PCI-Compliant File Transfer

Ensure PCI-DSS Compliance with MOVEit Managed File Transfer

Build and Maintain a Secure Network

MOVEit is a managed file transfer system designed for use with a multi-firewall network that separates a network into different trust zones.

Protect Stored Cardholder Data

MOVEit Automation and MOVEit Transfer are each capable of doing scheduled, automatic and secure deletion of old files containing payment information.

Ensure PCI Compliance

MOVEit helps tens of thousands of financial processors, banks and credit unions achieve and maintain PCI Compliance

How MOVEit Enables PCI-Compliance

Maintains Network Security

MOVEit Transfer lives in the firewall-protected DMZ where it can be partially exposed to the Internet. MOVEit Automation, deployed on an internal trusted network, can establish connections to the MOVEit Transfer server through a firewall. This establishes a secure connection through which data can be passed to and from your internal network to the outside world. If you prefer not to have your files at rest in the DMZ you can use MOVEit Gateway in the DMZ and deploy MOVEit Transfer on the trusted internal network.

Protects Cardholder Data in Transit and at Rest

MOVEit supports transfers using secure FTP over SSL/TLS (FTPS), secure FTP over SSH2 (SFTP and SCP2), as well as secure file transfers using HTTPS and the AS2, and AS3 protocols. When at rest, MOVEit uses our MOVEit Crypto cryptographic software to securely store data. MOVEit Crypto has been FIPS 140-2 validated by the US National Institute of Standards and Testing (NIST) and the Canadian Communications Security Establishment (CSE)

Implements Strong Access Control Measures

MOVEit allows users to be designated as belonging to specified role with each role having an appropriate level of privilege. MOVEit Transfer also allows for the specific assignment of folder permissions, protocol access restrictions, IP address restrictions and other limited rights. Passwords and keys are encrypted using secure SSL/TLS and SSH2.

Maintains a Vulnerability Management Program

MOVEit supports integration for external scanning of the files in transit to prevent infected files from being transferred. To maintain the security of all MOVEit products, Progress support regularly posts security updates to the customer community.

Regularly Monitors and Tests Networks

MOVEit audit logging capabilities are among the most comprehensive offered by any managed file transfer products. Access to MOVEit audit records is controlled so that users can only see events that relate to their organization and/or the groups, users, folders and transfer tasks under their control.

What is PCI DSS?

The PCI Data Security Standard (PCI DSS) is the global data security standard adopted by all organizations that process, store or transmit cardholder data. It consists of twelve critical data security requirements, organized into six sections:

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  1. Use and regularly update anti-virus software or programs
  2. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  1. Restrict access to cardholder data by business need-to-know
  2. Assign a unique ID to each person with computer access
  3. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  1. Track and monitor all access to network resources and cardholder data Requirement
  2. Regularly test security systems and processes
Maintain an Information Security Policy Requirement
  1. Maintain a policy that addresses information security for employees and contractors

Who is it for?

The Payment Card Industry (PCI) Data Security Standard (DSS) is intended for use by merchants, financial processors, point-of-sale vendors, and banks, credit unions and other financial institutions that transmit, process and/or store credit cardholder data.

If your business deals with credit card payments in any way, then PCI compliance is going to be a fact of life, and an essential part of running your business securely and efficiently. PCI compliance is a critically important step in protecting your customer's or partner's payment card data, and an equally important step in protecting your business from the dire consequences of a data breach.

MOVEit's Solution Architecture

MOVEit is a managed file transfer system designed for use with a multi-firewall network that separates a network into different trust zones.

(click to enlarge)

Did You Know?

Compliance Requirements Depend on the Size of Your Business

To determine the requirements that apply to individual businesses, the PCI Security Standards Council (PCI SSC) created a four-level system for classifying businesses by size and risk. For the most part, small businesses land in Level 4, while Level 1 covers large, multi-national retailers like Amazon and Walmart.

Level 1: Merchants with more than 6,000,000 transactions per year or those that have had data compromised in the past.
Level 2: Merchants with 150,000 to 6,000,000 transactions per year.
Level 3: Merchants with 20,000 to 150,000 transactions per year.
Level 4: Merchants with less than 20,000 transactions per year.

Terms to know

  • PCI: Payment Card Industry. If you’ve ever bought a product online or given your credit card information to secure a service via a computer, you have invariably operated under the auspices of this organization.
  • PCI DSS : PCI Data Security Standards. This acronym identifies the rules. Once you are in a PCI-regulated environment, you will find that specific rules and specifications exist to ensure that all transactions are safe.
  • ROC: Report on Compliance is an official written report of the compliance process that is achieved by adhering to the standards outlined by the PCI.
  • QSA: Qualified Security Assessor is an auditor or provider that has been qualified by the PCI Council to serve as implementers of the PCI standards.
  • DMZ: Demilitarized Zone is a hosted area or a small secure network that serves as an intermediary or neutral location between the end user and the provider. This “zone” prevents unauthorized access to the secure servers that process the actual transactions and store the credit card information, for example. Outside users can only access as far as the DMZ and no further.

Make Your File Transfers PCI-Compliant