PCI DSS 2.0 Makes for Smarter Data Transfer Security

Tuesday, October 19, 2010 – Ipswitch File Transfer, Inc., an innovator of secure, managed file transfer solutions, today identified five key changes to the Payment Card Industry Data Security Standard (PCI DSS 2.0) that will substantially affect businesses transferring sensitive credit card data. The final draft of the standard will be released on October 28. However, the substance of many changes is now clear, whilst working groups on emerging technologies continue to report on forthcoming inclusions in the standard.

“The impending changes reflect developments in technology, the cost pressures on businesses and the development of smart, accepted practices,” explained Jonathan Lampe, VP of Product Management at Ipswitch and representative on the PCI Community Council. “Around fifty of our customers, from all over the world, are represented on the council. The emphasis has been on identifying what’s secure and what works best.”

Key changes forthcoming in PCI DSS 2.0 that will impact the transfer of sensitive data include:

- Explicit recognition of SFTP as a secure protocol.
- Audit of virtual machine infrastructure and virtualisation hypervisors will be brought within the scope of PCI DSS.
- Rotation requirements for the purposes of key management will be “based on industry best practices and guidelines” rather than an annual stipulation.
- Identity and authentication requirements for users, “non-consumers” and administrators will be split further.
- More specific requirements will be implemented around the auditability and security of timekeeping, especially as recorded in audit logs. (Coordinated and reliable timestamps are helpful during civil and criminal investigations as well as internal forensics investigations.)

In addition, Lampe identifies the expected incorporation of tokenization technologies into official PCI s...

Data: Transferring the Burden Under PCI DSS

GT News have just published a great article written by Jonathan Lampe (Vice President of Product Management at Ipswitch) regarding data transfer requirements under PCI DSS. If anyone is looking for a PCI DSS compliant solution for transferring data, these are the points they really need to be taking into consideration:

Data: Transferring the Burden Under PCI DSS
Jonathan Lampe, Ipswitch – 08 Jun 2010

Despite widespread adoption of Simple Object Access Protocol (SOAP) and transaction sets in the financial industry, a surprisingly high percentage of the data flow is still represented by files or bulk data sets. In 2009, Gartner determined that bulk data transfers comprise around 80% of all traffic. This is probably a surprise if your company is among the many with millions invested in just managing individual transactions – but there are good management and security reasons for this continuing situation.

Why is File Transfer Still Common?

Financial institutions and item processors are still ‘FTP’ing’ (file transfer protocol), emailing, or sending and sharing files instead of transactions for a number of reasons. First, it hides the complexity of systems on both ends – there is no reliance on, or concern about, libraries of transactions and responses related to one system and a different set related to another system. Second, it reduces the risk of transmission failure: it is less risky for employees to send a small number of files or bulk data sets than a large number of transactions. Finally, it also increases the reliability of the overall operation.

The Managed File Transfer Industry

The managed file transfer (MFT) industry is comprised...

Positive results for Pro2col and co-exhibitors at Infosecurity

We made the decision to attend Infosecurity for the first time this year, with the intent of affirming Pro2col’s position as the UK’s leading supplier and integrator of secure file transfer technologies, with a range of carefully selected products designed to meet the requirements of any business. Spurred by the formation of partnerships with some of the world’s leading secure file transfer vendors, including Aspera, Ipswitch, Data Expedition, Biscom and Stonebranch, we were fortunate enough to have experts from two vendors on the Pro2col stand, ready to impart their extensive product knowledge to attendees from around the world.

In customary form, after spending months meticulously planning for Infosec, the days leading up to the show were a little unsettling for us. With not one but two co-exhibitors travelling from the US to London, nature decided that the pressure of event organisation was not enough and kindly added a humongous ash cloud to the mix – leaving us wondering whether or not half of our stand would actually make the event!

Despite initial concerns over travel arrangements (everyone made it, thankfully – even if a little jet-lagged), we are excited to say that the show was a great success for all parties involved. With over 10 years’ experience within the file transfer arena, we can empathise with how daunting the broad spectrum of solutions in this marketplace can be for businesses when sourcing the most suitable solution for their requirements. Both resellers and end users alike were very receptive to the impartial file transfer advice and product demonstrations offered by Pro2col representatives, but also pleased to benefit from specialist product information...

Half a million reasons to beware!

Today was the day that the ICO got the power to fine companies for data breaches, with the amendments to the Data Protection Act finally coming into force. With the UK somewhat behind some of the EC, this brings us closer in line with the European Commission’s E-privacy directive that the UK signed up to some years ago to uphold the privacy of individuals and specifically personally identifiable data. A lot has been written about this subject, but what does it mean and how does it affect your business?

If your business stores or holds personally identifiable data about individuals, that data is now governed by the Data Protection Act. If your company has personally identifiable data, your company is legally obliged to register itself with the ICO and appoint one or more Data Controllers within your organisation. It is then that person’s responsibility to ensure that all personally identifiable data is stored and distributed in a secure manner. This affects the data stored within the organisation, but the bit we get involved in is the ‘distribution’ of the data to third parties, customers, suppliers, remote offices or remote workers. This data now needs secure, managed file transfer so that you have a complete audit trail of who sent what, to whom and when – also providing information on when the information was downloaded and, if possible, where they were when it was downloaded. Simply put, you need to know what’s happening with your data at all times!

Why should I go and implement new systems, who’s going to know it was me? Well, you could take this approach...

Healthcare Industry Beware!

Recent reports have highlighted that hospitals and physicians in the US have been given a deadline of 2015 to convert all health records into digital form and then to deploy the accompanying technology to handle these digital assets. Considering only about a quarter of the US population’s health records are digitally stored – this is a bit of a tall order! Makes you wonder whether, no let’s rephrase that, WHEN the UK will follow in their footsteps.

For those organisations operating in the health sector, it may be wise to start reviewing the security and efficiency of your file transfer systems now, especially when you take into account the increased ICO powers of enforcement due to come into effect on 6th April 2010. If a similar mandate were to come into force in the UK, in order to avoid possible fines of up to £500,000 organisations would need to ensure that sensitive client files were secured when being transported between locations.

If you’re a healthcare organisation and you want to review or evaluate your large file transfer processes, please get in touch with the team at Pro2col on 0333 123 1240. We offer a comprehensive range of secure file transfer solutions and we’re always happy to...

Email Attachment Management – The Future of Ad Hoc File Transfer

Email is probably the best known and most widely used internet service in the marketplace to date. With an estimated quarter of the world’s population on the internet and a total of 418,029,796 users in Europe (over 50%), figures indicate that 92% of these users either send or read email. As technology progresses and file sizes increase, moving data between geographically isolated locations has become more challenging. Many businesses rely predominantly on email for their daily communications and operations but, unfortunately, it is being used for purposes it was neither designed nor intended to cope with. Using email for ad hoc file transfer can cause huge problems for businesses in terms of cost, efficiency and reliability.

So if we can’t email large attachments, what can we do? Introducing our latest white paper: Email Attachment Management – The Future of Ad Hoc File Transfer, which is available for download now. It addresses the issues surrounding the ad hoc transmission of large files and details how email attachment management solutions enable businesses to email large attachments, minus the problems associated with standard email.

If you would like to discuss any of your file transfer requirements, ad hoc or otherwise, please contact Pro2col on 0333 123 1240; we are always happy to...