SolarWinds^® Serv-U^® Managed File Transfer (MFT) Server meets the inbound/outbound traffic and data at rest requirements in the Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2 through the use of an architecture that uses Serv-U Gateway as a reverse proxy. It also meets other PCI DSS 3.2 requirements as detailed below.

• Serv-U Gateway is the Serv-U reverse proxy.
• Both Serv-U and Serv-U Gateway can be clustered for HA.

This guide will help you deploy Serv-U MFT Server, so you can better handle cardholder data or use the software within the Cardholder Data Environment (CDE). Many PCI DSS items are related to your internal policy and procedures (and have thus been omitted here), but others are applicable to software, such as Serv-U MFT Server.

This requirement is designed to limit network risk. Your Serv-U MFT Server implementation helps by restricting protocols.

1.1 - Plan and document the firewall and router configuration.

As Serv-U MFT Server will be transporting cardholder data, it’s considered part of the CDE’s security architecture. You should document your configuration settings for Serv-U MFT Server itself as part of this requirement. Additionally, you must update both the internet request connecting firewall and the demilitarized zone (DMZ) to the internal network firewall to allow the protocols for Serv-U MFT Server use.

Consult the Serv-U MFT Server firewall/router configuration guide for our current recommendations.

1.1.2 - Update your network diagram to include the ports into and out of Serv-U MFT Server.

1.1.3 - Update your current data flow diagram that shows all cardholder data flows across systems and networks. If Serv-U MFT Server moves cardholder data, you should update this diagram.

1.2 - Restrict connections between untrusted networks.

Use Serv-U Gateway to terminate inbound connections in the DMZ. Block connections from the Serv-U Gateway to the internal network. All data moved to the internal network should be initiated from trusted Serv-U MFT Server clients on the internal network.

1.3 - Prohibit direct access from the internet.

For transferring cardholder data, deploy the Serv-U Gateway in the DMZ to eliminate direct access between the internet and CDE system components.

1.3.4 - Do not allow unauthorized outbound traffic from the CDE to the internet.

By configuring the Serv-U MFT Server to route all cardholder data transfers via the Serv-U Gateway in the DMZ, you simplify the network topology and limit the pathways for cardholder data. This reduces the risk of unauthorized outbound traffic.

Default passwords are a commonly exploited vulnerability, which is why they have their own requirement.

2.1 - Change vendor defaults.

A standard best practice is to change default administrative passwords to lock down the administrative ports. Serv-U MFT Server offers additional protections, such as configurable limits on client connections to mitigate the risk of client password brute forcing.

2.2.1 - Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server.

2.2 - Develop configuration standards for all system components. Ensure these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

Serv-U MFT Server software’s architecture limits the exposed network interfaces and shrinks the available attack surface. Additionally, the Serv-U Gateway allows you to omit the server name and version passed through in SSH configurations. This reduces the risk of leaking identification information through probing tools.

2.3 - Encrypt all remote administrative access.

Serv-U MFT Server uses HTTPS, which is designed to help secure its remote administrative access. Deprecated SSL protocols are not recommended for use on Serv-U MFT Server. See the PCI DSS 3.2 encryption guidance in the following SolarWinds article on THWACK^®: Using Managed File Transfer With PCI Cardholder Data.

Because cybercriminals have evolved their techniques, defensive requirements have to adapt as well. Serv-U MFT Server can assist by helping ensure data isn’t stored in vulnerable locations.

3.1 - Enforce data retention and disposal.

Serv-U MFT Server offers robust policy-driven data retention and automatic deletion options. Policies can be set based on file size, time, and type. Additional controls include event-triggered deletion, which automatically deletes files upon download.

3.2 - Do not store sensitive authentication data after authorization (even if encrypted).

The Serv-U Gateway can be configured to prevent any cardholder data from being stored in the DMZ.

3.5 - Protect cryptographic keys

All Serv-U MFT Server encryption keys are stored in encrypted format (discussed further below).

This requirement focuses on helping to assure data is not transmitted in plain text form. Serv-U MFT Server supports a variety of encryption options.

4.1 - Use strong cryptography and security protocols to safeguard sensitive data during transmission.

Serv-U MFT Server is designed to support several secure transmission protocols, including FTPS, SFTP and HTTPS. Serv-U MFT Server offers FIPS 140-2 validated cryptography and supports NIST 800-52 recommended TLS configurations. For an extensive review of cryptography selection for PCI 3.2, see the Using Managed File Transfer with PCI Cardholder Data THWACK post

4.2 - Never send sensitive data using end-user messaging technologies.

When using Serv-U MFT Server for your PCI cardholder data transfer needs, no cardholder data is transferred from the CDE to business partners or for further processing using end-user messaging. Messaging protocols such as email are configurable and only used for alerts or activity messaging, never for data transfer.

5.1 - Deploy antivirus software.

Serv-U MFT Server works with major antivirus software packages to process transferred data files. You can configure the antivirus processing to launch and scan before, during, or just after data transmission.

This requirement focuses on assurance for systems and applications. Many data breaches occur because of unpatched systems.

6.2 - Help ensure system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.

Our security vulnerability remediation strategy prioritizes developing patches or workarounds for identified vulnerabilities. We also update our knowledge base with information about major vulnerabilities relevant to our Serv-U MFT Server functions, even if Serv-U MFT Server is not vulnerable.

This requirement focuses on authorization. Serv-U MFT Server offers a variety of authorization options.

7.1 - Limit access to system components and cardholder data to only those individuals whose job requires access.

7.1.1 - Define access requirements for each role.

Serv-U MFT Server integrates with your Active Directory, domain, and other authentication infrastructure to help ensure provisioning and deprovisioning activities apply immediately to Serv-U MFT Server authentication and authorization processes.

Additionally, Serv-U MFT Server provides a hierarchical membership model with complete flexibility to create authorization roles necessary to support the proper handling of cardholder data.

7.2 - Establish an access control system(s) for system components that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed.

7.2.2 - Assign privileges to individuals based on job classification and function.

Serv-U MFT Server provides an access control system with separate read, write, list, and delete rights, plus extra quota, bandwidth, and alerts for all, groups of users, or specific users. These fine-grained access rights are inheritable from group templates, helping ensure users receive only the rights and privileges they need to complete their assigned responsibilities.

7.2.3 - Default “deny-all” setting.

The default privilege level can be set to limited or no access by using inheritable templates.

Authentication precedes authorization, and Serv-U MFT Server offers a number of authentication integrations and options.

8.1.1 - Assign unique IDs.

Serv-U MFT Server can support integration directly to your Active Directory or LDAP identity provisioning system. This helps guarantee IDs are individual and deprovisioned automatically, limiting the risk of an unauthorized user retaining access.

8.2 - Use passwords or strong authentication.

Serv-U MFT Server supports both single-factor and multifactor authentication using passwords and client keys.

8.3 - Use two-factor authentication for remote access.

Serv-U MFT Server supports two-factor authentication using passwords and a client key. Client keys can be generated using a built-in Serv-U MFT Server key generator, or imported from third-party solutions.

8.4 - Managing authentication.

Serv-U MFT Server uses protocols like FTPS, SFTP, and HTTPS.

Serv-U MFT Server is designed to store passwords as transformed by secure hashing techniques to help ensure plaintext passwords aren’t stored on Serv-U MFT Server. User passwords are encrypted in transit to help ensure they cannot be snooped as part of connecting to Serv-U MFT Server.

8.5 - Enforce proper user management and use automation when available.

Serv-U MFT Server includes several identity and access management features, including enforced password strength, password reuse, and password resets. In addition, Serv-U MFT Server can automatically age, send notifications about, and shut down old user accounts. Serv-U MFT Server encourages the customization of login banners to communicate authentication procedures and policies. Serv-U permits customization of banners to communicate authentication procedures and policies. Serv-U MFT Server can be configured to automatically lock out clients after too many login attempts.

This requirement is relevant for physical access restrictions, such as for data centers, and not applicable to Serv-U installation since it does not provide a physical environment.

This requirement focuses on assurance through monitoring. By generating sufficient log data, accidental and intentional misuse can be quickly identified.

10.1 - Implement audit trails to link all access to system components to each individual user.

Serv-U MFT Server logs are extensive and can be configured to generate log entries for all activities. These logs can be integrated into a SIEM solution, such as SolarWinds Security Event Manager (SEM). SolarWinds Security Event Manager is designed to take further actions on log activity that could be a sign of security vulnerability or a compliance violation, which produces detailed reports to demonstrate continuous compliance for auditors.

10.3 - Help ensure user ID, event type, time stamp, success/failure, origination, and target ID appear in log entries.

Each of these elements—user ID, event type, time stamp, success/failure, origination, and target ID—is included in log entries generated by Serv-U MFT Server.

10.4 - Synchronize clocks on multiple systems.

Serv-U MFT Server supports time synchronization performed through local Windows and Linux operating systems.

10.7 - Retain logs for a certain amount of time.

Serv-U MFT Server includes automatic log rotation and retention settings for each domain. The administrator can configure these settings to help the administration establish this aspect of PCI compliance.

This requirement supports the integrity of the CDE though automated and process-based testing. Serv-U MFT Server supports this by providing verifiable executables as part of the Serv-U MFT Server deployment. Serv-U MFT Server installation files and executables are signed with an X.509 certificate to help detect unauthorized modifications or deployment of compromised software.

Serv-U MFT Server software uses additional internal integrity checks to help ensure files it depends on are valid.

Serv-U MFT Server uses FIPS 140-2 cryptography, which means an internal “self test” is performed during the initialization of cryptography components to detect and prevent tampering.

Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers

A.1 - Protect each entity’s hosted environment and data.

Serv-U MFT Server supports and is frequently deployed as a multi-homed system, where separate groups of administrators control their own domains (users, folders, permissions, etc.), and each domain is a separate logical unit.

Serv-U MFT Server also supports virtualization technology such as VMware where operating system units are used to separate different business units, partners, or customers.