
FTP Server PCI Compliance

Created by Dhalia Turiaga, last modified by MindTouch on Jun 23, 2016

This article provides information about deploying Serv-U for a PCI audit. Many PCI DSS items relate to your policies and procedures (and have thus been omitted here), but many are applicable to software such as Serv-U.

Applies to all versions of Serv-U on the following supported operating systems:
    • Windows Vista/7/8, Server 2008/2012
    • Windows 2000/XP, Server 2000/2003
    • Linux


Serv-U PCI DSS 2.0 Guide

Req #1: Install and maintain a firewall configuration to protect cardholder data

1.1 - Plan and document the firewall and router configuration

1.2 - Restrict connections between untrusted networks

  • Use Serv-U Gateway to terminate inbound connections in the DMZ and avoid any inbound connections to the internal network.

1.3 - Prohibit direct access from the Internet

  • Use Serv-U Gateway to avoid direct access between the Internet and system components in the internal cardholder network, and to avoid exposure of internal IP addresses.

Req #2: Do not use vendor-supplied defaults for system passwords and other security parameters

2.1 - Change vendor defaults

  • Serv-U only uses vendor defaults during unattended installations, and these can be changed after installation.

2.2 - Apply hardening to system components, isolate/minimize functionality

  • Serv-U supports systems hardened to specifications from CIS, ISO, SANS and NIST.
  • Serv-U’s tiered architecture isolates interface (e.g., FTPS or HTTPS), application and data layers using Serv-U Gateway, Serv-U and a back-end database or Active Directory.
  • Though it provides web services, Serv-U does not use IIS, Apache, Tomcat or any other general-purpose application server.

2.3 - Encrypt all remote administrative access

  • Serv-U uses HTTPS secured by 128- to 256-bit SSL/TLS to secure its administrative interface.

Req #3: Protect stored cardholder data

3.1 - Enforce data retention and disposal

  • Use Serv-U event-driven automation to delete files as soon as they are downloaded.
  • Use Serv-U’s FTP Voyager JV to manually locate data that exceeds requirements defined in your data retention policy.

3.2 - Avoid storing sensitive information

3.5 - Protect cryptographic keys

  • Serv-U keys are stored in encrypted format.

3.6 - Implement good key management procedures

  • Serv-U permits the creation of 2048 and 4096 bit keys.

Req #4: Encrypt transmission of cardholder data across open, public networks

4.1 - Use strong cryptography and security protocols to safeguard sensitive data during transmission

  • Serv-U supports several secure protocols including FTPS, SFTP and HTTPS.
  • Serv-U uses FIPS 140-2 validated cryptography to ensure fidelity.

4.2 - Never send sensitive data by end-user messaging technologies

  • Serv-U uses email but only for “file arrived” and similar notifications (and not data transmission).

Req #5: Use and regularly update anti-virus software and programs

5.1 - Deploy antivirus software

  • Serv-U works with all major antivirus software packages to catch files before, during or just after transmission.

Req #6: Develop and maintain secure systems and applications

6.1 - Stay up to date on your patches

  • Serv-U’s standard updates and support contract, included for one or two years with all new purchases, provides unlimited access to Serv-U patches. See our Recent Features page for our release policy and recent velocity.
  • RhinoSoft is committed to isolating and releasing a supported patch to any confirmed Serv-U security vulnerability in real time. (Serv-U security patches take top development priority.)

6.3 - Develop software in accordance to PCI DSS and industry best practices

  • RhinoSoft staff hold CISSP, CCSK and GSNA certification.
  • Serv-U is developed with PCI DSS and industry best practices in mind.

6.4 - Use separate test and production elements and promote through change control

  • Serv-U permits the import/export of configuration elements such as users between test and production environments.

6.5 - Develop based on secure coding guidelines, test against common vulnerabilities

  • RhinoSoft staff hold CISSP, CCSK and GSNA certification.
  • Serv-U architecture was completely redesigned in 2008 with secure coding in mind.
  • Serv-U code is developed to prevent, and tested against, common vulnerabilities.

Req #7: Restrict access to cardholder data by business need to know

7.1 - Limit access to specific individuals through automation

  • Serv-U integrates with your Active Directory domain and other authentication infrastructure to ensure that provisioning and deprovisioning activities apply immediately to Serv-U as well.

7.2 - Use fine grained access control and “deny all”

  • Serv-U provides a fine-grained access control system with separate read, write, list and delete rights, plus quota, bandwidth and alert settings that can be applied to all users, to groups of users or to specific users.

Req #8: Assign a unique ID to each person with computer access

8.1 - Assign unique IDs

  • Serv-U can support anonymous (shared user) access, but it is disabled by default.

8.2 - Use passwords or strong authentication

  • Serv-U supports both single-factor and multi-factor authentication using passwords and client keys.

8.3 - Use two-factor authentication for remote access

  • Serv-U supports two-factor authentication using passwords plus a client key.

8.4 - Send and store passwords securely

  • Serv-U uses secure protocols like FTPS, SFTP and HTTPS to securely exchange credentials.
  • Serv-U stores keyed password hashes, not passwords, to prevent cleartext storage.

8.5 - Enforce proper user management and use automation when available

  • Serv-U enforces password strength, retention and resets.
  • Serv-U can automatically age, send notifications about and shut down old user accounts.
  • Serv-U permits customization of banners to communicate authentication procedures and policies.
  • Serv-U automatically locks out nuisance clients after too many attempts.

Req #9: Restrict physical access to cardholder data

(not applicable)

Req #10: Track and monitor all access to network resources and cardholder data

10.2 - Implement automated audit trails

  • Serv-U logs are extensive and every activity generates an entry.

10.3 - Ensure user ID, event type, timestamp, success/failure, origination and target ID appear in log entries.

  • These elements appear in Serv-U log entries.
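An auditor will want to verify the 10.3 claim against exported logs rather than take it on trust. The following is an added example (not Serv-U code and not Serv-U's native log layout) that checks each entry for the six required elements; the sample lines are constructed in a simple key=value form, so adapt parse_entry() to the format you actually export.

```python
"""PCI DSS 10.3 audit check: every log entry must carry user ID, event type,
timestamp, success/failure, origination (source) and target (affected resource).
The sample log below is constructed for illustration; it is not Serv-U's format."""
import re
from datetime import datetime

# Field names are assumptions for this example; map them to your exported columns.
REQUIRED = ("user", "event", "time", "result", "source", "target")

SAMPLE_LOG = """\
time=2016-06-23T10:15:01Z user=alice event=LOGIN result=OK source=203.0.113.7 target=ftp.example.test
time=2016-06-23T10:15:09Z user=alice event=DOWNLOAD result=OK source=203.0.113.7 target=/cards/batch1.csv
time=2016-06-23T10:16:30Z user=bob event=LOGIN result=FAIL source=198.51.100.9
time=2016-06-23T10:17:02Z user=bob event=DELETE result=OK source=198.51.100.9 target=/cards/batch1.csv
"""


def parse_entry(line):
    """Turn one key=value log line into a dict (constructed format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def missing_fields(entry):
    """Return the names of required elements absent from one parsed entry."""
    missing = [f for f in REQUIRED if f not in entry]
    # A timestamp that does not parse is as useless to an auditor as a missing one.
    if "time" in entry:
        try:
            datetime.strptime(entry["time"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            missing.append("time(unparseable)")
    return missing


def audit(log_text):
    """Return (line_number, missing_fields) for every non-compliant entry."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        gaps = missing_fields(parse_entry(line))
        if gaps:
            findings.append((n, gaps))
    return findings


if __name__ == "__main__":
    for lineno, gaps in audit(SAMPLE_LOG):
        print(f"line {lineno}: missing {', '.join(gaps)}")
```

Run against the constructed sample, the failed login on line 3 is flagged because it records no target system; a clean export should produce no findings at all.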

10.4 - Synchronize clocks on multiple systems

  • Serv-U supports time synchronization performed by local Windows and Linux operating systems.

10.7 - Retain logs for a certain amount of time

  • Serv-U includes automatic log rotation and retention settings for each domain.

Req #11: Regularly test security systems and processes

11.5 - Use file integrity utilities

  • Serv-U installation files and executables are signed with an X.509 certificate to help detect unauthorized modifications or deployment of compromised software. See our Unauthorized Use page for more information.
  • Serv-U software uses additional internal integrity checks to ensure that files it depends on are valid.
  • Serv-U uses FIPS 140-2 cryptography, which, in part, means that an internal “self test” is performed during initialization of cryptography components to detect and prevent tampering.

Req #12: Maintain a policy that addresses information security for all personnel.

(not applicable)

Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers

A.1 - Protect each entity’s hosted environment and data

  • Serv-U supports and is frequently deployed as a multi-homed system, where separate groups of administrators control their own domains (users, folders, permissions, etc.), and each domain is a separate logical unit.
  • Serv-U also supports virtualization technology such as VMware where operating system units are used to separate different business units, partners or customers.
