Need To Be PCI Compliant? Say Goodbye to FTP!
As of June 1st, having regular FTP enabled on your website invalidates PCI compliance. PCI is short for the Payment Card Industry Data Security Standard (PCI DSS), the set of rules for securing credit card data that every merchant who handles cards is expected to follow.
If you’re an ecommerce merchant and accept credit cards, you are required to be PCI compliant. Failure to be PCI compliant can subject your company to fees and fines.
The exact quote from our McAfee rep was:
On 31 May 2011 the CVSS2 score for ‘FTP Server Clear Text Authentication’ was raised to 7.5. This is now ‘Critical’ and assigned a Level 4 PCI Severity.
The reason behind this is that it is very easy to intercept and read the clear-text FTP username and password by sniffing. Having this information, anyone can upload, modify, delete, or abuse a website, database, etc. Many hosting companies still use FTP for their clients. The PCI Council is downgrading this practice, and mandates that more secure channels be used.
Translation: the de facto standard for uploading files to and downloading files from your account is now considered a security risk by the PCI Council. Or, in simpler terms: DON’T USE IT!
It’s a pain, but it’s manageable
Not using FTP may seem like a major problem, and it is a headache, but there are easy ways to work around it.
Here at LexiConn we spend a great deal of time helping our clients become PCI compliant. We make sure their PCI scans pass so they can prove PCI compliance to their merchant account and gateway providers. We have become “PCI experts” by force, because PCI is a requirement that cannot be ignored.
So what are the alternatives to FTP?
1. FTPS (FTP over TLS – Explicit)
Almost all modern FTP programs (I recommend FileZilla, a great free FTP program) support FTPS. FTPS is FTP with the control connection (and, with the usual client settings, the data connections too) wrapped in TLS, the same kind of encryption that protects your checkout page. With explicit FTPS the client still connects to the normal FTP port (21), but it sends an AUTH TLS command and completes the TLS handshake before the username and password are transmitted, so they never cross the network in the clear. In your client, change the encryption type from “Plain text FTP” to “FTP over TLS – Explicit“. (Don’t choose “Implicit”: it expects TLS from the first byte on a separate port, 990, and is not supported by us or by many other FTP servers.)
You may be prompted by your FTP program that the SSL certificate does not match your domain name. That is expected, because the shared FTP server presents one certificate for all of the accounts it hosts. Before you accept it, though, compare the certificate’s fingerprint with the one your host publishes (ask us for it): a warning you see on every connection trains you to click through, and a certificate accepted blindly could just as easily belong to someone intercepting the connection. Once the fingerprint matches, accept it and let your client remember it, so you are warned again only if the certificate changes.
NOTE: If you choose to go this route and are hosted by us, let us know you will now only use FTPS, and we can disable regular FTP for your account. This is an important step as this will allow your PCI scans to pass going forward.
2. SFTP (SSH File Transfer Protocol)
Another option is to connect via SFTP instead of regular FTP. Despite the name, SFTP is not FTP run over SSH; it is a separate file transfer protocol that runs inside an SSH session (normally on port 22), so the login and every file transfer are encrypted, and the server is authenticated by its SSH host key in the same way as a shell login. This is not enabled by default on most accounts, so contact us first if you want to use it. Many other hosts do not offer SFTP at all.
In your FTP program, you can change the Protocol from “FTP” to “SFTP“. It’s that easy.
I’d recommend FTPS/TLS over SFTP, as it uses a more standard connection with better logging. But SFTP is an option for those who want to use it.
NOTE: If you choose to go with SFTP, let us know, and we can disable FTP altogether for your account.
3. No FTP at all
If you do not connect to your site via FTP to upload files or images, and have no use for FTP, the easiest thing to do is have us disable FTP for your account. With nothing accepting plain FTP logins, the scan has nothing to flag.
We can re-enable FTP later if you need it, or you can switch to FTPS or SFTP for secure file transfers at any time.
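Before requesting the quarterly scan, it helps to check the account the way the scanner will. The script below is an added example, not code from LexiConn, McAfee or the scanner vendor: it connects to port 21 and asks the two questions that matter for options 1 and 3 above, whether the server will still take a login in the clear (the ‘FTP Server Clear Text Authentication’ finding) and whether it offers explicit TLS via AUTH TLS. On the TLS path it also records the SHA-256 fingerprint of the certificate the server presents, so the fingerprint can be compared with what the host tells you instead of accepted on sight. The host name, the throw-away probe user name and the two canned transcripts (modelled on common FTP server wording) are assumptions constructed for the example so that it runs offline.

```python
import hashlib
import socket
import ssl

PROBE_USER = "pci-probe"  # assumed throw-away name; the probe never sends PASS


class FtpSession:
    """Minimal FTP control-channel client over plain TCP (no data channel)."""

    def __init__(self, host, port=21, timeout=10):
        self.host = host
        self.sock = socket.create_connection((host, port), timeout)
        self.rfile = self.sock.makefile("rb")
        self.banner = self._reply()  # consume the 220 greeting

    def _reply(self):
        """Read one reply: RFC 959 ends a reply with 'NNN ' and opens a
        multi-line one (such as a FEAT list) with 'NNN-'."""
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("server closed the control connection")
            line = raw.decode("latin-1").rstrip("\r\n")
            lines.append(line)
            if line[:3].isdigit() and line[3:4] == " ":
                return int(line[:3]), "\n".join(lines)

    def talk(self, command):
        self.sock.sendall((command + "\r\n").encode("ascii"))
        return self._reply()

    def start_tls(self):
        """After a 234 reply to AUTH TLS: do the handshake and return the SHA-256
        of the server certificate. Verification is deliberately off here; the
        fingerprint is meant to be compared with what the host publishes."""
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        self.sock = ctx.wrap_socket(self.sock, server_hostname=self.host)
        self.rfile = self.sock.makefile("rb")
        return hashlib.sha256(self.sock.getpeercert(binary_form=True)).hexdigest()

    def close(self):
        try:
            self.talk("QUIT")
        except OSError:
            pass  # best effort; the server may already have dropped us
        self.sock.close()


def assess_ftp(open_session):
    """open_session() returns a fresh FtpSession or ScriptedSession; each probe
    uses its own connection because AUTH TLS changes the connection state."""
    findings = {}
    # Probe 1: USER in the clear. 331 or 230 means the server would take a
    # clear-text password next: the 'FTP Server Clear Text Authentication'
    # finding, flagged even if the same server also offers TLS. 530/534 before
    # any PASS is what 'regular FTP disabled' should look like.
    s = open_session()
    try:
        code, _ = s.talk(f"USER {PROBE_USER}")
    finally:
        s.close()
    findings["cleartext_login_accepted"] = code in (331, 230)
    # Probe 2: explicit TLS on the same port (FileZilla's 'FTP over TLS -
    # Explicit'); 234 means the server will upgrade this connection.
    s = open_session()
    try:
        code, _ = s.talk("AUTH TLS")
        findings["explicit_tls_offered"] = code == 234
        findings["server_cert_sha256"] = s.start_tls() if code == 234 else None
    finally:
        s.close()
    return findings


class ScriptedSession:
    """Offline stand-in for FtpSession, driven by canned replies keyed on the
    command verb (constructed sample data, not captured from a real server)."""

    def __init__(self, replies, cert_sha256="<constructed fingerprint>"):
        self.replies, self.cert_sha256 = replies, cert_sha256

    def talk(self, command):
        return self.replies[command.split()[0]]

    def start_tls(self):
        return self.cert_sha256

    def close(self):
        pass


# Constructed transcripts: a server that offers TLS but still takes clear-text
# logins (still fails the scan) and one that refuses logins until TLS is up.
LEGACY = {"USER": (331, "331 Please specify the password."),
          "AUTH": (234, "234 Proceed with negotiation."),
          "QUIT": (221, "221 Goodbye.")}
HARDENED = {"USER": (530, "530 Non-anonymous sessions must use encryption."),
            "AUTH": (234, "234 Proceed with negotiation."),
            "QUIT": (221, "221 Goodbye.")}
# Live use (assumed host name): assess_ftp(lambda: FtpSession("ftp.example.com"))
```

The two transcripts show the case that catches people out: the LEGACY server advertises TLS and works perfectly with “FTP over TLS – Explicit”, yet still answers a plain USER with 331, so the clear-text finding remains until plain logins are refused, which is what the HARDENED transcript (and “disable regular FTP for your account”) looks like from the outside.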
Is the future everything being encrypted?
With PCI becoming more and more stringent, it seems that any unencrypted communication involving your website or ecommerce application is becoming “illegal”. We often joke that soon no customer will be able to view your website unless it’s 100% encrypted, or offline!
With the right web host, PCI can be managed and PCI issues dealt with quickly to minimize the pain. If your current web host is not helping you with PCI issues, contact us. We provide a PCI compliant hosting environment and can help resolve PCI related issues so you pass your quarterly scan and, more importantly, so your customer data stays safe and secure.