Ensure PCI Data Security Requirements are met with Globalscape EFT Server
If you are looking to ensure PCI Data Security requirements are met, the Globalscape EFT Server PCI Suite from HANDD has been specifically tailored with PCI compliance in mind. To deploy the software successfully, however, it is important to understand how EFT Server meets these requirements.
Globalscape’s approach is to deploy a two-tiered architecture: a secure back-end network where EFT Server is installed, and a DMZ segment, the “edge” of the network, which is internet facing.
The DMZ Gateway is an extremely important component of the deployment. It is best described as a reverse proxy, although its communication with the back-end server differs from the traditional reverse proxy you may be familiar with. All communication is initiated by EFT Server to the DMZ Gateway, so no firewall rules or exceptions are needed to allow incoming connections from the DMZ to the internal network. Once EFT Server has created the connection to the DMZ Gateway, all client connection requests are authenticated against back-end resources, so no authentication data needs to be stored in the DMZ. Once a session is established and the data transfer takes place, the target for that data is on the back-end network. For this reason the DMZ Gateway may be referred to as a “streaming proxy”: data is not stored for any length of time in the DMZ. In fact, the client’s original encryption is not broken until the data arrives at the back-end target.
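The following model illustrates the connection pattern described above. It is an added example, not Globalscape or HANDD code, and the class, method and message names are assumptions: the back end opens the only internal-to-DMZ channel, the gateway relays authentication inward rather than holding credentials, and upload data is streamed through to the back-end target instead of being kept in the DMZ.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class BackEnd:
    """Internal EFT Server (assumed model): owns credentials and the data target."""
    users: dict                     # username -> sha256(password) hex, constructed sample
    storage: dict = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> bool:
        digest = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(self.users.get(user, ""), digest)

    def append(self, user: str, name: str, chunk: bytes) -> None:
        self.storage[(user, name)] = self.storage.get((user, name), b"") + chunk

@dataclass
class DmzGateway:
    """Edge proxy (assumed model): holds no credentials and no file data, only the
    channel the back end opened toward it and a log of connection directions."""
    channel: Optional[BackEnd] = None
    connection_log: list = field(default_factory=list)

    def accept_backend(self, backend: BackEnd) -> None:
        # The one internal<->DMZ connection is initiated from the inside.
        self.connection_log.append("internal->dmz (initiated by EFT Server)")
        self.channel = backend

    def handle_client(self, user, password, name, chunks) -> str:
        self.connection_log.append("internet->dmz (client)")
        if self.channel is None:            # gateway cannot dial inward on its own
            return "refused: no back-end channel"
        if not self.channel.authenticate(user, password):   # auth relayed inward
            return "refused: authentication failed"
        for chunk in chunks:                # streamed through, never stored here
            self.channel.append(user, name, chunk)
        return "ok"

def run_demo() -> dict:
    """Constructed scenario: one attempt before the back end has connected,
    one bad password, one authorised upload."""
    backend = BackEnd(users={"alice": hashlib.sha256(b"s3cret").hexdigest()})
    gw = DmzGateway()
    early = gw.handle_client("alice", "s3cret", "report.txt", [b"x"])
    gw.accept_backend(backend)
    bad = gw.handle_client("alice", "wrong", "report.txt", [b"x"])
    good = gw.handle_client("alice", "s3cret", "report.txt", [b"hello,", b"world"])
    return {"early": early, "bad": bad, "good": good,
            "backend_file": backend.storage.get(("alice", "report.txt")),
            "gateway_fields": set(vars(gw)),      # what the DMZ actually holds
            "log": gw.connection_log}
```

The gateway's only state is the inbound-initiated channel and a connection log; an auditor can check that no entry in the log is a DMZ-to-internal connection.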
EFT Server offers a host of settings for different security applications and activities. Some of these settings may or may not be compliant with the PCI specifications. For this reason, adding the High Security Module to the EFT Server platform gives you a single-click option to configure the server with PCI-compliant settings. Of course, after the server is set up those settings may be changed. Any settings change outside the PCI scope must be accompanied by a compensating control, which is saved to the configuration. A full settings audit may be run at any time, so that you can provide a QSA with the current status on the fly; the audit also reports on any compensating controls that have been put in place. The High Security Module also enables password management, so that strict compliance with password reset and complexity requirements can be met.
As part of the PCI scope, you are also responsible for providing robust reporting on the daily transactions of the server. These transactions may include login activity, data transfers, event rules/post-processing, administrative changes to the server, etc. To meet this requirement, the Auditing & Reporting Module (ARM) may be added to the EFT Server platform. This enables all activity on the server to be logged to either SQL or Oracle in raw format. The ARM Module also includes a reporting tool with over 40 pre-configured reports that turn the raw audit data into readable, formatted reports. These reports would be used to meet any audit requests from the QSA. The reporting tool also has a custom report builder which allows you to create specific reports to your own liking. In some cases the change in the report is not a change in the data presented but a re-branding to your company’s look and feel.
The EFT Server PCI Suite from HANDD
EFT Server has a number of optional add-on modules that expand the functionality and security of the basic server software. HANDD have created an EFT Server + Module package specifically tailored to help ensure your data transfers are fully PCI Compliant. The EFT Server PCI Suite is comprised of the following:
- Enhanced File Transfer Server – EFT Server enables your organization to securely manage file transfers among worldwide offices, clients, and partners. EFT Server ensures the highest levels of compliance with government and corporate security policies and privacy regulations, including PCI-DSS, FIPS 140-2, HIPAA, and SOX.
- DMZ Gateway – When deployed alongside EFT Server, DMZ Gateway provides a multi-platform (Windows, Linux/Unix, Solaris), multi-tiered security solution that allows implementing the highest levels of security for data storage and retrieval, authentication and firewall traversal.
- High Security Module – Comply with FIPS 140-2 and PCI DSS 1.2, securely wipe deleted data, assign Active Directory accounts for EFT Server administration, and implement advanced password, account, and resource security policies.
- Auditing and Reporting Module – Capture all of the transactions passing through EFT Server, allowing you to query the data and view reports from EFT Server’s administrative console.
HANDD also provide a number of professional services, including file transfer consultancy, installation, training and support to help ensure your PCI compliant file transfer solution is up and running quickly and is fully functional at all times.
Transferring digital data in a secure way is a challenge that may be met in many different ways. To better secure these data transfers, a set of rules was created as guidelines, referred to as the Payment Card Industry (PCI) standards. PCI is actually a very broad set of rules put in place to manage sensitive credit card information, which includes the transfer of that information from one place to another. The PCI Security Standards Council does not provide specific certifications for products that meet those standards. Instead, environments are deployed according to the provided guidelines, and a Qualified Security Assessor (QSA) certifies the environment periodically, at a frequency based on the number of transactions the environment processes.