Moved to PCI community for more visibility.
- Robert (community manager)
When you hear "need AUTH for your FTP Server", that means "FTP over SSL" (a.k.a. "FTPS") as defined by RFC 2228 (http://www.ietf.org/rfc/rfc2228.txt).
You essentially have two options for your situation:
1) Upgrade IIS FTP from version 6 to version 7, since version 7 supports a simple version of FTPS (e.g., http://learn.iis.net/page.aspx/304/using-ftp-over-ssl-in-iis-7/)
2) Switch FTP servers, especially if your auditors have been pushing you to a multi-tier architecture to separate Internet-facing and data-handling components. (Personally, I like Serv-U - http://www.serv-u.com/solutions/pci.asp - for this, but there are other options too.)
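Added example, not part of the thread or of any vendor's code: a small check to confirm, after either option above, that the server really answers the RFC 2228 `AUTH` command. It reads the `FEAT` feature list (RFC 2389) and the reply to `AUTH TLS`; the function names and the sample replies are constructed for illustration.

```python
import ftplib

def auth_mechanisms(feat_reply: str) -> set:
    """Return the AUTH mechanisms listed in a FEAT reply (RFC 2389 format)."""
    mechs = set()
    for line in feat_reply.splitlines():
        if not line.startswith(" "):       # feature lines are indented by one space
            continue
        name, _, params = line.strip().partition(" ")
        if name.upper() == "AUTH":
            mechs.update(m.upper() for m in params.replace(";", " ").split())
    return mechs

def assess(feat_reply: str, auth_reply: str) -> str:
    """Classify a server from its FEAT reply and its reply to 'AUTH TLS'."""
    if auth_reply.startswith("234"):       # 234 = server accepts the security exchange
        return "AUTH TLS accepted"
    if "TLS" in auth_mechanisms(feat_reply):
        return "AUTH TLS advertised but refused"
    return "no AUTH support (plain FTP only)"

def probe(host: str, port: int = 21, timeout: float = 10.0) -> str:
    """Ask a live server for FEAT and AUTH TLS, then drop the connection."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    replies = []
    for cmd in ("FEAT", "AUTH TLS"):
        try:
            replies.append(ftp.sendcmd(cmd))
        except ftplib.Error as exc:        # ftplib raises on 4xx/5xx replies
            replies.append(str(exc))
    ftp.close()                            # no TLS handshake is attempted
    return assess(*replies)

# Constructed sample replies, not captured from any real server.
FEAT_FTPS = "211-Extensions supported:\n AUTH TLS\n PBSZ\n PROT\n211 End"
FEAT_PLAIN = "211-Extensions supported:\n SIZE\n MDTM\n211 End"

if __name__ == "__main__":
    print(assess(FEAT_FTPS, "234 AUTH command ok"))
    print(assess(FEAT_PLAIN, "500 'AUTH TLS': command not understood"))
```

Run `probe()` against your own server before and after the change and keep the output as evidence for the rescan.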
Additionally, depending on the usage of this FTP function, you may be able to submit this as a PCI False Positive / Exception request.
For example, if there is no sensitive data stored or passed through this FTP function, there would essentially be No Risk to the Cardholder Data Environment, and so this could likely be approved as a False Positive / Exception.
Thank you for your helpful feedback.