Our application needs to handle a file with credit card information (assume credit card numbers) from an external system through an FTP interface. This is a flat file (text). We need to process the data based on some business rules and then forward it to another external system through an FTP interface. Also, our application needs to keep a copy of the inbound file and the outbound file.
So, in order to comply with PCI-DSS guidelines, is it enough to encrypt the file using GnuPG, or do we need to encrypt the data elements (like the CC number) individually and then encrypt the file?
Thanks and Regards, San
Unfortunately encrypting data does not remove it from PCI scope, and does relatively little to mitigate the PCI compliance requirements. If you're not the one processing the transactions -- that is, you're not the one with a merchant account -- then PCI compliance isn't your problem, but in that case, whichever of your business partners (the people you get the data from, or send it to?) is probably out of compliance because of you storing card numbers and thus falling within their scope.
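For readers weighing the second option raised in the question (encrypting the card number field itself, separately from whatever GnuPG does to the whole file), here is an added example of what field-level protection of a flat file looks like. It is not code from the question or the answer above. It assumes a constructed pipe-delimited layout (record id, cardholder, PAN, amount; the card numbers are made-up test values), a 32-byte key supplied by the caller, and AES-256-GCM with the record id bound as associated data so a ciphertext cannot be silently moved to another record. The GnuPG file-level step is outside this block. As the answer notes, none of this takes stored card data out of PCI scope on its own; it only limits what someone who obtains the retained copies can read.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample of the inbound flat file (not real data): one record per line,
// columns are record id | cardholder | PAN | amount.
const sampleInbound = `1001|A. Customer|4111111111111111|19.99
1002|B. Customer|5500000000000004|250.00
`

const (
	delimiter = "|"
	panColumn = 2 // zero-based index of the PAN field in each record
)

// encryptField is a hypothetical helper: AES-GCM over one field, with the record id as
// associated data. Output is base64(nonce || ciphertext || tag); base64 never emits "|",
// so the delimited layout stays intact.
func encryptField(key []byte, recordID, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// decryptField reverses encryptField; any change to the ciphertext, key or record id
// makes aead.Open fail, which is the property we want for the retained copies.
func decryptField(key []byte, recordID, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// transformFile applies fn to the PAN column of every record and leaves the other
// columns untouched, so business rules that only need non-PAN fields still work.
func transformFile(key []byte, in string, fn func([]byte, string, string) (string, error)) (string, error) {
	var out strings.Builder
	for _, line := range strings.Split(strings.TrimRight(in, "\n"), "\n") {
		fields := strings.Split(line, delimiter)
		if len(fields) <= panColumn {
			return "", fmt.Errorf("malformed record: %q", line)
		}
		replaced, err := fn(key, fields[0], fields[panColumn])
		if err != nil {
			return "", err
		}
		fields[panColumn] = replaced
		out.WriteString(strings.Join(fields, delimiter) + "\n")
	}
	return out.String(), nil
}

// ProtectFile encrypts only the PAN column; UnprotectFile restores the original file.
func ProtectFile(key []byte, in string) (string, error)   { return transformFile(key, in, encryptField) }
func UnprotectFile(key []byte, in string) (string, error) { return transformFile(key, in, decryptField) }

func main() {
	key := make([]byte, 32) // in practice this comes from a key manager, never from the file system next to the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	protected, err := ProtectFile(key, sampleInbound)
	if err != nil {
		panic(err)
	}
	fmt.Print(protected)
}
```

The file that comes out of ProtectFile is what would then be handed to GnuPG and kept as the retained copy; the other columns remain readable, so whoever reviews the archive sees the record ids and amounts but not the PANs.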