Take a Proactive Approach to New PCI Standards

For some organizations, the 36 month lifecycle of new Payment Card Industry Data Security Standards (PCI DSS) can be a grueling schedule to tackle. With the release of PCI DSS 3.2 just around the corner, many organizations are trying to estimate the effort required to remain compliant. Wouldn't it be nice if there was a way to predict what was on the minds of the folks on the PCI Security Standard Council before the new standards were released? Well, there just might be a way.

In June, 2015, the Council published a document called The PCI DSS DESV (Designated Entities Supplemental Validation). Inside that document are "extra requirements" which apply to entities requiring "additional validation". These could be organizations that deal with Payment Card Data in large volume, serve as an aggregation point for cardholder data, or suffered significant or repeated breaches.

As folks in the world of security know, defense in depth is a rule we all live by. Extraordinary soon becomes ordinary. Exceptional soon becomes standard. Supplemental soon becomes required.

pci compliant future versionsThrough the DESV, it's possible to glimpse the future of PCI DSS.  By implementing these controls and processes, your organization gains even more protection than what is currently and commonly required. By doing so, you can prepare - to some extent - for the surprises lurking down the road. At the very least, your processes will be better defined and your controls will be more secure. Implementing best practices early could give you the competitive edge you need to respond quickly when those practices become required.

This idea is based on more than just speculation. In a Council blog, "Preparing for PCI DSS 3.2: What to Expect in 2016", posted on February 17, 2016, chief technology officer Troy Leach eluded to some updates in the standard they were considering, which included the following:

  • Multi-factor authentication for administrators
  • Incorporating some of the DESV criteria for service providers
  • Clarifying masking criteria for primary account numbers when displayed
  • Updating migration dates for SSL/early TLS that were published in December 2015

As a developer of enterprise managed file transfer and encryption solutions, Linoma Software remains vigilant in keeping up with the latest PCI DSS standards so we can help organizations to protect their most sensitive data assets and meet compliance requirements.

SHA-2 and TLS Security for AS2 Transfers

2016 is a pivotal year for organizations to upgrade the security used to protect their AS2 data transfers. In order to be compliant with the latest security standards, you need to be using a modern AS2 solution.

The End of SHA-1

SHA-1 (Secure Hash Algorithm) is a cryptographic hash algorithm created by the NSA and published in 1995. SHA-1 takes a message of any length and produces a 160-bit message digest. The message digest verifies the integrity of the message by comparing the hash that was calculated before and after message transmission. For example, the hash of a transmitted file is compared against the hash of the file before it was sent. If the hash values are the same, the file was not tampered with. If the hash values are different, the file was altered during transmission. In 2005, attacks have demonstrated the security in SHA-1 is weaker than intended, and a more secure SHA-2 standard was created. SHA-2 is actually a family of hash functions with hash values of 224, 256, 384, or 512 bits. Due to the stronger hash algorithms in SHA-2, Federal agencies have been directed to stop using SHA-1 and must use SHA-2. 2016 is the year software vendors are completing their migration to SHA-2. Google Chrome has begun displaying warning messages for SHA-1 certificates with expiration dates past January 1, 2016, and Microsoft instructed Certificate Authorities to stop issuing SHA-1 certificates earlier this year. Major organizations, like UPS, are requiring their AS2 trading partners to use SHA-2.


Transport Layer Security is a protocol that encrypts communications between client applications and servers. TLS is the successor to the Secure Sockets Layer (SSL) protocol version 3.0, and uses more advanced methods for message authentication, better alerting for problem certificates, and more robust cipher suites. After the POODLE vulnerability was discovered in late 2014, companies that are still using SSL instead of TLS are leaving themselves open to man-in-the-middle exploits. Google and Mozilla have already phased out the support of SSL 3.0 in Chrome and Firefox, and trading partners are demanding companies support TLS for AS2 transfers.

SHA-2 and TLS migration

GoAnywhere MFT fully supports SHA-2 and TLS for AS2 transfers. GoAnywhere is certified by the Drummond Group to validate our AS2 solution follows the RFC 4130 standard and is interoperable with other certified products. Using a Drummond Certified solution, and requiring your trading partners do as well, alleviates the challenges of AS2 and ensures your transfers fully meet the latest security standards. For more information on AS2 support in GoAnywhere MFT, visit the pages on our AS2 Client and AS2 Server.

Free FTP Server and Client Helps Businesses Improve Security and Audit File Transfers

GoAnywhere MFT's integrated FTP Server and Client for automating and auditing file transfers is now available as a Free Edition of the enterprise-class Managed File Transfer solution. 

GoAnywhere Managed File Transfer Free FTPThis free FTP software can be installed on a variety of platforms including Windows, Linux, Mac OS, UNIX and IBM i, providing flexibility to organizations of all sizes.  GoAnywhere MFT improves FTP security with features like AD authentication, granular folder permissions, password policies to comply with PCI DSS, brute force and DoS attack monitors, and IP blacklists/whitelists.

"Legacy FTP servers are lacking the security controls, user management and detailed audit logs needed to comply with regulations like PCI DSS and HIPAA" says Bob Luebbe, Chief Architect at Linoma Software.  "With the free edition, any organization can now take advantage of the comprehensive FTP features in GoAnywhere MFT."

Using the free FTP client from GoAnywhere, organizations can add automation to their file transfers.  The ability to schedule transfers and scan for new or modified files on local or remote systems reduces manual processes and the risk of human error.  This saves time and money while improving productivity through reliable data delivery.

The GoAnywhere FTP server makes it possible to set access controls and generate detailed audit logs on all file transfer activity.  This offers a layer of regulatory and policy compliance to organizations currently using FTP to exchange files with trading partners.

GoAnywhere MFT is an on-premise solution that provides centralized control over data access. There are no upfront costs or renewal fees for this fully scalable FTP solution. GoAnywhere MFT can be easily upgraded to meet the changing needs of any business through the purchase of secure file transfer protocols, integrated Open PGP encryption, advanced workflows and in-depth reporting.

This free software installs in minutes and is available for download from the GoAnywhere website at https://www.goanywhere.com/free-ftp.

5 Signs Your Organization is Ready for MFT

Managed File Transfer Levels the Playing Field for SMB

Low-cost file transfer tools allow mid-market businesses to make simple data exchanges both internally and externally.  As your company grows, however, trading partners demand enterprise-level systems to improve reliability and data security. 

cityscape - mft readyManaged File Transfer (MFT) emerged to reduce the cost and programming skills required for you to meet customer requirements and stay competitive in the marketplace. According to an Info-Tech Research Group report on selecting and implementing an MFT solution, there are five signs that indicate your organization could benefit from this technology.

  1. A need for transparency and traceability in file exchange activities
  2. New business relationships mandate adherence to compliance laws and privacy regulations
  3. Traditional methods of sending data, such as FTP, aren't secure
  4. Processes need to be more agile and adapt to changing network conditions
  5. The inability to comply with government reporting requirements

MFT provides comprehensive audit trails and monitoring to document all file transfer activity. Reports generated from this data show every interaction with the files on your server in great detail and allow you to better serve customers by responding quickly when problems do arise.

When security and reporting tools are needed to meet strict regulatory compliance standards of even highly-regulated industries, MFT delivers.  These include the data protection and integrity requirements found in PCI DSS, GLBA, SOX, Dodd-Frank and state privacy laws.

In light of recent high profile data breaches, many organizations have chosen to reduce their risk by seeking alternatives to unsecure FTP.  MFT gives you the flexibility to connect with trading partners using secure protocols and popular encryption methods like SFTP, FTPS, HTTPS, AS2, Open PGP and ZIP with AES.

In addition, automation and simplified workflows offered in many MFT solutions streamline the process of adding and onboarding trading partners. Companies can reduce or eliminate time spent on manual file exchanges and interrupted file transfers, thus reducing administrative costs and assuring the timely delivery of mission-critical data.

To explore MFT further, download this useful checklist to help in your evaluation of vendors and find the best solution for your organization.

Managed File Transfer 101: What's in it for Me?

managed file transfer 101 - fileTransferGroupThe term MFT (Managed File Transfer) is not new but you may be hearing it more frequently.  Changes in data security and transmission regulations have brought this established technology to the forefront, but what exactly does it entail? Linoma Software recently hosted "Managed File Transfer 101", a webinar to present the essentials of MFT and what you should look for when researching an MFT solution for your organization.

Current State of File Transfer

In the presentation, Bob Luebbe, chief architect of Linoma Software, talked about the existing challenges of file transfer:

  • Old technology - such as Standard FTP - is still in use despite limitations and risks posed by data "sent in the clear".
  • Time consuming manual processes that might include the use of PC tools.  Scripts are also a legacy of old processes that continue to saddle IT departments.  Programmers create and maintain these scripts - often hundreds or thousands - to automate transfers.
  • File access is often too decentralized, making it difficult to control and manage.  Compliance has become more stringent in data management.
  • Lack of notifications critical to insure successful data movement, rather than waiting for a partner to notice missing or incomplete transfers.  Traditional logs can be helpful but are also hard to find and filter for adequate audit trails.  The big issue is meeting data privacy regulations (e.g., PCI-DSS, HIPAA, GLBA and SOX) without centralized logs.
  • Employees are still sending files unchecked.  Without a simple and secure alternative, employees find their own solutions for file portability to maintain productivity.

managed file transfer 101 - 58percent_send_to_wrong_personThis final point often involves employees storing sensitive files on their PCs and laptops, sending documents through email, and utilizing cloud storage providers - like Dropbox - without proper controls in place.  If a company doesn't have internal policies in place to address file sharing and transfers, the liability risk can be severe. In a 2013 study by Stroz Friedberg on Information Security in American Business, it was found that 3 out of 4 office workers upload work files to their personal email or cloud account.  Of this group, 37% said it was because they prefer using their personal computer while 14% said it's because taking their work laptop home was simply too much effort. The same survey highlighted the role of senior managers in an organization's data risk.  Often the worst offenders, 58% admitted to accidently sending sensitive information to the wrong person. Just over half also admitted to taking files with them after leaving a job. While MFT won't put a stop to this practice, a workflow built on the secure storage of sensitive business documents will add transparency to file access activity.

What is Managed File Transfer?

File Transfers, in their basic form, involve the sharing of files with others through FTP, email or a cloud solution.  In contrast, Managed File Transfer takes a centralized enterprise-level approach to automating and securing file transfers.  This produces a secured, scheduled and trackable file transfer. By creating transparency within your organization, files are tracked and logged as they enter and leave your network.  MFT is a smart solution for companies who understand the liability and risk involved in transmitting sensitive data.

  • Keep files safe and secure
  • Make sure files go where they are needed, when they are needed
  • Track files from start to finish for compliance purposes

To see what MFT looks like in a real world example, the team at Linoma would be happy to schedule a live demo of the GoAnywhere Suite.  You can also click here to view the entire webinar for free. Discover how simple and affordable it can be to utilize an MFT solution in your organization.

Could your FTP server pass a compliance audit?

data security compliance auditIf an auditor showed up in your office tomorrow and wanted to examine your file transfer security policies and procedures, how confident are you that your organization would earn high marks?

Take this short quiz and find out.

  1. Are you still hosting an outdated SFTP or FTP server in the public area of your network (or DMZ)?
  2. Do trading partners have access to inbound ports within your internal network to drop off or retrieve files?
  3. Are your administrative security controls granular enough to manage user access to specific files, folders and areas of the network?
  4. Can you monitor all file transfer activity and maintain detailed audit logs?
  5. Do employees have easy access to an ad hoc file transfer tool that lets them transfer files of any size, all while generating audit trails?

To find out how auditors expect you answer these questions, don't miss our next webinar:

Get Your FTP Server Into Compliance
Thursday, July 18 at Noon Central

Linoma Software's Chief Architect Bob Luebbe will show you how the GoAnywhere Services secure FTP server can work with GoAnywhere Gateway to keep sensitive data and credentials safely in your internal network and out of the DMZ.  He'll also demonstrate how the two work together to allow you to exchange files with trading partners without opening inbound ports.

Do your homework so you can prepare for a visit from the auditor.  Sign up today!  

Healthcare Industry Still Lags in Protecting Data

As healthcare information security requirements and penalties get tougher, a great deal of discussion is focused around how well the healthcare industry is securing patient data.

healthcare data security survey results

The general consensus is that the industry still has a long way to go. One of the industry's publications, Healthcare InfoSecurity, released the results of the Healthcare Information Security Today survey sponsored by RSA which took an in-depth look at security and IT practices of senior executives in the healthcare industry.

<< click on the image to learn more  


The survey reviews many information security topics including

  • Impact of a data breach
  • Security threats
  • Compliance and steps to improve security
  • Risk assessment

Some of the responses surprised us on how far healthcare companies need to go for proper HIPAA compliance. Take a look at these statistics:

  • 55% of respondents were not confident in their organization's ability to comply with HIPAA and HITECH Act regulations concerning privacy and security (grading themselves adequate or less).
  • 66% responded that their organization's ability to counter internal information security threats was adequate or less.
  • Only 47% of survey participants utilize encryption for information accessible via a virtual private network or portal.
  • 32% of respondents have not conducted a detailed information technology security risk assessment/analysis within the past year with 47% updating their risk assessment only periodically.

The good news is that the survey shows that healthcare organizations are taking steps in the right direction to improve their security practices.

  • 37% of organizations' budgets for information security are scheduled to increase over the next year.
  • 40% of respondents plan to implement audit tool or a log management solution within the next year.

When asked what their organization's top three information security priorities are for the coming year, the top responses included

  • Improving regulatory compliance efforts
  • Improving security awareness/education
  • Preventing and detecting breaches

Healthcare IT teams will need updated security policies, comprehensive training for employees, and reliable tools and solutions that can deliver functionality, ease of use, audit reporting, and efficient workflows that protect the security of confidential data at rest and in motion.

The pressure is growing, compliance audits are looming, and tackling these issues are just part of the evolution of the healthcare industry.  

Retailers Struggle to Protect Against Data Breach

data breach, data securityAs thousands of harried spouses and romantically entangled Americans scramble to find the right Valentine's Day gifts this week, many are pulling out the credit cards and ordering online or over the phone or waiting in line to swipe their debit cards at the florist or candy store.  That's a lot of personal data zooming through cyberspace, which can make the perfect gift for hackers.

One of the compliance regulations that controls how merchants and others handle credit card data is PCI DSS, established to prevent, detect and react to unauthorized access to personal payment information.  The standards are strict and penalties can be stiff.

The challenge comes when retailers, overwhelmed with busy shopping seasons and lines of customers, have so many things to manage that their vigilance protecting customer data can lose priority.  And yet, it just takes one misstep to open the doors to a data breach.

That's why it's critical that retailers and other organizations who handle credit card information regularly assess their data protection policies and processes, and implement effective encryption and data transfer tools that can automate the process of keeping data secure so they can focus on keeping their customers happy.

For more information about how Linoma Software can help keep your data safe at rest and in motion, email Solutions@LinomaSoftware.com.

New Protections for Patient Data Increase Pressure For Trading Partners to Get Compliant

Yet another layer of regulation has been added to the Health Insurance Portability and Accountability Act (HIPAA) that offers even greater protection for healthcare patients' privacy, while also defining new rights regarding how they can access their health records.

meet HIPAA compliance regulationsThe biggest change is the expansion of HIPAA compliance requirements to include trading partners and third parties who also handle patient data, such as billing companies, contractors, and more.  The U.S. Department of Health and Human Services (HHS) reports that these third parties have been responsible for several significant data breaches which is one reason the responsibility for compliance has been extended to this group.

Penalties for violating HIPAA compliance rules will be assessed based on the determined level of negligence, and can go as high as $1.5 million per incident.

Other issues addressed with the latest additions to the HIPAA regulations include more clarity in defining which types of breaches need to be reported, as well as how patients will be allowed to access and interact with their health records electronically.

If you're concerned about whether your FTP server meets compliance regulations, join us for a webinar on Thursday, Jan. 31 at Noon Central entitled "Get Your FTP Server in Compliance!"  You can learn more about the agenda for this webinar here.

For more information about the new HIPAA rules, check out the press release from HHS.

Building a Framework for HIPAA and HITECH Compliance

HITECH laws were enacted to up the ante on healthcare organizations to meet HIPAA legal compliance for data security and privacy, which, of course puts an additional burden on IT to make sure all bases are covered.  But regardless of the rigors of enacted laws, compliance doesn't happen overnight. It takes diligence and continued effort to understand and address all necessary requirements. To avoid the potential penalties of breaking HIPAA and HITECH laws, losing the confidence of patients and partners, and incurring hefty penalties, a focused, deliberate, measured plan is essential.

In addition to becoming familiar with HIPAA and HITECH regulations (a good place to start is the HHS.gov website), it's critical to meet with your security and management team and make decisions as to how your organization can best protect sensitive healthcare information. One of the first places to start this process is to fully document your department's own security policy and procedures.  This provides the foundation from which to train internal users in understanding and complying with the HIPAA and HITECH rules. In fact, having a security policies and procedures document is a requirement by HIPAA and HITECH.

If you don't currently have your security policies and procedures documented, one option for finding a good template is to Google the term, "IT Security Policies and Procedures." You will find free downloadable templates that give you a basic outline to follow.

If you already have this document in place, keep in mind it needs to be treated as a living document, to be changed and updated often as circumstances and requirements change.  Make a point to do a yearly, if not a bi-yearly, review.

Of course, documentation of security policies is only a start. You need to procure and implement proven security tools across your enterprise to protect your data -- whether the data resides on a server or is being transmitted across a network or the Internet.  A less-than exhaustive list of necessary IT security tools for ensuring compliance:  


  • Firewall - This security measure prevents intrusion into the private network from unauthorized outside viewers.
  • Email encryption  - To meet privacy requirements, email communications that contain private data must be encrypted.
  • Malware protection - This step keeps spyware/malware from infecting PCs and servers containing private data.
  • FTP communications - Managed file transfer solutions are designed specifically to provide encryption, logging and automation tools that make sure the sensitive data is secured and tracked while in motion, while reducing the time to manage all incoming and outgoing transactions
  • Backup protection - Backup files and tapes need to be encrypted and otherwise secured to make sure sensitive data can't fall into the wrong hands
  • Data shielding - Sensitive fields need to be encrypted or hidden to ensure that it can't be viewed or extracted by unauthorized viewers. A good data encryption product can also encrypt data on backup tapes as well sensitive data that might be shown in on-screen applications.
  • Physical facility protection - Server rooms, fax/copy/printer rooms, workstations all must be  considered when protecting sensitive data that is printed on paper or residing on servers or PCs.
  • Telephone and online communications - Anyone involved in telephone, online chat or discussion groups needs to be trained to be sensitive to privacy regulations and exposing sensitive information.


As you can see, there are several aspects of compliance to HITECH and other laws that need to be considered and addressed.  Healthcare professionals and organizations need to take their patients' privacy seriously, whether in the hospital, physician office or in electronic format on servers and digital communications with others.