Encrypted upload of PosPay file

It is the picky auditor. In order for an attacker to get access to the file at that time, they have to have access to your network, which means they have access to pretty much everything else. So what's stopping them from just getting into your DB directly? Or Epicor? Encrypting the file on creation is just a minor inconvenience if the attacker already has your network...


Jose C Gomez
Software Engineer


T: 904.469.1524 mobile

Quis custodiet ipsos custodes?

On Mon, Mar 30, 2015 at 2:56 PM, psiebers@... [vantage] <vantage@yahoogroups.com> wrote:

I checked with the bank, and they are happy to oblige with SFTP. The only problem now is that the file is vulnerable right after it is generated, as it is a .txt file. Even though the folder it gets saved to has tight security permissions, it still does not pass muster. It might just be the picky auditor...


All,


Just wondering if someone has faced this requirement before and how to solve it:


We got dinged on a recent security audit for not transmitting our PosPay and ACH files encrypted to the bank. What the auditor wants to see is the .txt file being generated and encrypted, then transferred to the bank, who will then decrypt it and process it. I guess SFTP and some form of PGP is involved, but I have a hard time finding anything online that helps me get going...


TIA,


Paul

This can be done but only if the bank supports it


Also it seems kind of silly to encrypt the file. If you can get the bank to do SFTP or HTTPS for the upload, then there is no need to encrypt the file beforehand. The only time that file could be compromised would be during transfer, and SFTP or HTTPS would mitigate that.
I guess someone could breach your internal network and mess with the file, but if they are in your network no amount of encryption will matter; they'll have access to the keys too.
So I say check with the bank for sftp or https transfer of the file and that should put you in compliance

On Mar 30, 2015 12:07 PM, "Jose Gomez" <jose@...> wrote:

This can be done but only if the bank supports it

I checked with the bank, and they are happy to oblige with SFTP.  The only problem now is that the file is vulnerable right after it is generated, as it is a .txt file.  Even though the folder it gets saved to has tight security permissions, it still does not pass muster.  It might just be the picky auditor...
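The pipeline Paul describes in the original post (generate the .txt, encrypt it with PGP, send it over SFTP, bank decrypts) and the remaining concern in his last message (the cleartext file sitting on disk right after generation) can be handled together: stream the records straight into gpg so that only ciphertext ever touches the filesystem, then push the ciphertext over SFTP with strict host-key checking. The block below is an added example written for this page; it is not code from the thread, from Epicor/Vantage, or from any bank. It assumes gpg and OpenSSH sftp are on PATH, that the bank's OpenPGP public key has already been imported into the local keyring under the fingerprint in BANK_KEY_FPR, and that BANK_SFTP_HOST, BANK_SFTP_USER and the remote directory are placeholders. The fixed-width record layout is made up for illustration; every bank publishes its own Positive Pay spec, and the sample checks are constructed.

```python
"""Positive Pay export: encrypt-on-generation to the bank's OpenPGP key, then SFTP.

Added example, not from the original thread. Assumptions: gpg and sftp on PATH,
bank key imported under BANK_KEY_FPR, placeholder host/user/directory, and a
hypothetical fixed-width record layout (real banks publish their own spec).
"""
import os
import subprocess
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, ROUND_HALF_UP
from pathlib import Path
from typing import Iterable, List, Optional, Sequence

BANK_KEY_FPR = "0000000000000000000000000000000000000000"  # placeholder fingerprint (assumption)
BANK_SFTP_HOST = "sftp.example-bank.invalid"                # placeholder host (assumption)
BANK_SFTP_USER = "acme-pospay"                              # placeholder account (assumption)
BANK_REMOTE_DIR = "incoming"                                # placeholder drop folder (assumption)


@dataclass(frozen=True)
class Check:
    account: str
    check_no: int
    amount: Decimal
    issued: date
    payee: str


# Constructed sample data, not real checks.
SAMPLE_CHECKS = (
    Check("123456789", 1001, Decimal("1234.56"), date(2015, 3, 30), "ACME SUPPLY"),
    Check("123456789", 1002, Decimal("99.99"), date(2015, 3, 30), "JANE DOE CONSULTING LLC"),
)


def format_record(c: Check) -> str:
    """Hypothetical layout: account(10) check(10) cents(12) YYYYMMDD(8) payee(40) = 80 chars."""
    cents = int((c.amount * 100).quantize(Decimal("1"), rounding=ROUND_HALF_UP))
    return (f"{c.account:>10}{c.check_no:010d}{cents:012d}"
            f"{c.issued:%Y%m%d}{c.payee[:40]:<40}")


def pospay_lines(checks: Iterable[Check]) -> Iterable[str]:
    """Yield one CRLF-terminated record per check; nothing is buffered to disk."""
    for c in checks:
        yield format_record(c) + "\r\n"


def gpg_encrypt_cmd(recipient_fpr: str) -> List[str]:
    """gpg reads plaintext on stdin and writes ciphertext to stdout (no --output)."""
    return ["gpg", "--batch", "--yes", "--encrypt", "--recipient", recipient_fpr]


def write_encrypted(checks: Iterable[Check], out_path: Path,
                    encrypt_cmd: Optional[Sequence[str]] = None) -> Path:
    """Stream records into the encryptor's stdin; only ciphertext is written.

    The output is created with O_EXCL (no clobbering a file an attacker planted)
    and mode 0600. encrypt_cmd is overridable so the plumbing can be tested
    without a keyring; the default is gpg to the bank's key.
    """
    out_path = Path(out_path)
    cmd = list(encrypt_cmd) if encrypt_cmd else gpg_encrypt_cmd(BANK_KEY_FPR)
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=out)
        assert proc.stdin is not None
        for line in pospay_lines(checks):
            proc.stdin.write(line.encode("ascii"))
        proc.stdin.close()
        if proc.wait() != 0:
            raise RuntimeError(f"encryptor failed with exit status {proc.returncode}")
    return out_path


def sftp_command(local: Path, known_hosts: Optional[Path] = None) -> List[str]:
    """argv for a non-interactive upload; host key must already be pinned in known_hosts."""
    cmd = ["sftp", "-b", "-", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=yes"]
    if known_hosts is not None:
        cmd += ["-o", f"UserKnownHostsFile={known_hosts}"]
    cmd.append(f"{BANK_SFTP_USER}@{BANK_SFTP_HOST}")
    return cmd


def sftp_upload(local: Path, known_hosts: Optional[Path] = None) -> None:
    """Upload the ciphertext with sftp reading its batch script from stdin (-b -)."""
    batch = f"put {local} {BANK_REMOTE_DIR}/{local.name}\nquit\n"
    subprocess.run(sftp_command(local, known_hosts), input=batch.encode(), check=True)


if __name__ == "__main__":
    encrypted = write_encrypted(SAMPLE_CHECKS, Path("pospay_20150330.txt.gpg"))
    sftp_upload(encrypted, known_hosts=Path("bank_known_hosts"))
```

Two independent controls are in play: encrypting to the bank's public key at generation time closes the at-rest window (there is no .txt to protect, only ciphertext nobody on your side can open), and SFTP with a pinned host key covers the hop to the bank. Verify the bank can actually decrypt a test file before cutting over, and keep the known_hosts entry for the bank's server under change control so a key change is noticed rather than silently accepted.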