AD (pronounced “ay, dee”) is an abbreviation for Microsoft Active Directory, a very common external authentication system used in the file transfer industry to centralise authentication, user account information and access control. See “Active Directory” for more information.

Ad-Hoc File Transfer

The term “ad hoc” or “person to person” file transfer is better described as someone wanting to send a file to another person, generally on a ‘one-off’ basis. To elaborate, let’s set the scene. It’s 5.30 pm on a Friday afternoon. You have been working on a really important proposal for a new client that’s[..]


AES (“Advanced Encryption Standard”) is an open encryption standard that offers fast encryption at 128-bit, 192-bit and 256-bit strengths. AES is a symmetric encryption algorithm often used today to secure data in motion in both SSH and SSL/TLS.  (After a symmetric key exchange is used to perform the handshake in an SSH or SSL/TLS session,[..]


AndFTP is a free, full-featured, interactive FTP client for Android smartphones and devices.   It was created by Lysesoft, a company specialising in Android phone file transfer client development. AndFTP offers support for FTP, FTPS, SFTP and can remember a large number of connection profiles.  FireFTP does not yet (as of version 2.4) support integrity checks[..]


ANSI X.9 (or “ANSI/X.9”) is a group of standards commonly used with bulk data transmissions in item processing and Fed transfers. An example of an ANSI X.9 standard is “ANSI X9.100-182-2011” which covers how XML can be used to deliver bulk data and images. Published ANSI standards may include some technical artifacts such as XML[..]


AS1 (“Applicability Statement 1”) is an SMIME-based transfer protocol that uses plain old email protocols (such as SMTP and POP3) to transmit files with end-to-end encryption and guaranteed delivery/non-repudiation (when MDNs are in use). End-to-end encryption is accomplished through the use of asymmetric encryption keyed with the public and private parts of properly exchanged X.509[..]


AS2 (“Applicability Statement 2”) is an SMIME-based transfer protocol that uses HTTP/S to transmit files with end-to-end encryption and guaranteed delivery/non-repudiation (when MDNs are in use). There are two main reasons that AS2-based transmission systems are unpopular unless specifically requested by particular partners are complexity and cost. In terms of complexity, AS2 configurations can involve[..]

AS2 Optional Profiles

AS2 optional profiles (also “optional AS2 profiles”) are features built into the AS2 protocol but not used by every Drummond certified vendor.  However, the Drummond Group does validate seven different optional profiles (nine total) and these are briefly covered below. Certificate Exchange Messaging (CEM) – A standard way of exchanging certificates and information about how[..]


AS3 (“Applicability Standard 3”) is an SMIME-based transfer protocol that uses FTP/S to transmit files with end-to-end encryption and guaranteed delivery/non-repudiation (when MDNs are in use). AS3 is an unpopular implementation of the AS2 protocol.  Many vendors successfully sell software that supports AS2 but not AS1 or AS3.  However, AS3’s design as an FTP-based protocol[..]

Automated File Transfer

Automated file transfer is a term used to describe the programmatic movement of files. Typically automated business processes exist for system to system transfers either inside an organisation or between trading partners and are usually file based. Businesses usually look to adopt fully featured solutions to replace legacy scripts or unreliable manual processes reducing support[..]


B2B (“business to business”) is a market definition (a “space”) that covers technology and services that allow file and other transmissions to be performed between businesses (i.e., not between consumers).  B2B covers a lot of conceptual ground, from simple “file transfer” and “secure file transfer” to more sophisticated “managed file transfer” and up through traditional[..]


A Bank Identifier Code (BIC) is an 8 or 11 character ISO code used in SWIFT transactions to identify a particular financial institution.   (BICs are also called “SWIFT addresses” or “SWIFT codes”.)  The format of the BIC is determined by ISO 9362, which now provides for unique identification codes for both financial and non-financial organisations.[..]

Certificate Spill

Accidental “certificate spill” is a common problem in file transfer security.   It occurs when an untrained or careless individual accidentally sends the private key associated with a public/private certificate pair to someone who only needs the public component. Certificate spill is a dangerous problem because it exposes credentials that allow unauthorised individuals to act with[..]

Certification (Software and Systems)

Certification of software and systems against a standard is better than having software and systems merely in “compliance” with a standard.  Certification means that a third-party agency such as NIST or the PCI Council has reviewed and tested the claim of fidelity to a standard and found it to be true.  Certifying agencies will usually[..]

Certification (Training)

Individuals working in the file transfer industry frequently have earned one or more certifications through training and testing.  These certifications generally fall into one of three categories: File Transfer Security Certification: (ISC)2 and SANS certified individuals have a good understanding of security from a vendor-neutral point of view.  (CISSP is an (ISC2)2 certification; CCSK is[..]

Check 21

“Check 21” is the common name for the United States’ Check Clearing for the 21st Century Act, a federal law enacted in 2003 that enabled banks to phase out paper check handling by allowing electronic check images (especially TIFF-formatted files) to serve all the same legal roles as original paper checks. Check 21’s effect on[..]

Clear Text Password

A “clear text password” is a common problem in file transfer security.   It is a dangerous problem because it exposes credentials that allow unauthorised individuals to act with the identity and permission of trusted individuals and systems. The problem happens in at least five different areas: Clear text password during input: This problem occurs when[..]

Community Management

“Community Management” is a marketing term used to describe technology and services that use external authentication technology to provision (or “onboard“) users or partners using rich profile definitions and which allows users and partners to maintain elements of their own profiles (e.g., contacts, email addresses, member users with limited rights, etc.). File transfer and/or EDI[..]


“Compliance” to a standard is weaker than “validation” or “certification” against a standard.  Compliance indicates that a vendor recognizes a particular standard and has chosen to make design decisions that encompass most, if not all, of the standard. When a vendor has implemented all of the required standard, that vendor will frequently upgrade their statement[..]

Control File

A control file is a special file that is sent along with one or more data files to tell applications that handle the data files how to handle them.  Control files are typically created by the same application that original sends files into a file transfer system. The most common type of control file is[..]

Core FTP

Core FTP is a secure FTP software brand that includes a free desktop FTP client (Core FTP LE), a commercial FTP client (Core FTP Pro) and an FTP server (Core FTP Server).


CRC (“cyclic redundancy check”) is an early data integrity check standard (a.k.a. “hash”).  Most CRC codes are 32-bit numbers and are usually represented in hexadecimal format (e.g., “567890AB”). CRC was commonly used with modem-based data transfer systems because it was cheap to calculate and fast on early computers.   Its use carried over into FTP software[..]

Cut-Off Time

In file transfer operations, a cut-off time is a specific time of day a processor must receive a batch or file by so processing can begin on that day.   The processor, not the sender, decides the cut-off time. For example, if a processer publishes a cut-off time of 5pm, then a file received at 4:59pm[..]

Cyber Liability

Cyber liability is the risk posed by conducting business over the Internet, over other networks or using electronic storage technology.  Insurance can be bought and “risk based” security strategies can be used to mitigate against both the first- and third-party risks caused by cyber liability. A “first party” cyber liability occurs when your own information[..]


Cyberduck is a free open source file transfer client for Windows and Macintosh desktops. Cyberduck offers support for FTP, FTPS, SFTP, Amazon S3, Rackspace Cloud Files, Google Storage for Developers and Amazon Cloud Front.  Cyberduck features sychronization across multiple server types and support for many languages. Cyberduck’s official site is  It is licensed under[..]

Data Controller

This is the individual within an organisation who is responsible for the data. The data controller defines the data collected and the reasons for processing.

Data Portability

Under GDPR, individuals have the right to have their personal data transferred to another system or organisation.

Data Processor

Someone who processes data on behalf of the Data Controller.

Data Protection Act

The Data Protection Act of 1998 was brought into force on March 1st 2000. Introduced to give UK citizens the right to access personal information held by ‘data controllers’ (any individual within an organisation handling personal data) within the United Kingdom, the Data Protection Act also details principles concerning the way in which this sensitive[..]

Data Protection Impact Assessment (DPIA)

This is a document that describes the nature of the data, the purpose of the transfer, how it is performed and the security configuration. A DPIA is a key requirement of GDPR.


DEP is sometimes used an abbreviation for “Data Exchange Partner”.


DEPCON is the common name for the Unisys Distributed Enterprise Print Controller software.  This software is often deployed in financial data centers that use it to break apart and distributed aggregated reports.  As more and more print jobs moved to electronic distribution formats, file transfer technology was frequently applied to either handle incoming report batches[..]


Deprovisioning is the act of removing access from and freeing up resources reserved by end users and their file transfer workflows.  Rapid removal of access upon termination or end of contract is key to any organisation. Freeing up of related resources (such as disk space, certificates, ports, etc.) is also important, but often follows removal[..]


DES (“Digital Encryption Standard”) is an open encryption standard that offers weak encryption at 56-bit strength.  DES used to be considered strong encryption, but the world’s fastest computers can now break DES in near real time.  A cryptographically valid improvement on DES is 3DES (“Triple DES”) – a strong encryption standard that is still in[..]

Document Definition

In file transfer, a “document definition” typically refers to a very specific, field-by-field description of a single document format (such as an ACH file) or single set of transaction data (such as EDI’s “997” Functional Acknowledgement). Document definitions are used in transformation maps and can often be used outside of maps to validate the format[..]

Double Post

A “double post” is the act of sending a file in for processing twice on a production system. Most operators consider a “double post” to be far worse than a missing file or missing transmission, because files sent in for internal processing often cannot be cleanly backed out.  Double post violations involving hundreds or thousands[..]

Drummond Certified

In the file transfer industry, “Drummond Certified” typically indicates that the AS2 implementation in a particular software package has been tested and approved by the Drummond Group. Most file transfer protocols follow RFCs, and AS2 is no exception.  (AS2 is specified in RFC 4130, and the “MDNs” AS2 relies on are specified in RFC 3798). [..]

Drummond Group

The Drummond Group is a privately held test laboratory that is best known in the file transfer industry as the official certification behind the AS2 standard.  See “Drummond Certified” for more information about the AS2 certification. The Drummond Group also offers AS1 and ebXML validation, quality assurance and other related services.


EAI is short for “Enterprise Application Integration“, a methodology which balances seamless experience across heterogeneous enterprise applications and datasets of various origins, scope and capability with the need to make major changes to those applications or datasets.  


The European Committee for Banking Standards (“ECBS”) was a standards body that focused on European banking technology and infrastructure.  It was formed in 1992 and disbanded in 2006; it has since been replaced by the European Payments Council. It is still common to see references to the ECBS in GSIT and PeSIT documentation.

Electronic Data Interchange (EDI)

EDI is a computer-to-computer exchange of business documents. This exchange is based on a standard electronic format which allows business partners to interact.

Enterprise Application Integration

Enterprise Application Integration (“EAI”) is a methodology which balances seamless experience across heterogeneous enterprise applications and datasets of various origins, scope and capability with the need to make major changes to those applications or datasets. Today, EAI often uses ESB (“Enterprise Service Bus”) infrastructure to allow these various applications to communicate with each other.  Before[..]

Enterprise Service Bus

An Enterprise Service Bus (“ESB”) is a modern integration concept that refers to architectural patterns or specific technologies designed to rapidly interconnect heterogeneous applications across different operating systems, platforms and deployment models. ESBs include a set of capabilities that speed and standardise a Service-Oriented Architecture (“SOA”), including service creation and mediation, routing, data transformation, and[..]


ESB is short for “Enterprise Service Bus“, a modern integration technology used to quickly tie heterogeneous applications across different operating systems, platforms and deployment models.  

European Payments Council

The European Payments Council (“EPC”) coordinates European inter-banking technology and protocols, particularly in relation to payments.  In 2011 the EPC boasted that it processed 71.5 billion electronic payment transactions. The EPC assumed all the former duties of the European Committee for Banking Standards (“ECBS”) in 2006.  It is now the major driver behind the Single[..]

External Authentication

External authentication is the use of third-party authentication sources to decide whether a user should be allowed access to a system, and often what level of access an authenticated user enjoys on a system. In file transfer, external authentication frequently refers to the use of Active Directory (AD), LDAP or RADIUS servers, and also refer[..]

Extreme File Transfer

Here at Pro2col we’re increasingly being asked by our clients to help them move large data sets. The amount of data as everyone knows is increasing in size, as are file sizes. It is now common in our discussions to talk about files of many Gigabytes in size. The challenge this presents however is how[..]


The FDIC (“Federal Deposit Insurance Corporation”) directly examines and supervises more than 4,900 United States banks for operational safety and soundness.  (As of January 2011, there were just less than 10,000 banks in the United States; about half are chartered by the federal government.) As part of its bank examinations, the FDIC often inspects the[..]

Federal Reserve

The Federal Reserve (also “the Fed”) is the central bank of the United States.  It behaves like a regulatory agency in some areas, but its main role in the file transfer industry is as the primary clearinghouse for interbank transactions batched up in files.  Nearly every bank or bank service center has a file transfer[..]


The FFIEC (“Federal Financial Institutions Examination Council”) is a United States government regulatory body that ensures that principles, standards, and report forms are uniform across the most important financial regulatory agencies in the country. The agencies involved include the Federal Reserve (“the Fed”), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA),[..]

FIPS 140-2

FIPS 140-2 is the most commonly referenced cryptography standard published by NIST.  “FIPS 140-2 cryptography” is a phrase used to indicate that NIST has tested a particular cryptography implementation and found that it meets FIPS 140-2 requirements. Among other things, FIPS 140-2 specifies which encryption algorithms (AES and Triple DES), minimum bit lengths, hash algorithms[..]

FIPS 140-3

FIPS 140-3 will soon replace FIPS 140-2 as the standard NIST uses to validate cryptographic libraries. The standard is still in draft status, but could be issued in 2011. FIPS 140-2 has four levels of security: most cryptographic software uses “Level 1” and most cryptographic hardware uses “Level 3”.  FIPS 140-3 expands that to five[..]

FIPS Compliant

“FIPS compliant” is a slippery phrase that often indicates that the cryptography used in a particular solution implements some or all the algorithms specified in FIPS 140-2 (e.g., AES) but that the underlying cryptography component has not been validated by NIST laboratories. “FIPS validated” is much stronger statement.

FIPS Validated

“FIPS validated” is a label that indicates that the cryptography used in a particular solution implements some or all the algorithms specified in FIPS 140-2 (e.g., AES) and that the underlying cryptography component has been validated by NIST laboratories.  See “FIPS compliant” for a weaker statement.


Mozilla’s Firefox is a free, open source web browser that offers a similar browsing experience across a wide variety of desktop operating systems, including Windows, Macintosh and some Linux variants. As of December 2010, Firefox held about 30% of the desktop browser market, making it the #2 browser behind Internet Explorer.  Firefox uses an aggressive[..]


Mime Čuvalo’s FireFTP is a free, full-featured, interactive FTP client that plugs into Mozilla Firefox as an add-on. FireFTP offers support for FTP, FTPS, SFTP and can remember a large number of connection profiles.  FireFTP supports integrity checks using MD5 and SHA1, file compression on the fly (i.e., “MODE Z”), support for most FireFox platforms,[..]

Firewall Friendly

A file transfer protocol that is “firewall friendly” typically has most or all of the following attributes: 1) Uses a single port 2) Connects in to a server from the Internet 3) Uses TCP (so session-aware firewalls can inspect it) 4) Can be terminated or proxied by widely available proxy servers For example: Active-mode FTP[..]


FTP (“File Transfer Protocol”) is the granddaddy of all modern TCP-based file transfer protocols. The default port for FTP is Port 21. Regardless of your personal feelings or experiences with this venerable and expansive protocol, you must be fluent in FTP to be effective in any modern file transfer situation because all other protocols are[..]

FTP File Transfer

The FTP File Transfer Protocol is a method used to transfer files from one computer to another through a network whether that’s an internal network (from one computer to another within the same network) or more commonly a Wide Area Network such as the Internet. An FTP site is a server, hosted on the Internet[..]

FTP with PGP

The term “FTP with PGP” describes a workflow that combines the strong end-to-end encryption, integrity and signing of PGP with the FTP transfer protocol.  While FTPS can and often should be used to protect your FTP credentials, the underlying protocol in FTP with PGP workflows is often just plain old FTP. BEST PRACTICE: (If you[..]

FTPS File Transfer

FTPS File Transfer, FTP Secure or FTP-SSL as it can be referred to, is a secure means of sending data over a network. Often misidentified as SFTP (an independent communications protocol in its own right), FTPS describes the sending of data using basic FTP run over a cryptographic protocol such as SSL (Secure Socket Layers) or TLS (Transport Layer Security).  The default port[..]

General Data Protection Regulation (GDPR)

GDPR is a stringent set of security measures relating to how and where personal data is collected, handled and used. Individuals can request to have their data deleted, see what data is held about them and provide consent as to how their data can be used. To download a copy of our whitepaper please click[..]

Gramm-Leach-Bliley (GLBA)

The Gramm-Leach-Bliley Act of 1999, also known as The Financial Modernisation Act, details regulations that financial institutions must be adhered to, in order to protect consumers’ financial information. The GLBA law governs all financial institutions that hold what is classed as ‘personal data’ including, insurance companies, security firms, banks, credit unions and retailers providing credit[..]

HTTP File Transfer

HTTP File Transfer (Hypertext File Transfer Protocol) is a set of rules for exchanging files on the World Wide Web. HTTP defines how messages are formatted and sent, as well as the actions web servers and browsers should take in response to commands. A browser is used to send an HTTP command to a web[..]

HTTPS File Transfer

HTTPS file transfer describes the combination of HTTP (Hypertext Transfer Protocol) and a secure protocol such as SSL or Transport Layer Security (TLS). It is used to send sensitive data over unsecured networks, for example the Internet. These individual protocols operate on different levels of the ‘network layer’, derived from the TCP/IP model to create[..]

Internal Controls

In file transfer, the term “internal controls” refers to both technology and manual (human-performed) procedures used to mitigate against risk.  Examples of typical internal technology include firewalls, secure file transfer software and standalone encryption packages.  Examples of manual internal control procedures include background checks, “multiple signer” document approval workflows and training to steer people away[..]

Internet Protocol Suite

The Internet Protocol Suite is a term used to describe the set of communication protocols, developed individually by the IT community, for sending data over computer networks such as the Internet. TCP (Transmission Control Protocol) and IP (Internet Protocol) were the first two protocols included in the Internet Protocol Suite and are the basis from[..]


IPv6 is the name of the networking protocol which is rapidly replacing the use of IPv4 in wake of widespread IPv4 exhaustion.  IPv6 is defined in 1998’s RFC 2460. IPv6 addresses are written in “colon notation” like “fe80:1343:4143:5642:6356:3452:5343:01a4” rather than the “dot notation” used by IPv4 addresses such as ”″.  IPv6 DNS entries are[..]

ISO 27001

ISO 27001 is an Information Security Management Standard (ISMS), published in October 2005 by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) Essentially an updated version of the old BS7799-2 standard, ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System[..]

LAN (Local Area Network)

LAN is the abbreviation used to describe a Local Area Network. The term “Local Area Network” refers to a computer network that covers a small physical area, usually confined to one building or a small group of buildings e.g. a home network or a business network. A LAN is usually implemented to connect local workstations,[..]


The term latency is an expression for the period of time taken to send a data packet from a source to the intended destination, the higher the latency the slower the data transmission. This incorporates all elements of the file sending process – including encoding, transmission, and decoding. Certain delivery protocols such as FTP are[..]


LDAP is a type of external authentication that can provide rich details about authenticated users, including email address, group membership and client certificates. LDAP connection use TCP port 389 but can (and should) be secured with SSL.  When LDAP is secured in this manner, it typically uses TCP port 636 and is often referred to[..]


LDAPS refers to LDAP connections secured with SSL, typically over TCP port 636. See “LDAP” for more information.

Leased Line

A leased line is a dedicated, communications line set up between 2 end points by a telecommunications specialist. Not physical in nature, leased lines are in reality a reserved circuit and do not have a telephone number, each side of the circuit being permanently connected to the other. Leased lines can be used for telephone[..]

Managed File Transfer

Managed file transfer is an industry term used to describe a hardware or software solution that facilitates the movement of large files both inside and outside of the business, whilst maintaining the security and integrity of sensitive data. Although many managed file transfer solutions are built using the FTP file transfer protocol, the phrase was[..]


In file transfer, a “map” is usually short for “transformation map“, which provides a standardised way to transform one document format into another through the use of pre-defined document definitions. See “transformation map” for more information.


In file transfer, a “mapper” is a common name for a “transformation engine” that converts documents from one document definition to another through “transformation maps“. See “transformation engine” for more information.


MD4 (“Message Digest [algorithm] #4”) is best known as the data integrity check standard (a.k.a. “hash”) that inspired modern hashes such as MD5, SHA-1 and SHA-2.  MD4 codes are 128-bit numbers and are usually represented in hexadecimal format (e.g., “9508bd6aab48eedec9845415bedfd3ce”). Use of MD4 in modern file transfer applications is quite rare, but MD4 can be[..]


MD5 (“Message Digest [algorithm] #5”) is the most common data integrity check standard (a.k.a. “hash”) used throughout the world today.  MD5 codes are 128-bit numbers and are usually represented in hexadecimal format (e.g., “9508bd6aab48eedec9845415bedfd3ce”). MD5 was created in 1991 as a replacement for MD4 and its popularity exploded at the same time use of the[..]


An MDN (“Message Disposition Notification”) is the method used by the AS1, AS2 and AS3 protocols (the “AS protocols”) to return a strongly authenticated and signed success or failure message back to the senders of the original file.  Technically, MDNs are an optional piece of any AS protocol, but MDNs’ critical role as the provider[..]

Message-Oriented Middleware

Message-Oriented Middleware (“MOM”) is software that delivers robust messaging capabilities across heterogeneous operation systems and application environments.   Up through the early 2000’s MOM was the backbone of most EAI (“Enterprise Application Integration”) inter-application connectivity.  Today, that role largely belongs to to ESB (“Enterprise Service Bus”) infrastructure instead.    


In file transfer, “metadata” usually refers to information about files moved through a file transfer system.  Examples of metadata include usernames of original submitter, content types, paths taken through the system so far and affirmations of antivirus or DLP checks. Metadata such as suggested next steps is often submitted to file transfer applications in control[..]

Microsoft Cluster Server

Microsoft Cluster Server (“MSCS”) is a Microsoft-specific high availability technology that provides a failover capability to pairs of its servers. Like “web farm”, the term “clustering” is a vendor-neutral term, but every vendor that does clustering does it a little differently, and provides cluster services at different levels (typically at the hardware, OS or application[..]


Middleware is a software architecture concept that refers to integration of disparate applications to facilitate reliable communication.  Middleware frequently relies on encapsulating inter-application communications in the concept of an “message”, and often has the ability to queue or perform optimized delivery or copying of messages to various applications. Common types of middleware include EAI (“Enterprise[..]


In the context of file transfer, MOM stands for “Message-Oriented Middleware“, which is software that delivers robust messaging capabilities across heterogeneous operation systems and application environments.  


MSCS is an abbreviation for “Microsoft Cluster Server“, which is a Microsoft-specific high availability technology that provides a failover capability to pairs of its servers.


The NCUA (“National Credit Union Administration”) is like the FDIC for credit unions.  It provides insurance to credit unions and expects a solid level of operations in return.   It provides regulations and audits member credit unions for fitness. The NCUA’s official web site is See also: “FFIEC” (umbrella regulation, including state chartered banks), “FDIC”[..]

Network Layer

The concept of a network layer or ‘layered network’, was developed to account for the rapid changes that occur in technology. This concept allowed for the inclusion of newly developed protocols to work alongside one another to achieve a specified task, for example a secure file transfer. The Higher layers of a network are closer[..]


NIST (“National Institute of Standards and Technology”) is a United States based standards body whose influence on the file transfer industry is felt most heavily through its FIPS 140-2 encryption and hashing standard.  It is also the keeper of many other security standards which must be met if file transfer technology is used in or[..]


Non-repudiation (also “nonrepudiation”) is the ability to prove beyond a shadow of doubt that a specific file, message or transaction was sent at particular time by a particular party from another party.  This proof prevents anyone from “repudiating” the activity: later claiming that the file, message or transaction was not sent, that it was sent[..]


The OCC (“Office of the Comptroller of the Currency”) is an independent bureau of the United States Treasury Department.  It charters, regulates and supervises all national banks. It also supervises the federal branches and agencies of foreign banks.  In its regulatory role, it is similar to the FDIC. The OCC’s official web site is[..]


OLA is an abbreviation for “Operating Level Agreement“, which is a type of internal agreement between departments that make it possible for file transfer operations to achieve their SLAs (Service Level Agreements). See “Operating Level Agreement” for more information.


To onboard a user or onboard a partner is to set up all the necessary user accounts, permissions, workflow definitions and other elements necessary to engage in electronic transfers of information with those users and partners. Automatic onboarding of users or partners usually involves external authentication technology of some kind.   When that technology involves particularly[..]

Operational Level Agreement

An operational level agreement (OLA) is a less stringent form of service level agreement (SLA) typically set up between two departments in the same organisation, especially when an OLA is set up to help support a customer-facing SLA. See “Service Level Agreement” for more information


Orchestration is the ability to control operational flows and activities based on business rules, especially in multi-application systems complicated enough to require middleware such as ESB (“Enterprise Service Bus”) or the older MOM (“Message-Oriented Middleware”). In the context of a file transfer system, orchestration often refers to the ability to apply automation such as triggers,[..]


The OTS (“Office of Thrift Supervision”) is a United States Treasury Department office that oversees “savings and loans”, particularly those involved in real estate mortgages.  The OTS examines each member institution every 12-to-18 months to assess the institution’s safety and soundness.   In that role, it behaves much like the FDIC does with federally chartered banks.[..]


The term “package” can mean different things in different file transfer situations. “Installation package” – A file that contains all the executables, installation scripts and other data needed to install a particular application.  This file is usually a compressed file and is often a self-extracting compressed file. “Package sent to another person” – Very similar[..]


In the world of IT, packet or packets is the term used to describe a unit of data, such as bytes or characters. When sending data over a network, messages or files are broken down into manageable packets before transmission. These packets can also be referred to as a datagram, a segment, a block, a[..]

Payment Card Industry Data Security Standard (PCI DSS)

The PCI Security Standards Council is an open global forum and was formed in 2006 – the 5 founding global payment brands include: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. A Global Security Standard, PCI DSS comprises of 12 comprehensive requirements designed to enhance the security of cardholder data. The[..]


PCI stands for “Payment Card Industry”.  In file transfer, “PCI compliance” frequently refers to a deployed system’s ability to adhere to the standard outlined in “PCI DSS” – a security regulation for the credit card industry.  “PCI certification” is achieved when a PCI compliant system is audited by a PCI Council-approved firm and that third-party[..]

PCI Council

The “PCI Council” is a short name for “PCI Security Standards Council”, the vendor-independent consortium behind PCI (“Payment Card Industry”) standards.


The “PCI DSS” (PCI Data Security Standard) is a credit card industry security standard. It is currently on version 2.0.

PCI Security Standards Council

The PCI Security Standards Council is the vendor-independent consortium behind the PCI (“Payment Card Industry”) standards.

Personal Data

Personal data means any data that makes a living person identifiable. This could be ‘direct’, such as their name, or ‘indirect’. This is where combined information could identify the person. GDPR refers to special categories or sensitive data. This includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership,[..]


PeSIT is an open file transfer protocol often associated with Axway. Like Sterling Commerce’s proprietary NDM file transfer protocol, PeSIT has now been written into the standard communication specifications of several industry consortiums and government exchanges, thus ensuring a high degree of long-term dependence on Axway technology. PeSIT is required far more often in Europe[..]


PGP (“Pretty Good Privacy”) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.


Provisioning is the act of adding access to and allocating resources to end users and their file transfer workflows.  It is often used interchangeably with the term “onboarding“. The act of provisioning should always be audited, and the audit information should include the identity of the person who authorized the act and any technical actions[..]


QOS stands for “Quality Of Service”.  See “Quality of Service” for more information.

Quality of Service

Quality of Service (or “QOS”) is the ability to describe a particular level of service and then intelligently allocate resources to reliably provide that level of service.  A common example of general QOS capabilities is found in the “traffic shaping” features of routers: different types of traffic (e.g., web surfing, videoconferencing, voice, etc.) share a[..]


RADIUS is an authentication protocol that supports the use of username, password and sometimes one extra credential number such as a hardware token PIN. In file transfer applications, RADIUS sign on information can be collected by web-based, FTP-based or other file transfer prompts and then tried against trusted RADIUS servers.  When a file transfer application[..]


RFI stands for “Request for Information” and is used to ask which products and services are available to meet your file transfer needs and to get information about the firms behind the offerings.   The utility of RFIs in the acquisition of technology declined significantly with the rise of the world wide web, as much of[..]


RFP stands for “Request For Proposal” and allows multiple vendors to suggest a specific solution to your specific challenges in a well-documented and repeatable format. Good responses to a file transfer RFP will answer your questions about: Vendors’ ability to execute (e.g., experience, expertise) Vendors’ position in the industry (e.g., innovator, total solution, value-priced) Products’[..]

Right to Erasure

Under GDPR, the data subject has the right to request erasure of personal data.

Sarbanes Oxley (SOX)

The Sarbanes Oxley Act is a US federal law, enacted on 30th July 2002, governing financial reporting and accountability processes within public companies. The legislation was brought into force as a safeguard, following a succession of corporate accounting scandals, involving a number of high profile organisations. These companies purposefully manipulated financial statements, costing investors billions[..]

Secure File Transfer

Security is of paramount importance in today’s corporate environments, due to the sensitive nature of the information that they hold. Industry standards such as PCI DSS, Sarbanes Oxley and HIPAA dictate an organisation’s responsibility to secure such information and as such, the need for secure file transfer solutions has become a priority. A number of[..]


Self-provisioning is the ability for individual end users and partners to set up (or “provision“) their own accounts. Self-provisioning is a common element of most cloud services but remains relatively rare in file transfer applications.  A major difference between those environments is that self-provisioning in cloud services usually involves linking a credit card or other[..]


The Single Euro Payments Area (SEPA) is an EU initiative to unify payments within the EU.  It is primarily driven by the European Payments Council.  (SEPA is not, by itself, a standard.)

Service Level Agreement

A file transfer service level agreement (SLA) establishes exactly what a particular customer should expect from a particular file transfer provider, and how that customer should seek relief for grievances. A file transfer SLA will often contain the following kinds of service expectations: Availability: This expresses how often the file transfer service is expected to[..]

SFTP File Transfer

SFTP file transfer or the ‘SSH file transfer protocol’ as it is more formally known, is a network communications protocol used for sending data securely over a network. A common misconception associated with SFTP is that it uses FTP run over SSH – this is not the case. SFTP, sometimes referred to as ‘secure file[..]


SHA-1 (“Secure Hash Algorithm #1”, also “SHA1”) is the second most common data integrity check standard (a.k.a. “hash”) used throughout the world today.  SHA-1 codes are 160-bit numbers and are usually represented in hexadecimal format (e.g., “de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3”). SHA-1 is the least secure hash algorithm NIST currently supports in its FIPS validated[..]


SHA-2 (“Secure Hash Algorithm #2”) is the most secure hash algorithm NIST currently supports in its FIPS validated cryptography implementations.  SHA-2 is really a collection of four hashes (SHA-224, SHA-256, SHA-384 and SHA-512), all of which are stronger than SHA-1. Complete SHA-2 implementations in file transfer are still uncommon but becoming more common as time[..]


SHA-224 is the 224-bit component of the “SHA-2” data integrity check standard (a.k.a. “hash”).  It is not a unique hash algorithm within the SHA-2 standard but is instead a truncated version of SHA-256. See “SHA-2” for more information.


SHA-256 is the 256-bit component of the “SHA-2” data integrity check standard (a.k.a. “hash”).  Like SHA-512, it is one of two unique algorithms that make up a SHA-2 hash, but SHA-256 is optimized for 32-bit calculations rather than 64-bit calculations. See “SHA-2” for more information.


SHA-3 refers to the new hash algorithm NIST will choose to someday replace SHA-2.   A contest to select the new hash is scheduled to conclude in 2012.


SHA-384 is the 384-bit component of the “SHA-2” data integrity check standard (a.k.a. “hash”).  It is not a unique hash algorithm within the SHA-2 standard but is instead a truncated version of SHA-512. See “SHA-2” for more information.


SHA-512 is the 512-bit component of the “SHA-2” data integrity check standard (a.k.a. “hash”).  Like SHA-256, it is one of two unique algorithms that make up a SHA-2 hash, but SHA-512 is optimized for 64-bit calculations rather than 32-bit calculations. See “SHA-2” for more information.


SLA is an abbreviation for “Service Level Agreement“, which is a specific contract between a customer and a provider that lays out exactly what each side can expect from the other.   The minimum amount of work and minimum level of due care that a file transfer operations team is responsible for is often determined[..]


SMTP is an email protocol used to push messages and attachments from server to server.  Many technologies have been used to secure SMTP over the years, but the best technologies available today use SSL (version 3) or TLS to secure the entire SMTP connection. SMTP typically uses TCP port 25 to move unsecured traffic and[..]

SSH File Transfer

SSH (Secure Shell) is a network protocol used to establish a secure connection between a client and server. Once a connection has been established, it acts like an encrypted tunnel down which data can be exchanged securely. SSH file transfer is used to maintain the confidentiality and integrity of data communications over insecure networks such[..]


SSL (“Secure Sockets Layer”) was the first widely-deployed technology used to secure TCP sockets.  Its use in HTTPS (HTTP over SSL) allowed the modern age of “ecommerce” to take off on the world wide web and it has also been incorporated into common file transfer protocols such as FTPS (FTP over SSL) and AS2. In[..]

Subject Access Requests (SARs)

Under GDPR, the data subject has the right to request all personal data a data controller has on them. This includes their supply chain.


The Society for Worldwide Interbank Financial Telecommunication (SWIFT) runs a popular system used by banks around the world to quickly exchange transactions with each other.  Most international interbank messages use this system.  Unlike clearing houses or other institutions that provide intermediate or final settlement of financial transactions, SWIFT is simply a secure transaction service.  Remote[..]

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is the abbreviation of ‘The Health Insurance Portability and Accountability Act’. It is a US federal law governing the protection and privacy of sensitive, patient health care information. Proposed in 1996 by Congress, HIPAA was finally brought into enforcement by the Department of Health and Human Services (HHS) in 2001. The objective of HIPAA[..]


TLS (“Transport Layer Security”) is the modern version of SSL and is used to secure TCP sockets.  TLS is specified in RFC 2246 (version 1.0), RFC 4346 (version 1.1) and RFC 5246 (version 1.2).  When people talk about connections “secured with SSL”, today TLS is the technology that’s really used instead of older editions of[..]

Transformation Engine

A translation engine is software that performs the work defined in individual transformation maps. The transformation engines that power transformation maps are typically defined as “single-pass” or “multiple-pass” engines.  Single-pass engines are faster than multiple-pass engines because documents are directly translated from source formats to destination formats, but single-pass engines often require more manual setup[..]

Transformation Map

A transformation map (or just “map”) provides a standardised way to transform one document format into another through the use of pre-defined document definitions. A single transformation map typically encompasses separate source and destination document definitions, a field-by-field “mapping” from the source document to the destination, and metadata such as the name of the map,[..]

Translation Engine

In file transfer, a “translation engine” is a common name for a “transformation engine” that converts documents from one document definition to another through “transformation maps“. See “transformation engine” for more information.

Transmission Control Protocol (TCP)

TCP (Transmission Control Protocol) is one of the two core protocols used in Data Communications, the second core protocol being IP. Part of the Internet Protocol Suite (often referred to as TCP/IP), TCP is a transport layer responsible for higher-level operations. It provides reliable, ordered delivery of data packets between two locations and can also[..]

Transmission Window

A transmission window is a window of time in which certain file transfers are expected or allowed to occur. Transmission windows typically reoccur on a regular basis, such as every day, on all weekdays, on a particular day of the week, or on the first or last day of the month or quarter. Most transmission[..]

Trigger File

A “trigger file” is a common type of control file used to initiate further processing or retransmission.  Trigger files are typically created by the same application that original sends files into a file transfer system. The two most common types of trigger files are files with similar names to the files that need to be[..]

Triple DES

3DES (also “Triple DES”) is an open encryption standard that offers strong encryption at 112-bit and 168-bit strengths. 3DES is a symmetric encryption algorithm often used today to secure data in motion in both SSH and SSL/TLS.  (After asymmetric key exchange is used perform the handshake in a SSH or SSL/TLS sessions, data is actually[..]


Software, systems and processes that are “validated” against a standard are typically better than those merely in “compliance” with a standard.  Validation means that a third-party agency such as NIST or the PCI Council has reviewed and tested the claim of fidelity to a standard and found it to be true.  Validating agencies will usually[..]


VAN stands for “Value Added Network”.  A VAN is a data transfer service that uses EDI and/or file transfer protocols to connect to dozens, hundreds or even thousands of businesses.  VANs are often industry-specific; the ones that are will usually connect to almost every major supplier and consumer within that industry (e.g., auto parts). As[..]


As a somewhat abstract definition, it is crucial to understand the context in which we are using the word ‘virtual’ before moving onto the definition of virtualisation. The term virtual, in this scenario is defined as “computing not physically existing as such but made by software to appear to do so”. Virtualisation as a concept[..]

Web Farm

A “web farm” is a high availability application architecture that is common to many vendors and products.  It usually involves the use of multiple web (HTTP/S) application servers, each serving the same function, and often relying on the use of round-robin session distribution from a network load balancer (NLB).    However, the term is also often[..]

Wide Area Network (WAN)

A network that spans a wide geographical area is referred to as a WAN (Wide Area Network). A WAN consists of a collection of LAN’s (Local Area Networks) connected by a router that maintains both the LAN information and the WAN information. The WAN side of the router will then connect to a communications link[..]


WS_FTP Home was a commercial file transfer client for Windows desktops.  It was in the market for about five years but was retired in favor of a new edition of WS_FTP LE in 2010. WS_FTP Home offered a two-panel user interactive user interface and batch scripts that can be scheduled with Windows scheduler.  The protocols[..]


WS_FTP LE is a free commercial file transfer client for Windows desktops.  The current edition is built on WS_FTP Home‘s code base and was reintroduced to the market in 2010. WS_FTP LE offers a two-panel user interactive interface and its supported protocols are all variants of FTP/S. WS_FTP LE is a stripped down version of[..]

WS_FTP Professional

WS_FTP Professional is a commercial file transfer client for Windows desktops.  It offers a two-panel user interactive interface and batch scripts that can be scheduled with Windows scheduler.  Supported protocols include FTP/S and SFTP, plus proprietary HTTPS connections to MOVEit DMZ. BEST PRACTICE: The WS_FTP clients still constitute one of the most popular desktop FTP[..]

X.509 Certificate

An X.509 certificate is a high-security credential used to encrypt, sign and authenticate transmissions, files and other data.  X.509 certificates secure SSL/TLS channels, authenticate SSL/TLS servers (and sometimes clients), encrypt/sign SMIME, AS1, AS2, AS3 and some “secure zip” payloads, and provide non-repudiation to the AS1, AS2 and AS3 protocols. The relative strength of various certificates[..]