Archive for March, 2012

Finding the Path to PCI DSS Compliance

Posted by on Wednesday, 28 March, 2012

If you are doing business and collecting payments by credit card, debit card, or other e-commerce options that involve storing, processing, or transmitting cardholder data, you are required by the card brands (through your acquiring bank) to comply with the PCI DSS.

In an attempt to reduce credit card fraud, the Payment Card Industry Security Standards Council developed an information security standard for organizations that handle consumers' transactions and card numbers. The standard continues to evolve, and its current version is PCI DSS 2.0. How compliance is validated depends on transaction volume: the largest merchants need an annual on-site assessment by a Qualified Security Assessor, while smaller ones complete a self-assessment questionnaire. Either way, every organization that handles cardholder data must meet the standard to limit its liability if card fraud occurs.

Linoma Software has published a new white paper entitled PCI DSS Compliance with Managed File Transfer that reviews the requirements for PCI DSS 2.0, and explains what role implementing a managed file transfer solution can have in meeting several aspects of the regulations, especially the protection of cardholder data. Download the white paper now, and review other resources available at GoAnywhereMFT.com.

Susan Baird

Susan is the Marketing Manager at Linoma Software, helping promote our secure file transfer and encryption solutions. Her specialty is content creation and social media marketing.


Data Breach Remains a Hot Topic for Media

Posted by on Monday, 19 March, 2012

During the past few years, the media has highlighted a variety of examples of the loss of private information by large companies either by theft or misuse.

One of the reasons for the increased media attention is the renewed focus on establishing and enforcing data breach notification laws, which apply to companies that own, lease or store private, personally identifiable information. If that data is exposed to unauthorized use, whether by accident, cyber attack, employee misconduct, or other causes, most states require the company responsible for protecting it to announce the breach and individually notify everyone affected. Some states also require that the credit reporting agencies be notified for larger breaches.

For clarification, private data here means any information that can be used to identify an individual, including sensitive information such as a credit card number, Social Security number, or health-related data.

There are a few exceptions to the reporting requirement. Most state laws provide a safe harbor for encrypted data: if the compromised files were encrypted, whether in transit across the Internet or at rest on stolen backup tapes, and the encryption key was not exposed along with them, the thief cannot decrypt the files, so the individuals' privacy is not considered compromised and notification is generally not required. The safe harbor does not help if the key was stored alongside the data, or if the files were only encrypted on the wire and sat in cleartext on the stolen media.

A company that finds itself dealing with a data breach learns quickly that the process is not just embarrassing and costly (sending notifications, providing free credit reports, etc.), it can also damage the company’s hard-earned reputation resulting in the loss of customers. The point is that companies are responsible – and legally liable — for the information that is in their hands.

Securing File Transfers

Most companies use FTP (file transfer protocol) to send data files back and forth to their trading partners, vendors, remote employees, etc. Most often, FTP is used to send files that are too large to email.

However, plain FTP sends the username, the password, and the file contents in cleartext, so anyone positioned on the network path (on a shared Wi-Fi network, at a compromised router, or at an ISP) can read or alter the transfer. Files are captured this way every day unless security procedures have been put in place to safeguard them.

Companies need to implement procedures that secure both the in-motion process (files in transit over the Internet) and the at-rest process (files stored on servers or backup tapes). The SFTP and FTPS protocols both secure the file while in motion by encrypting the connection between the two systems: SFTP runs file transfer over SSH, and FTPS is FTP with TLS added. Two caveats: with FTPS the data channel must be protected as well as the control channel (the client must request PROT P), and with both protocols the client should verify the server's host key or certificate, or an attacker in the path can simply impersonate the server. Transport encryption ends when the transfer does; the file lands on the receiving server in cleartext. PGP (OpenPGP) encrypts the file itself, so it stays protected at rest on the server or backup tapes, and it stays unreadable in transit even if it travels over plain FTP, although the credentials and file name on a plain FTP session are still exposed.
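To make the in-motion versus at-rest distinction concrete, here is an added example (not Linoma's code and not taken from any product) that reads a constructed sniffer transcript of a plain FTP session, pulls out what a passive observer learns, and then checks each transferred payload for an OpenPGP message header. The session, the payloads and the file names are invented for the example; the packet-tag values come from RFC 4880.

```python
"""Added example: what a passive observer on the network path learns from a
cleartext FTP session, and how much less is exposed when the file itself was
OpenPGP-encrypted before transfer.

The session transcript and the file payloads below are constructed for the
example; they were not captured from any real system.
"""
import re

# Constructed transcript of an FTP control channel as a sniffer would see it.
# "C:" lines are client -> server, "S:" lines are server -> client.
CAPTURED_SESSION = """\
S: 220 ftp.example.com FTP server ready
C: USER betsy
S: 331 Password required for betsy
C: PASS hunter2
S: 230 User betsy logged in
C: TYPE I
S: 200 Type set to I
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: STOR annual_report_changes.docx
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: STOR cardholder_export.csv.pgp
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

# Constructed data-channel payloads for the two STOR commands.
CAPTURED_PAYLOADS = {
    "annual_report_changes.docx": b"Change p.12: revenue figure should read 4.2M ...",
    # An OpenPGP message: first byte 0xC1 = new-format packet header, tag 1
    # (public-key encrypted session key), followed by opaque bytes.
    "cardholder_export.csv.pgp": b"\xc1\x0a" + bytes(range(10)),
}

# OpenPGP packet tags (RFC 4880, section 4.3) that begin an encrypted message:
# PKESK, SKESK, symmetrically encrypted data, SEIPD.
_ENCRYPTED_MESSAGE_TAGS = {1, 3, 9, 18}


def looks_openpgp_encrypted(data: bytes) -> bool:
    """Heuristic: True if the payload is an ASCII-armored OpenPGP message or a
    binary one whose first packet is one that starts an encrypted message."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return True
    if not data or not data[0] & 0x80:   # bit 7 is always set in a packet header
        return False
    first = data[0]
    if first & 0x40:                      # new-format header: tag in low 6 bits
        tag = first & 0x3F
    else:                                 # old-format header: tag in bits 2-5
        tag = (first >> 2) & 0x0F
    return tag in _ENCRYPTED_MESSAGE_TAGS


def parse_control_channel(transcript: str) -> dict:
    """Pull credentials and transferred file names out of the cleartext control
    channel. Everything collected here is visible to anyone on the path."""
    findings = {"user": None, "password": None, "files": []}
    for line in transcript.splitlines():
        m = re.match(r"C:\s+(\S+)(?:\s+(.*))?$", line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), (m.group(2) or "").strip()
        if cmd == "USER":
            findings["user"] = arg
        elif cmd == "PASS":
            findings["password"] = arg
        elif cmd in ("STOR", "RETR"):
            findings["files"].append(arg)
    return findings


def assess_exposure(transcript: str, payloads: dict) -> dict:
    """For each transferred file, decide whether its contents were exposed.
    Credentials and file names on a plain FTP session are exposed regardless."""
    ctl = parse_control_channel(transcript)
    report = {"credentials_exposed": ctl["password"] is not None, "files": {}}
    for name in ctl["files"]:
        data = payloads.get(name, b"")
        report["files"][name] = (
            "protected at file level (OpenPGP)" if looks_openpgp_encrypted(data)
            else "contents exposed in cleartext"
        )
    return report


if __name__ == "__main__":
    for key, value in assess_exposure(CAPTURED_SESSION, CAPTURED_PAYLOADS).items():
        print(key, value)
```

The report shows the two halves of the problem separately: the PGP-encrypted export survives the cleartext transfer, but the login and the file names do not, which is why file-level encryption complements SFTP or FTPS rather than replacing them.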

When addressing the challenge of sending ad-hoc files that are too big to email, finding a managed file transfer solution that includes a secure mail feature can mean the difference between an accidental data breach and a successfully delivered file.

Implementing these security procedures is a significant step organizations can take to greatly reduce their risk of data breach, and therefore their exposure to the financial liability and the loss of confidence of their customers and trading partners.

 

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.


Ad-Hoc File Transfers Present Challenges, Vulnerabilities

Posted by on Thursday, 1 March, 2012

Regardless of industry or job title, most employees who sit at a computer screen all day have, at one time or another, needed to email a file that was too big to send.  For most people outside of IT, that posed a significant obstacle.

Take Betsy, for example. How could Betsy in Marketing send the CEO’s requests for changes to the annual report back to the ad agency if the file was too large to attach to an email?   Fax it, maybe?  So old school!

Betsy is eager to do a good job and meet expectations, and hates depending on someone else to help her do something she perceives should be relatively easy, like sending a file as an email attachment. So, because her boyfriend once told her something about FTP, she uses a search engine and finds a host of FTP tools she can download for free that promise to solve her problem quickly and easily. Score!

Free FTP tools, browser apps, and cloud-based storage, oh my!

This scenario is replicated in thousands of companies every day. Employees download FTP tools or use FTP features that "come with" their browser, and rejoice believing that their file transfer problems are solved. Others create accounts on cloud-based file storage systems, upload files there, and send the recipient an invitation to download the file using a specific link.

Unfortunately, while a free FTP tool downloaded from the Internet might solve an immediate need, it often creates a host of other problems, and many of them go unnoticed because IT administrators are unaware that this is happening.

Here are just a few of the challenges for the IT staff:

  • Who has what tool installed on which machine?
  • Who provides support for these tools if there’s a problem with a file transfer?
  • How are the file transfers secured to prevent data breach?
  • Who is monitoring what data is being transferred, by whom, to which recipients, and for what purpose?
  • How is the receipt of the documents confirmed?
  • How will compliance auditors view this approach to ad-hoc file transfers?

There’s no easy solution — or is there?

Company policies could dictate a variety of solutions.  They could block the download of any apps to individual desktops at work, and/or require people who need to do ad-hoc file transfers to register the tool and the relevant login data with the IT department for approval.  They could require that anyone who needed to send a large file make a formal request to the IT department and wait for someone there to send it via the company’s official FTP software or managed file transfer solution. They could require all staff to sit through mandatory training to deter them from continuing this practice.

A more effective approach might be implementing a secure mail tool. A trustworthy secure mail system keeps the files that need to be transferred stored securely within the organization's network, and lets authorized users email a unique, unguessable link to a trading partner, who uses it to access and download the files over HTTPS.

Most of the cloud-based file storage systems provide a similar approach, allowing users to store their files and then invite others to view or download them using a link.

There are critical differences, though, between a secure mail system and the cloud-based apps. Most importantly, secure mail gives control back to an organization's IT administrators so they can track file transfers and maintain audit logs, both of which are required by most compliance regulations such as HIPAA, PCI DSS, SOX and GLBA. A secure mail system that is controlled by the IT staff can ensure that file transfer policies are followed, and can include additional security features such as password protection on the link, link expiration dates, and download limits. Those features matter because the link itself travels by ordinary email, which is neither encrypted nor authenticated end to end: anyone who can read the message, or who finds it in a forwarded thread months later, could otherwise use the link. A password sent by a separate channel, a short expiry, and a single-use limit contain that exposure.
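As an added example of the server side of such a link (written for this page; it is not GoAnywhere's code and says nothing about how the product implements the feature), the block below mints an unguessable token, stores only a hash of it, and enforces expiry, a download limit and an optional recipient password on redemption. The function names, the in-memory store and the sample values are assumptions for the example.

```python
"""Added example: minting and redeeming a secure-mail download link.

Design points: the token has 256 bits of randomness; the server stores only
its SHA-256 hash, so a leaked link table does not yield working links; the
link expires, is limited to a number of downloads, and may require a
password that the sender passes to the recipient by a separate channel.
Every failure returns the same message so the endpoint does not reveal
which check failed. Store and names are constructed for this example.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory store: sha256(token) -> link record.
LINKS: dict = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so that a stolen record does not reveal the recipient password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_link(file_id: str, ttl_seconds: int, password: Optional[str] = None,
                max_downloads: int = 1, now: Optional[float] = None) -> str:
    """Mint a link token. The token goes into the email; only its hash stays
    on the server. `now` is injectable so expiry can be tested deterministically."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 32 random bytes, URL-safe
    salt = secrets.token_bytes(16)
    LINKS[_hash_token(token)] = {
        "file_id": file_id,
        "expires_at": now + ttl_seconds,
        "pw_salt": salt,
        "pw_hash": _hash_password(password, salt) if password else None,
        "downloads_left": max_downloads,
    }
    return token


GENERIC_FAILURE = "invalid or expired link"


def redeem_link(token: str, password: Optional[str] = None,
                now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate a presented token and, if accepted, consume one download.
    Returns (True, file_id) or (False, GENERIC_FAILURE)."""
    now = time.time() if now is None else now
    rec = LINKS.get(_hash_token(token))
    if rec is None:
        return False, GENERIC_FAILURE
    if now > rec["expires_at"] or rec["downloads_left"] <= 0:
        return False, GENERIC_FAILURE
    if rec["pw_hash"] is not None:
        presented = _hash_password(password or "", rec["pw_salt"])
        # Constant-time comparison so timing does not leak partial matches.
        if not hmac.compare_digest(presented, rec["pw_hash"]):
            return False, GENERIC_FAILURE
    rec["downloads_left"] -= 1
    return True, rec["file_id"]


if __name__ == "__main__":
    token = create_link("report-2012-03", ttl_seconds=24 * 3600, password="s3cret")
    print("emailed link token:", token)
    print(redeem_link(token, "wrong"))    # rejected
    print(redeem_link(token, "s3cret"))   # accepted, consumes the single download
    print(redeem_link(token, "s3cret"))   # rejected: nothing left
```

In a real deployment the record would live in a database with the audit trail the post mentions (who minted the link, for which file, who redeemed it and when), and failed redemptions would be rate-limited per token and per source address so the password cannot be guessed online.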

Bottom line

Most organizations want efficient workflows, employees who feel empowered to do what it takes to meet expectations, and assurances that the data they store and transfer is insulated from external threats.  A secure mail ad-hoc file transfer solution seems like a smart way to accomplish all of those goals.

GoAnywhere Services just released a new Secure Mail module, so check it out.

Susan Baird

Susan is the Marketing Manager at Linoma Software, helping promote our secure file transfer and encryption solutions. Her specialty is content creation and social media marketing.
