Frequently Asked Question
Is it permissible to use FTP if proper security measures are implemented?
FTP is considered an insecure protocol as it does not provide protection for its communication channel or logon details. PCI DSS Requirement 1 states that network security controls (NSCs), such as firewalls and other network security technologies, must include a business justification for the use of insecure protocols over the network and that appropriate security features must be documented and implemented for the use of such protocols. Additionally, per PCI DSS Requirement 2, system configuration standards must include the implementation of security features for any insecure protocols. Examples of security features may include the use of secure FTP software, or tunneling the FTP connection over a secure channel, such as IPsec, SSH or TLS.