Is there a recommended way for preparing and sending the batch/session file(s) to Vantiv? What I mean is that according to PCI requirements, we can't simply render the constructed XML request to a temp file, and then [s]FTP that to Vantiv, since the PAN data can never be stored on disk unencrypted. The PCI spec states:
Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography (hash must be of the entire PAN)
- Truncation (hashing cannot be used to replace the truncated segment of PAN)
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures
It's almost as if we have to "stream" the file to Vantiv's FTP directory in-memory, to avoid writing the PAN to disk unencrypted.
Even if we're using a secure protocol, such as sFTP, PCI forbids us from writing the PAN to the file, even if it's temporary. That being said, what's the recommended way for preparing and sending a batch/session file to Vantiv?
We're using .NET, and have been leveraging the Vantiv .NET SDK (Developers | Vantiv).
Hi Matt,
Sorry for the delay, but I am working to find someone from our eCommerce team to address your question. We will get back to you later today.
Thank you,
Chris