Requirement #1: Install and maintain a firewall configuration to protect cardholder data

This requirement is designed to limit network risk. As Serv-U MFT Server will be transporting cardholder data, it is considered part of the security architecture of the cardholder data environment (CDE).

1.1 – Plan and document the firewall and router configuration.

Your Serv-U MFT Server implementation helps by restricting the protocols in use. Document the configuration settings of Serv-U MFT Server itself as part of this requirement. Consult the Serv-U MFT Server firewall/router configuration guide for the current recommendations. You must also update both the internet-facing firewall and the firewall between the demilitarized zone (DMZ) and the internal network to allow the protocols Serv-U MFT Server uses.

1.1.2 – Update your network diagram to include the ports into and out of Serv-U MFT Server.

1.1.3 – Update your current data flow diagram showing all cardholder data flows across systems and networks.

If Serv-U MFT Server moves cardholder data, you should update this diagram.

1.2 – Restrict connections between untrusted networks.

Use Serv-U Gateway to terminate inbound connections in the DMZ. Block connections from the Serv-U Gateway to the internal network. All data moved to the internal network should be initiated from trusted Serv-U MFT Server clients on the internal network.

1.3 – Prohibit direct access from the internet.

For transferring cardholder data, deploy the Serv-U Gateway in the DMZ to eliminate direct access between the internet and CDE system components.

1.3.4 – Do not allow unauthorized outbound traffic from the CDE to the internet.

By configuring Serv-U MFT Server to route all cardholder data transfers via the Serv-U Gateway in the DMZ, you simplify the network topology and limit the pathways for cardholder data. This reduces the risk of unauthorized outbound traffic.

Requirement #2: Do not use vendor-supplied defaults for system passwords and other security parameters

Default passwords are a commonly exploited vulnerability, which is why they have their own requirement. A standard best practice is to change default administrative passwords to lock down the administrative ports. Serv-U MFT Server offers additional protections, such as configurable limits on client connections, to mitigate the risk of client password brute forcing.

2.2 – Develop configuration standards for all system components. Ensure these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

2.2.1 – Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server.

The architecture of the Serv-U MFT Server software limits the exposed network interfaces and shrinks the available attack surface. Additionally, the Serv-U Gateway allows you to omit the server name and version passed through in SSH configurations. This reduces the risk of leaking identifying information to probing tools.

2.3 – Encrypt all remote administrative access.

Serv-U MFT Server uses HTTPS, which is designed to help secure its remote administrative access.

Requirement #4: Encrypt transmission of cardholder data across open, public networks

Deprecated SSL protocols are not recommended for use on Serv-U MFT Server. PCI DSS 3.2 (Appendix A2) required SSL and early TLS (TLS 1.0) to be removed from service by 30 June 2018, so configure the HTTPS, FTPS and administrative listeners to accept only TLS 1.2 or later. See the PCI DSS 3.2 encryption guidance in the following SolarWinds article on THWACK®: Using Managed File Transfer With PCI Cardholder Data.
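The segmentation rules of 1.2, 1.3 and 1.3.4 above, reduced to an allow-list and run over a few firewall log lines to catch rule-base mistakes, as an added example that is not part of the original page and not SolarWinds' own tooling. The zone address ranges, the Gateway and MFT Server addresses, the transfer ports, the Gateway link port 1180, the log format and the log lines themselves are all constructed assumptions for illustration; take the real ports from the Serv-U firewall/router configuration guide for your deployment.

```python
"""PCI DSS Requirement 1 segmentation check for a Serv-U Gateway in the DMZ
fronting a Serv-U MFT Server in the CDE.

Added example, not SolarWinds code. Every address, port and log line below
is a constructed assumption, not a Serv-U default."""
import re
from ipaddress import ip_address, ip_network

# Assumed zone addressing; anything outside these ranges is treated as internet.
ZONES = {
    "internal": [ip_network("10.10.0.0/16")],  # CDE, where Serv-U MFT Server lives
    "dmz": [ip_network("192.0.2.0/24")],       # where Serv-U Gateway lives
}
GATEWAY = ip_address("192.0.2.10")       # assumed Serv-U Gateway address
MFT_SERVER = ip_address("10.10.5.20")    # assumed Serv-U MFT Server address
TRANSFER_PORTS = {22, 443, 990}          # assumed: SFTP, HTTPS, implicit FTPS
GATEWAY_LINK_PORT = 1180                 # assumed port the MFT Server dials out to the Gateway on


def zone_of(ip):
    """Map an address to internal / dmz / internet using the assumed ranges."""
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


def decide(src, dst, port):
    """Policy verdict for a connection *initiated* by src to dst:port.

    Returns (verdict, rule) where rule names the PCI DSS 3.2 clause it enforces.
    The policy is an allow-list: anything not explicitly allowed is denied.
    """
    src, dst = ip_address(src), ip_address(dst)
    sz, dz = zone_of(src), zone_of(dst)
    if sz == "internet" and dst == GATEWAY and port in TRANSFER_PORTS:
        return "allow", "1.3: inbound transfers terminate on the Gateway in the DMZ"
    if src == MFT_SERVER and dst == GATEWAY and port == GATEWAY_LINK_PORT:
        return "allow", "1.2: the MFT Server on the internal network initiates the Gateway link"
    if sz == "dmz" and dz == "internal":
        return "deny", "1.2: no connections from the Gateway/DMZ into the internal network"
    if sz == "internet" and dz == "internal":
        return "deny", "1.3: no direct access from the internet to CDE components"
    if sz == "internal" and dz == "internet":
        return "deny", "1.3.4: no unauthorized outbound traffic from the CDE"
    return "deny", "default deny"


# Assumed log format: "<timestamp> ALLOW|DENY <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY)\s+(\S+):\d+\s+->\s+(\S+):(\d+)$")


def audit(log_lines):
    """Return (timestamp, flow, rule) for every flow the firewall ALLOWed
    that the policy says must be denied, i.e. a rule-base misconfiguration."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production audit would count these too
        ts, action, src, dst, port = m.groups()
        verdict, rule = decide(src, dst, int(port))
        if action == "ALLOW" and verdict == "deny":
            findings.append((ts, f"{src} -> {dst}:{port}", rule))
    return findings


# Constructed firewall log for the walk-through.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z ALLOW 203.0.113.7:51234 -> 192.0.2.10:443",   # client -> Gateway HTTPS: fine
    "2024-05-01T10:00:05Z ALLOW 10.10.5.20:49152 -> 192.0.2.10:1180",   # MFT Server -> Gateway link: fine
    "2024-05-01T10:01:10Z ALLOW 192.0.2.10:40001 -> 10.10.5.20:445",    # Gateway -> internal SMB: violates 1.2
    "2024-05-01T10:02:00Z DENY 203.0.113.7:51300 -> 10.10.5.20:22",     # internet -> CDE, correctly denied
    "2024-05-01T10:03:00Z ALLOW 10.10.5.20:49153 -> 198.51.100.9:443",  # CDE -> internet: violates 1.3.4
    "2024-05-01T10:04:00Z ALLOW 203.0.113.8:52000 -> 192.0.2.10:21",    # plain FTP is not in the allow-list
]

if __name__ == "__main__":
    for ts, flow, rule in audit(SAMPLE_LOG):
        print(f"{ts}  {flow:<36} violates {rule}")
```

Running it lists the three ALLOW entries the policy would have denied, each with the clause it breaks; the plain-FTP line is caught by the default deny rather than a named clause, which is the point of keeping the policy an allow-list. The same `decide` function can be run against a proposed rule-base export before a firewall change is approved, not only against logs after the fact.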