Ryan,

Thanks for your input. I have been gently pushing those who make the decisions here towards sftp for some time now; however, ultimately that is one decision that is out of my hands. According to the inspector that is doing our PCI inspection, the only requirement we haven't met as regards our FTP server is the one for locking out an account that has failed 3 times in a row. Personally I think that this requirement is rather dumb and adds little to security, but we have to do what the inspector wants if we want certification. I have told my supervisor of your thoughts as to encrypted passwords (or the lack thereof in FTP), so we'll see if that helps.
Thanks again,
stuart

>You mean besides the fact that you're running FTP at all, right?
>- PCI requires that all passwords are encrypted in transmission, and FTP
> doesn't do this.
>- Depending on how you interpret the wording, PCI either prohibits or
> strongly discourages the use of FTP from 'untrusted' networks/hosts
>
>Consider replacing your FTP solution with scp/sftp.
>
>-Ryan
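As an added example (not code from either poster, and not tied to any particular FTP daemon), here is the "lock after N failures in a row" rule the inspector asked for, implemented as a small tracker run over authentication events. The log format (`<time> <user> <OK|FAIL>`), the sample lines and the threshold of 3 are all constructed for the example. It shows the two details that are easy to get wrong: a successful login resets the streak (so the failures must really be consecutive), and once an account is locked a later correct password must not silently clear the lock; only an explicit unlock does.

```python
"""Consecutive-failed-login lockout tracker for an FTP (or any) login service.

Reads authentication events in a constructed "<time> <user> <OK|FAIL>" form,
counts consecutive failures per account and locks an account once the
streak reaches the threshold. Example code, not from the original thread.
"""
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3  # "failed 3 times in a row" (threshold is an assumption)

# Constructed sample auth events; not the log format of any real FTP daemon.
SAMPLE_LOG = """\
2024-01-01T10:00:01 alice FAIL
2024-01-01T10:00:05 alice FAIL
2024-01-01T10:00:09 alice OK
2024-01-01T10:00:12 alice FAIL
2024-01-01T10:01:00 bob FAIL
2024-01-01T10:01:04 bob FAIL
2024-01-01T10:01:08 bob FAIL
2024-01-01T10:01:20 bob OK
2024-01-01T10:02:00 carol FAIL
2024-01-01T10:02:03 carol FAIL
2024-01-01T10:02:06 carol FAIL
2024-01-01T10:02:09 carol FAIL
"""


@dataclass
class LockoutTracker:
    threshold: int = LOCKOUT_THRESHOLD
    streak: dict = field(default_factory=dict)  # user -> consecutive failures
    locked: set = field(default_factory=set)    # accounts currently locked

    def record(self, user: str, ok: bool) -> bool:
        """Process one auth event; return True if the account is (now) locked.

        A locked account stays locked even if a later attempt carried the
        right password: only unlock() clears it. A success on an unlocked
        account resets its failure streak, so only failures in a row count.
        """
        if user in self.locked:
            return True
        if ok:
            self.streak[user] = 0
            return False
        self.streak[user] = self.streak.get(user, 0) + 1
        if self.streak[user] >= self.threshold:
            self.locked.add(user)
            return True
        return False

    def unlock(self, user: str) -> None:
        """Administrative unlock: clear the lock and the failure streak."""
        self.locked.discard(user)
        self.streak[user] = 0


def parse_line(line: str):
    """Split one constructed log line into (timestamp, user, success_flag)."""
    parts = line.split()
    if len(parts) != 3 or parts[2] not in ("OK", "FAIL"):
        raise ValueError(f"malformed auth event: {line!r}")
    ts, user, result = parts
    return ts, user, result == "OK"


def process_log(text: str, threshold: int = LOCKOUT_THRESHOLD) -> LockoutTracker:
    """Replay every event in `text` through a tracker and return it."""
    tracker = LockoutTracker(threshold=threshold)
    for line in text.splitlines():
        if not line.strip():
            continue  # ignore blank lines
        _ts, user, ok = parse_line(line)
        tracker.record(user, ok)
    return tracker


if __name__ == "__main__":
    t = process_log(SAMPLE_LOG)
    print("locked:", sorted(t.locked))          # alice is not locked: her streak was reset
    print("streaks:", dict(sorted(t.streak.items())))
```

In a real deployment this would be fed the daemon's own auth log (whose format differs from the constructed one) and the lock would have to be enforced by the server or its authentication backend, not merely reported; a tracker that only prints a list does nothing to stop the fourth attempt.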