AES (“Advanced Encryption Standard”) is an open encryption standard that offers fast encryption at 128-bit, 192-bit and 256-bit strengths. AES is a symmetric encryption algorithm often used today to secure data in motion in both SSH and SSL/TLS.  (After a symmetric key exchange is used to perform the handshake in an SSH or SSL/TLS session,[..]


ANSI X.9 (or “ANSI/X.9”) is a group of standards commonly used with bulk data transmissions in item processing and Fed transfers. An example of an ANSI X.9 standard is “ANSI X9.100-182-2011” which covers how XML can be used to deliver bulk data and images. Published ANSI standards may include some technical artifacts such as XML[..]


AS2 (“Applicability Statement 2”) is an SMIME-based transfer protocol that uses HTTP/S to transmit files with end-to-end encryption and guaranteed delivery/non-repudiation (when MDNs are in use). There are two main reasons that AS2-based transmission systems are unpopular unless specifically requested by particular partners are complexity and cost. In terms of complexity, AS2 configurations can involve[..]

AS2 Optional Profiles

AS2 optional profiles (also “optional AS2 profiles”) are features built into the AS2 protocol but not used by every Drummond certified vendor.  However, the Drummond Group does validate seven different optional profiles (nine total) and these are briefly covered below. Certificate Exchange Messaging (CEM) – A standard way of exchanging certificates and information about how[..]


B2B (“business to business”) is a market definition (a “space”) that covers technology and services that allow file and other transmissions to be performed between businesses (i.e., not between consumers).  B2B covers a lot of conceptual ground, from simple “file transfer” and “secure file transfer” to more sophisticated “managed file transfer” and up through traditional[..]


A Bank Identifier Code (BIC) is an 8 or 11 character ISO code used in SWIFT transactions to identify a particular financial institution.   (BICs are also called “SWIFT addresses” or “SWIFT codes”.)  The format of the BIC is determined by ISO 9362, which now provides for unique identification codes for both financial and non-financial organisations.[..]

Certification (Software and Systems)

Certification of software and systems against a standard is better than having software and systems merely in “compliance” with a standard.  Certification means that a third-party agency such as NIST or the PCI Council has reviewed and tested the claim of fidelity to a standard and found it to be true.  Certifying agencies will usually[..]

Certification (Training)

Individuals working in the file transfer industry frequently have earned one or more certifications through training and testing.  These certifications generally fall into one of three categories: File Transfer Security Certification: (ISC)2 and SANS certified individuals have a good understanding of security from a vendor-neutral point of view.  (CISSP is an (ISC2)2 certification; CCSK is[..]

Check 21

“Check 21” is the common name for the United States’ Check Clearing for the 21st Century Act, a federal law enacted in 2003 that enabled banks to phase out paper check handling by allowing electronic check images (especially TIFF-formatted files) to serve all the same legal roles as original paper checks. Check 21’s effect on[..]


“Compliance” to a standard is weaker than “validation” or “certification” against a standard.  Compliance indicates that a vendor recognizes a particular standard and has chosen to make design decisions that encompass most, if not all, of the standard. When a vendor has implemented all of the required standard, that vendor will frequently upgrade their statement[..]


CRC (“cyclic redundancy check”) is an early data integrity check standard (a.k.a. “hash”).  Most CRC codes are 32-bit numbers and are usually represented in hexadecimal format (e.g., “567890AB”). CRC was commonly used with modem-based data transfer systems because it was cheap to calculate and fast on early computers.   Its use carried over into FTP software[..]

Data Controller

This is the individual within an organisation who is responsible for the data. The data controller defines the data collected and the reasons for processing.

Data Portability

Under GDPR, individuals have the right to have their personal data transferred to another system or organisation.

Data Processor

Someone who processes data on behalf of the Data Controller.

Data Protection Act

The Data Protection Act of 1998 was brought into force on March 1st 2000. Introduced to give UK citizens the right to access personal information held by ‘data controllers’ (any individual within an organisation handling personal data) within the United Kingdom, the Data Protection Act also details principles concerning the way in which this sensitive[..]

Data Protection Impact Assessment (DPIA)

This is a document that describes the nature of the data, the purpose of the transfer, how it is performed and the security configuration. A DPIA is a key requirement of GDPR.


DES (“Digital Encryption Standard”) is an open encryption standard that offers weak encryption at 56-bit strength.  DES used to be considered strong encryption, but the world’s fastest computers can now break DES in near real time.  A cryptographically valid improvement on DES is 3DES (“Triple DES”) – a strong encryption standard that is still in[..]

Drummond Certified

In the file transfer industry, “Drummond Certified” typically indicates that the AS2 implementation in a particular software package has been tested and approved by the Drummond Group. Most file transfer protocols follow RFCs, and AS2 is no exception.  (AS2 is specified in RFC 4130, and the “MDNs” AS2 relies on are specified in RFC 3798). [..]

Drummond Group

The Drummond Group is a privately held test laboratory that is best known in the file transfer industry as the official certification behind the AS2 standard.  See “Drummond Certified” for more information about the AS2 certification. The Drummond Group also offers AS1 and ebXML validation, quality assurance and other related services.


The European Committee for Banking Standards (“ECBS”) was a standards body that focused on European banking technology and infrastructure.  It was formed in 1992 and disbanded in 2006; it has since been replaced by the European Payments Council. It is still common to see references to the ECBS in GSIT and PeSIT documentation.

European Payments Council

The European Payments Council (“EPC”) coordinates European inter-banking technology and protocols, particularly in relation to payments.  In 2011 the EPC boasted that it processed 71.5 billion electronic payment transactions. The EPC assumed all the former duties of the European Committee for Banking Standards (“ECBS”) in 2006.  It is now the major driver behind the Single[..]


The FDIC (“Federal Deposit Insurance Corporation”) directly examines and supervises more than 4,900 United States banks for operational safety and soundness.  (As of January 2011, there were just less than 10,000 banks in the United States; about half are chartered by the federal government.) As part of its bank examinations, the FDIC often inspects the[..]


The FFIEC (“Federal Financial Institutions Examination Council”) is a United States government regulatory body that ensures that principles, standards, and report forms are uniform across the most important financial regulatory agencies in the country. The agencies involved include the Federal Reserve (“the Fed”), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA),[..]

FIPS 140-2

FIPS 140-2 is the most commonly referenced cryptography standard published by NIST.  “FIPS 140-2 cryptography” is a phrase used to indicate that NIST has tested a particular cryptography implementation and found that it meets FIPS 140-2 requirements. Among other things, FIPS 140-2 specifies which encryption algorithms (AES and Triple DES), minimum bit lengths, hash algorithms[..]


FTP (“File Transfer Protocol”) is the granddaddy of all modern TCP-based file transfer protocols. The default port for FTP is Port 21. Regardless of your personal feelings or experiences with this venerable and expansive protocol, you must be fluent in FTP to be effective in any modern file transfer situation because all other protocols are[..]

FTPS File Transfer

FTPS File Transfer, FTP Secure or FTP-SSL as it can be referred to, is a secure means of sending data over a network. Often misidentified as SFTP (an independent communications protocol in its own right), FTPS describes the sending of data using basic FTP run over a cryptographic protocol such as SSL (Secure Socket Layers) or TLS (Transport Layer Security).  The default port[..]

General Data Protection Regulation (GDPR)

GDPR is a stringent set of security measures relating to how and where personal data is collected, handled and used. Individuals can request to have their data deleted, see what data is held about them and provide consent as to how their data can be used. To download a copy of our whitepaper please click[..]

Gramm-Leach-Bliley (GLBA)

The Gramm-Leach-Bliley Act of 1999, also known as The Financial Modernisation Act, details regulations that financial institutions must be adhered to, in order to protect consumers’ financial information. The GLBA law governs all financial institutions that hold what is classed as ‘personal data’ including, insurance companies, security firms, banks, credit unions and retailers providing credit[..]

HTTPS File Transfer

HTTPS file transfer describes the combination of HTTP (Hypertext Transfer Protocol) and a secure protocol such as SSL or Transport Layer Security (TLS). It is used to send sensitive data over unsecured networks, for example the Internet. These individual protocols operate on different levels of the ‘network layer’, derived from the TCP/IP model to create[..]


IPv6 is the name of the networking protocol which is rapidly replacing the use of IPv4 in wake of widespread IPv4 exhaustion.  IPv6 is defined in 1998’s RFC 2460. IPv6 addresses are written in “colon notation” like “fe80:1343:4143:5642:6356:3452:5343:01a4” rather than the “dot notation” used by IPv4 addresses such as ”″.  IPv6 DNS entries are[..]

ISO 27001

ISO 27001 is an Information Security Management Standard (ISMS), published in October 2005 by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) Essentially an updated version of the old BS7799-2 standard, ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System[..]


LDAP is a type of external authentication that can provide rich details about authenticated users, including email address, group membership and client certificates. LDAP connection use TCP port 389 but can (and should) be secured with SSL.  When LDAP is secured in this manner, it typically uses TCP port 636 and is often referred to[..]


LDAPS refers to LDAP connections secured with SSL, typically over TCP port 636. See “LDAP” for more information.


MD4 (“Message Digest [algorithm] #4”) is best known as the data integrity check standard (a.k.a. “hash”) that inspired modern hashes such as MD5, SHA-1 and SHA-2.  MD4 codes are 128-bit numbers and are usually represented in hexadecimal format (e.g., “9508bd6aab48eedec9845415bedfd3ce”). Use of MD4 in modern file transfer applications is quite rare, but MD4 can be[..]


MD5 (“Message Digest [algorithm] #5”) is the most common data integrity check standard (a.k.a. “hash”) used throughout the world today.  MD5 codes are 128-bit numbers and are usually represented in hexadecimal format (e.g., “9508bd6aab48eedec9845415bedfd3ce”). MD5 was created in 1991 as a replacement for MD4 and its popularity exploded at the same time use of the[..]


NIST (“National Institute of Standards and Technology”) is a United States based standards body whose influence on the file transfer industry is felt most heavily through its FIPS 140-2 encryption and hashing standard.  It is also the keeper of many other security standards which must be met if file transfer technology is used in or[..]


PCI stands for “Payment Card Industry”.  In file transfer, “PCI compliance” frequently refers to a deployed system’s ability to adhere to the standard outlined in “PCI DSS” – a security regulation for the credit card industry.  “PCI certification” is achieved when a PCI compliant system is audited by a PCI Council-approved firm and that third-party[..]

PCI Council

The “PCI Council” is a short name for “PCI Security Standards Council”, the vendor-independent consortium behind PCI (“Payment Card Industry”) standards.


The “PCI DSS” (PCI Data Security Standard) is a credit card industry security standard. It is currently on version 2.0.

PCI Security Standards Council

The PCI Security Standards Council is the vendor-independent consortium behind the PCI (“Payment Card Industry”) standards.


PeSIT is an open file transfer protocol often associated with Axway. Like Sterling Commerce’s proprietary NDM file transfer protocol, PeSIT has now been written into the standard communication specifications of several industry consortiums and government exchanges, thus ensuring a high degree of long-term dependence on Axway technology. PeSIT is required far more often in Europe[..]


PGP (“Pretty Good Privacy”) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.


RADIUS is an authentication protocol that supports the use of username, password and sometimes one extra credential number such as a hardware token PIN. In file transfer applications, RADIUS sign on information can be collected by web-based, FTP-based or other file transfer prompts and then tried against trusted RADIUS servers.  When a file transfer application[..]

SFTP File Transfer

SFTP file transfer or the ‘SSH file transfer protocol’ as it is more formally known, is a network communications protocol used for sending data securely over a network. A common misconception associated with SFTP is that it uses FTP run over SSH – this is not the case. SFTP, sometimes referred to as ‘secure file[..]


SHA-2 (“Secure Hash Algorithm #2”) is the most secure hash algorithm NIST currently supports in its FIPS validated cryptography implementations.  SHA-2 is really a collection of four hashes (SHA-224, SHA-256, SHA-384 and SHA-512), all of which are stronger than SHA-1. Complete SHA-2 implementations in file transfer are still uncommon but becoming more common as time[..]


SHA-224 is the 224-bit component of the “SHA-2” data integrity check standard (a.k.a. “hash”).  It is not a unique hash algorithm within the SHA-2 standard but is instead a truncated version of SHA-256. See “SHA-2” for more information.


SHA-256 is the 256-bit component of the “SHA-2” data integrity check standard (a.k.a. “hash”).  Like SHA-512, it is one of two unique algorithms that make up a SHA-2 hash, but SHA-256 is optimized for 32-bit calculations rather than 64-bit calculations. See “SHA-2” for more information.


SHA-3 refers to the new hash algorithm NIST will choose to someday replace SHA-2.   A contest to select the new hash is scheduled to conclude in 2012.


SHA-384 is the 384-bit component of the “SHA-2” data integrity check standard (a.k.a. “hash”).  It is not a unique hash algorithm within the SHA-2 standard but is instead a truncated version of SHA-512. See “SHA-2” for more information.


SHA-512 is the 512-bit component of the “SHA-2” data integrity check standard (a.k.a. “hash”).  Like SHA-256, it is one of two unique algorithms that make up a SHA-2 hash, but SHA-512 is optimized for 64-bit calculations rather than 32-bit calculations. See “SHA-2” for more information.

SSH File Transfer

SSH (Secure Shell) is a network protocol used to establish a secure connection between a client and server. Once a connection has been established, it acts like an encrypted tunnel down which data can be exchanged securely. SSH file transfer is used to maintain the confidentiality and integrity of data communications over insecure networks such[..]


SSL (“Secure Sockets Layer”) was the first widely-deployed technology used to secure TCP sockets.  Its use in HTTPS (HTTP over SSL) allowed the modern age of “ecommerce” to take off on the world wide web and it has also been incorporated into common file transfer protocols such as FTPS (FTP over SSL) and AS2. In[..]

Subject Access Requests (SARs)

Under GDPR, the data subject has the right to request all personal data a data controller has on them. This includes their supply chain.


TLS (“Transport Layer Security”) is the modern version of SSL and is used to secure TCP sockets.  TLS is specified in RFC 2246 (version 1.0), RFC 4346 (version 1.1) and RFC 5246 (version 1.2).  When people talk about connections “secured with SSL”, today TLS is the technology that’s really used instead of older editions of[..]

Triple DES

3DES (also “Triple DES”) is an open encryption standard that offers strong encryption at 112-bit and 168-bit strengths. 3DES is a symmetric encryption algorithm often used today to secure data in motion in both SSH and SSL/TLS.  (After asymmetric key exchange is used perform the handshake in a SSH or SSL/TLS sessions, data is actually[..]


Software, systems and processes that are “validated” against a standard are typically better than those merely in “compliance” with a standard.  Validation means that a third-party agency such as NIST or the PCI Council has reviewed and tested the claim of fidelity to a standard and found it to be true.  Validating agencies will usually[..]

X.509 Certificate

An X.509 certificate is a high-security credential used to encrypt, sign and authenticate transmissions, files and other data.  X.509 certificates secure SSL/TLS channels, authenticate SSL/TLS servers (and sometimes clients), encrypt/sign SMIME, AS1, AS2, AS3 and some “secure zip” payloads, and provide non-repudiation to the AS1, AS2 and AS3 protocols. The relative strength of various certificates[..]