
EFT Server High Security-PCI Add-on Module

Raise EFT Server security to the level required by the Payment Card Industry - Data Security Standard (PCI-DSS) 

The High Security-PCI add-on module achieves or exceeds security practices mandated by PCI-DSS, HIPAA, and Sarbanes-Oxley for data transfer, access, and storage.

The module ensures:
  • data is stored and disposed of securely
  • account and password security policies adhere to PCI-DSS
  • strong encryption ciphers and keys are used exclusively
  • violations are reported and compensating controls are applied
  • changes are monitored and recorded

Key Benefits

Protection of Data at Rest
The HS-PCI solution, in concert with EFT Server and DMZ Gateway server, helps organizations comply with data storage requirements, including not storing data in the network DMZ, using repository encryption, and securely sanitizing deleted data so that it cannot be reconstituted.

Protection of Data in Transit
The HS-PCI solution protects data in transit by enforcing the use of secure protocols, strong ciphers and encryption keys, and maintaining password policies that strictly follow PCI-DSS guidelines.

Controlled Access to Data
The High Security PCI solution lets you restrict accounts and require unique IDs for access. For user authentication, you can use an AD, NTLM, LDAP, or ODBC-compatible database or EFT Server's authentication manager to isolate a specific group of users from other groups in your domain. The Auditing and Reporting Module (ARM) captures all server activity in a fully relational database.

Ongoing PCI-DSS Compliance
With PCI DSS, you cannot "set it and forget it." Compliance, with the ultimate goal of securing sensitive company data, requires continuous monitoring and validation of security policies and controls. GlobalSCAPE makes it easy for an administrator to create and maintain file-transfer services that comply with the PCI standard. The solution provides a setup “wizard” that walks administrators through configuring a new PCI DSS-enabled file transfer service, sets default values for security settings, disallows low-security options, captures compensating controls, and generates a PCI DSS compliance report for auditing the system’s PCI DSS compliance status.

Achieving PCI compliance with EFT Server's High Security-PCI add-on module

The following table lists the PCI-DSS requirements and outlines specifically how GlobalSCAPE can help you become compliant. Setup wizards provide administrators with an easy, step-by-step method for configuring a new PCI-DSS-enabled site.

| PCI-DSS Requirements | EFT Server High Security-PCI Module |
| --- | --- |
| Requirement 1: Install and maintain a firewall configuration to protect cardholder data | Several requirements in this section are handled through EFT Server's companion product: DMZ Gateway |
| Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | Auto-configuration, reminders, warnings, and diagnostic checks for unsecure protocol use, vendor defaults used, and misconfigured security parameters. |
| Requirement 3: Protect stored cardholder data | Multiple validation checks for data encryption, use of strong encryption keys, and a powerful disk sanitization feature for wiping deleted data |
| Requirement 4: Encrypt transmission of cardholder data across open, public networks | Monitoring and enforcement of strong secure protocols and ciphers, including auto-redirect from non-secure to secure protocols |
| Requirement 5: Use and regularly update anti-virus software | Requires measures external to the High Security PCI module |
| Requirement 6: Develop and maintain secure systems and applications | Requires measures external to the High Security PCI module |
| Requirement 7: Restrict access to cardholder data by business need-to-know | Provides granular delegated administration controls over server functions according to need-to-know policies. |
| Requirement 8: Assign a unique ID to each person with computer access | Enforces password complexity, uniqueness, and related access control policies such as forced password reset and password expiration. |
| Requirement 9: Restrict physical access to cardholder data | Data sanitization securely removes data from physical media |
| Requirement 10: Track and monitor all access to network resources and cardholder data | The High Security module provides flexible, not mandatory compliance. A daily e-mailed report details current PCI status for all sites, including what is in compliance, where failures have occurred, and what choices have been made that prevent compliance. The reports also detail an organization's compensating controls or alternative methods for achieving compliance and an audit trail of all administrator and user actions. Reports are produced automatically when triggered by a server event, such as a change to a setting that needs a compensating control. |
| Requirement 11: Regularly test security systems and processes | Requires measures external to the High Security PCI module |
| Requirement 12: Maintain a policy that addresses information security | Requires measures external to the High Security PCI module |

Contact Us

If you would like more information regarding evaluating or purchasing the HS-PCI module for EFT Server, please call us at 1-800-290-5054 (U.S.) or 1-210-308-8267 (international), or submit a request for a product trial and a representative will contact you shortly.