
Our application needs to handle a file with credit card information (assume credit card numbers) from an external system through an FTP interface. This is a flat file (text). We need to process the data based on some business rules and then forward it to another external system through an FTP interface. Also, our application needs to keep a copy of the inbound file and the outbound file.

So, in order to comply with PCI-DSS guidelines, is it enough to encrypt the file using GnuPG, or do we need to encrypt the data elements (like the CC number) individually and then encrypt the file?

Thanks and Regards, San

kallada
  • I think this may be off-topic because it is about legal matters and not software development at all. – Jens Erat Jan 18 '15 at 11:24
  • In terms of PCI-DSS there is no requirement to encrypt the elements individually. You cannot use FTP; use SFTP/FTPS at the very least. You are entering the realm of card storage and this question relates to about 0.5% of what you will need to do to be compliant; key management with your 3rd party alone will be burdensome to get right. – Alex K. Jan 18 '15 at 17:22
  • Thanks a lot, Alex. As far as I understood, GnuPG is not compliant with PCI DSS since split key management is an issue. Is my understanding correct? – kallada Jan 19 '15 at 01:58
  • Or will gpgsplit do the magic for me? – kallada Jan 19 '15 at 02:43

1 Answer

Unfortunately encrypting data does not remove it from PCI scope, and does relatively little to mitigate the PCI compliance requirements. If you're not the one processing the transactions -- that is, you're not the one with a merchant account -- then PCI compliance isn't your problem, but in that case, whichever of your business partners (the people you get the data from, or send it to?) is probably out of compliance because of you storing card numbers and thus falling within their scope.