THE INFORMATION IN THIS ARTICLE APPLIES TO:
- EFT Server, version 6.x and later
Can EFT make my organization compliant?
GlobalSCAPE’s products can facilitate compliance with several industry and government requirements, but Globalscape’s products themselves do not "make" an organization compliant. For example, EFT provides features that warn you when a setting does not meet certain PCI DSS requirements, which you can then choose to address or not.
How can I validate whether my organization is PCI DSS compliant?
Validation requirements for PCI DSS compliance depend on the merchant or organization’s tier. Some tiers require only that the organization complete a self-assessment questionnaire. Organizations that process many transactions will typically pay a Qualified Security Assessor (QSA) to evaluate whether the organization complies with all requirements for systems in PCI DSS scope as part of a mandatory quarterly scan. To further complicate matters there is no black-and-white standard by which a QSA will assess an organization; it’s up to the QSA to interpret the PCI DSS requirements the way they understand them. This can result in situations where two different QSAs will come up with different assessments even for the same organization! Interestingly, the final authority on compliance is still the payment card vendors (Visa, MC, Amex, etc.) who reserve the right to overrule a QSA’s assessment. The self-assessment questionnaire (in the PCI DSS Quick Reference Guide) is a good start to determine how far out of compliance you might be and what it will take to get you into compliance.
Refer to https://kb.globalscape.com/KnowledgebaseArticle11478.aspx for details of how EFT addresses each PCI DSS requirement.
For more information about the PCI DSS, refer to the PCI SSC Data Security Standards Overview.