From the PCI DSS:
Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending PAN in unencrypted e-mails.
PCI DSS Requirement |
How Requirement is Addressed with EFT Server | |
3.1 Develop a data retention and disposal policy |
You can configure EFT Server to remove files from a specified folder at regularly scheduled intervals with EFT Server's Clean-up Action. When EFT Server deletes a file, it can optionally securely delete or purge the file by writing over the initial data using encrypted and/or pseudorandom data. | |
3.2 - 3.2.3 Do not store sensitive authentication data subsequent to authorization (even if encrypted). Sensitive authentication data includes the data as cited in requirements 3.2.1 through 3.2.3 (magnetic stripe data, validate codes (cv2), or PIN |
Your own internal policies dictate whether you are capturing sensitive data. This is different from PAN data, and pertains to card verification values (CVV, CV2, CVV2, etc.) and full magnetic stripe data. | |
3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed. |
EFT Server has no means for rendering or displaying PAN or any other sort of data. | |
3.4 Render PAN, at minimum, unreadable anywhere it is stored. |
Encrypt PAN or other sensitive data using EFT Server’s optional OpenPGP encryption module or 3rd-party disk encryption utilities. | |
|
3.4.1 Logical access and decryption keys disk must be managed independently for disk-level encryption |
This requirement precludes you from using Microsoft’s Encrypting File System (EFS) from within EFT Server (or externally) as a means for encrypting stored PAN data. EFT Server PCI DSS HS will warn you if EFS is being used. |
3.5 - 3.5.2 Protect encryption keys |
Only sub-administrators who have been specifically granted access can create access, or manage PGP, SSL, and SFTP keys. | |
3.6 - 3.6.10 Document and implement all key management processes and procedures |
External to EFT Server. | |
|
3.6.1 Generation of strong keys |
EFT Server PCI DSS HS disallows 512 or lesser bit lengths in the certificate/key creation wizards for HS-PCI-enabled sites, and sets the default bit-length to 2048 bits for new keys. When importing SSL or SFTP keys, EFT Server will warn if a weak key is imported. |
|
3.6.4 Key management, destruction, or revocation of old keys |
EFT Server determines whether certificate keys used on EFT Server are current. T he P CI DSS HS module checks the key length and expiration date only for the Server's SSL certificates (i.e. administration certificate and site certificates); client certificates (i.e. trusted certificates) are not checked. |