> The company I work for is required to get PCI (Payment Card
> something-or-other) certified in order to keep doing some of the things
> that we are doing with credit card payments.

Payment Card Industry Data Security Standard

[snip]

> However, now that we need this cert, one of the few things still
> standing in the way is the requirement that we set up the FTP server
> to lockout (for 30min.) any account that fails to login 3 times in a
> row.

You mean besides the fact that you're running FTP at all, right?

- PCI requires that all passwords are encrypted in transmission, and FTP
  doesn't do this.
- Depending on how you interpret the wording, PCI either prohibits or
  strongly discourages the use of FTP from 'untrusted' networks/hosts.

Consider replacing your FTP solution with scp/sftp.

-Ryan

--
Ryan T. McBride, CISSP - [EMAIL PROTECTED]
Countersiege Systems Corporation - http://www.countersiege.com
PGP key fingerprint = 5A63 31A0 B2E0 4A64 3D16 C474 99A7 BEFE F9BA A8E0
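
Added example, not part of the original message: an audit check that walks an FTP control-channel transcript and reports the USER/PASS commands that were sent before TLS was active, which is the exposure the reply describes. The transcripts, host name, accounts and passwords are constructed; the explicit-FTPS handshake (AUTH TLS answered by a 234 reply) follows RFC 4217.

```python
# Constructed FTP control-channel transcripts: ("C" = client, "S" = server, line).
# Host names, users and passwords are made up for this example.
PLAIN = [
    ("S", "220 ftp.example.test ready"),
    ("C", "USER alice"),
    ("S", "331 Password required"),
    ("C", "PASS constructed-secret-1"),
    ("S", "230 Login successful"),
]
# Explicit FTPS (RFC 4217): after the 234 reply the channel is TLS; the later
# commands are shown decoded only so the two cases can be compared.
FTPS = [
    ("S", "220 ftp.example.test ready"),
    ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation"),
    ("C", "USER alice"),
    ("S", "331 Password required"),
    ("C", "PASS constructed-secret-1"),
    ("S", "230 Login successful"),
]
# Server refuses AUTH TLS and the client falls back to a plain login.
FALLBACK = [
    ("S", "220 ftp.example.test ready"),
    ("C", "AUTH TLS"),
    ("S", "502 Command not implemented"),
    ("C", "USER bob"),
    ("S", "331 Password required"),
    ("C", "PASS constructed-secret-2"),
    ("S", "230 Login successful"),
]


def cleartext_credentials(transcript):
    """Return the (verb, argument) login commands sent before TLS was active."""
    tls_pending = tls_active = False
    exposed = []
    for direction, line in transcript:
        verb, _, arg = line.partition(" ")
        if direction == "S":
            if tls_pending:  # the reply to AUTH decides whether TLS starts
                tls_active, tls_pending = verb == "234", False
        elif verb.upper() == "AUTH" and arg.upper() in ("TLS", "SSL"):
            tls_pending = True
        elif verb.upper() in ("USER", "PASS") and not tls_active:
            exposed.append((verb.upper(), arg))
    return exposed
```

The fallback case is the one to watch for when FTPS is offered but not enforced: the login still succeeds, and the password crosses the network unencrypted.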