and prevent tampering.
Requirement #12: Maintain a policy that addresses information security for all personnel
Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers
A.1 - Protect each entity’s hosted environment and data
Serv-U MFT Server supports and is frequently deployed as a multi-homed system, where separate groups of administrators control their own domains (users, folders, permissions, etc.), and each domain is a separate logical unit.
Serv-U MFT Server also supports virtualization technology such as VMware® where operating system units are used to separate different business units, partners or customers.