PCI DSS 4.0 — LiquidFiles Compliance Mapping
The Payment Card Industry Data Security Standard (PCI DSS) is the set of security requirements
that applies to organisations that store, process or transmit payment card data. PCI DSS v4.0
was published in March 2022 and became the only active version when v3.2.1 was retired on
31 March 2024; its future-dated requirements became mandatory on 31 March 2025, and the current
revision is v4.0.1 (June 2024). The standard is organised into 12 requirements under six
security goals. This page maps those requirements to the capabilities LiquidFiles provides.
A downloadable spreadsheet with all the control mappings is available at the
bottom of this page.
Why PCI DSS Matters for File Transfer
PCI DSS becomes relevant for LiquidFiles when the system is used to transfer files that
contain cardholder data or other payment-related information. Every system component in the
Cardholder Data Environment (CDE), including any component that could affect the security of
the CDE, must meet PCI DSS requirements. A file transfer system that moves payment data
stores, processes and transmits account data, so it is in scope.
LiquidFiles is a self-hosted product. PCI DSS compliance is your organisation's
responsibility — we don't manage your systems, and we have no access to your data
or your CDE. However, LiquidFiles provides the technical capabilities that PCI DSS
auditors (QSAs) look for in a file transfer system.
How to Use This Page
PCI DSS 4.0 has 12 requirements grouped under six goals:
- Build and maintain a secure network and systems (Req 1–2)
- Protect account data (Req 3–4)
- Maintain a vulnerability management programme (Req 5–6)
- Implement strong access control measures (Req 7–9)
- Regularly monitor and test networks (Req 10–11)
- Maintain an information security policy (Req 12)
For each requirement, we describe the product capability LiquidFiles provides. How you
configure and operate these capabilities within your CDE is part of your PCI DSS compliance
programme and is your responsibility.
Requirement 1: Install and Maintain Network Security Controls
| Control Area | LiquidFiles Capability |
|---|---|
| Firewall / Network Controls | LiquidFiles includes a built-in Netfilter firewall configured to expose only the necessary ports (TCP 80 and 443 for HTTP/HTTPS by default). Internal services such as PostgreSQL do not listen on any TCP port, so even with the firewall disabled no additional services are reachable from the network. Req 1.2.5 still expects you to document each allowed port with its business justification, including any SFTP/FTPS ports you enable. See Built-in Firewall. |
| Network Segmentation | Customer responsibility. Segmenting your LiquidFiles system within your CDE is your responsibility. LiquidFiles supports admin network restrictions to separate administrative access from user access. |
Requirement 2: Apply Secure Configurations to All System Components
| Control Area | LiquidFiles Capability |
|---|---|
| Secure Defaults | LiquidFiles is delivered as a hardened virtual appliance on a minimal Ubuntu installation. There are no vendor-supplied default passwords (Req 2.2.2): administrator credentials are set during initial configuration. The defaults are secure out of the box (TLS only, strong ciphers, firewall enabled). See Hardening LiquidFiles. |
| System Hardening | Only required packages and services are installed, and the appliance model prevents installation of arbitrary software (Req 2.2.4). Ubuntu Pro is supported for additional hardening against the CIS and DISA-STIG benchmarks, which is the simplest way to evidence a configuration standard based on an industry-accepted hardening standard (Req 2.2.1). See Platform Security. |
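A QSA will want evidence for the exposed-port claim in Requirements 1 and 2 rather than the statement alone. The following POSIX shell script is an added example, not LiquidFiles' own code: it parses `ss -tlnH` output and lists every TCP listener bound to a non-loopback address whose port is not on an approved list, which is the artefact Req 1.2.5 and Req 2.2.4 ask for. The column layout of `ss` output, the approved-port list (80 and 443, matching the defaults described above) and the sample output embedded for the offline run are assumptions or constructed data.

```shell
#!/bin/sh
# Added example (not LiquidFiles' own code): report TCP listeners that are reachable
# from the network and not on the approved port list (PCI DSS 1.2.5 / 2.2.4 evidence).
# Reads `ss -tlnH` output; the column layout assumed is iproute2's:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# ALLOWED_PORTS is an assumption: 80 and 443 match the page's defaults; add 22 for
# SSH or 21/990 for FTPS/SFTP only if you have enabled and documented them.
ALLOWED_PORTS="${ALLOWED_PORTS:-80 443}"

# unexpected_listeners: reads ss -tlnH output on stdin, prints one address:port per
# unapproved non-loopback listener, and returns 1 if any were found (0 otherwise).
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        addr = $4                        # e.g. 0.0.0.0:443, [::]:22, 127.0.0.1:8080, *:80
        port = addr; sub(/.*:/, "", port)        # text after the last colon
        host = addr; sub(/:[0-9]+$/, "", host)   # everything before it
        # Bound to loopback only: not reachable from the network, so not a finding.
        if (host == "127.0.0.1" || host == "[::1]") next
        if (!(port in ok)) { print addr; found = 1 }
    }
    END { exit found ? 1 : 0 }'
}

# Constructed sample (not captured from a real appliance): the two expected web
# listeners, a loopback-only service that must be ignored, and an SSH daemon bound
# to all IPv6 addresses that should be reported.
SAMPLE_SS_OUTPUT='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

case "${1:-}" in
    live)   ss -tlnH | unexpected_listeners ;;                           # run on the appliance
    sample) printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_listeners ;;  # offline demonstration
esac
```

Run `sh check_ports.sh live` on the appliance (or `sample` anywhere) and attach the output to your Req 1.2.5 port inventory; a non-zero exit status means a listener needs either a documented justification and an entry in `ALLOWED_PORTS`, or removal.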
Requirement 3: Protect Stored Account Data
| Control Area | LiquidFiles Capability |
|---|---|
| Data Retention and Disposal | Configurable automatic message and file deletion with retention policies per group, a system-wide message retention policy (default 365 days) and manual deletion by administrators. Files are purged automatically when messages expire. Req 3.2.1 requires retention to be kept to the minimum the business needs, so set the policy to your documented retention period rather than relying on the default. |
| Encryption at Rest | Full disk encryption (LUKS/AES-256) is available for the virtual appliance, and FIPS 140-3 mode is available via Ubuntu Pro for validated cryptographic modules. Note that under Req 3.5.1.2 disk-level encryption of non-removable media does not by itself render stored PAN unreadable: if files containing PAN are stored on the appliance, the PAN must also be protected by another mechanism that meets Req 3.5.1, for example truncation or encryption of the file itself before upload. User passwords are stored as bcrypt hashes (Req 8.3.2). See Full Disk Encryption and FIPS Mode. |
Requirement 4: Protect Cardholder Data with Strong Cryptography During
Transmission
| Control Area | LiquidFiles Capability |
|---|---|
| Encryption in Transit | All web traffic is encrypted with TLS 1.2 or 1.3 using strong cipher suites (AES-256). Weak protocols (SSLv3, TLS 1.0 and 1.1) and weak ciphers are disabled by default. HSTS is supported and recommended. The default configuration achieves an A+ rating on SSL Labs. SFTP and FTPS are available for automated file transfer; if you enable them, their protocol and cipher configuration is in scope for Req 4.2.1 as well. Req 4.2.1 also expects the server certificate to be valid and not expired, and Req 4.2.1.1 an inventory of the trusted keys and certificates in use. See Web Server, SSL and Transmit Encryption and SSL Labs Validation. |
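To evidence Req 4.2.1 independently of the SSL Labs rating (which needs the system to be reachable from the internet, and an internal CDE system often is not), the following script probes the appliance with `openssl s_client` and checks that TLS 1.0 and 1.1 are refused while TLS 1.2 and 1.3 are accepted. It is an added example, not LiquidFiles' own code; the hostname, port and the presence of openssl(1) on the machine running it are assumptions.

```shell
#!/bin/sh
# Added example (not LiquidFiles' own code): confirm that a TLS endpoint refuses the
# protocol versions PCI DSS 4.2.1 treats as weak and accepts TLS 1.2 and 1.3.
# HOST and PORT are assumptions; override them in the environment.
HOST="${HOST:-files.example.com}"   # assumed hostname of your LiquidFiles appliance
PORT="${PORT:-443}"

# tls_accepts HOST PORT PROTO_FLAG: exit 0 if the server completes a handshake when
# openssl is restricted to the given version (-tls1, -tls1_1, -tls1_2, -tls1_3),
# non-zero otherwise. A non-zero result also covers an openssl build that refuses to
# offer that version at all, which for this check is the same outcome: the version
# cannot be negotiated with this client.
tls_accepts() {
    openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null >/dev/null 2>&1
}

# expect_refused / expect_accepted: one PASS/FAIL line per protocol version; return 0
# on PASS so the overall result is the conjunction of all checks.
expect_refused() {
    if tls_accepts "$HOST" "$PORT" "$1"; then
        echo "FAIL: $1 accepted"; return 1
    else
        echo "PASS: $1 refused"
    fi
}
expect_accepted() {
    if tls_accepts "$HOST" "$PORT" "$1"; then
        echo "PASS: $1 accepted"
    else
        echo "FAIL: $1 refused"; return 1
    fi
}

# tls_protocol_check: run all four probes; returns 0 only if every one passes.
tls_protocol_check() {
    rc=0
    expect_refused  -tls1   || rc=1
    expect_refused  -tls1_1 || rc=1
    expect_accepted -tls1_2 || rc=1
    expect_accepted -tls1_3 || rc=1
    return $rc
}

case "${1:-}" in
    run) tls_protocol_check ;;
esac
```

Run it as `HOST=files.example.com sh tls_check.sh run` from inside the CDE and keep the output with your quarterly evidence; repeat it after any web server or OS update, since an update that re-enables TLS 1.0/1.1 would not otherwise be noticed on an internal system.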
Requirement 5: Protect All Systems and Networks from Malicious Software
| Control Area | LiquidFiles Capability |
|---|---|
| Antivirus / Anti-Malware | ClamAV is built in and enabled by default, with virus signatures updated every 2 hours (automatic updates, Req 5.3.1). All uploaded files are scanned automatically at upload time (Req 5.3.2). Custom file scanning via Attachment Upload Actionscripts and Share Files Upload Actionscripts enables integration with additional AV engines, DLP solutions or content inspection tools. Confirm that scan results appear in the logs you forward, because Req 5.3.4 requires anti-malware logs to be retained in line with Req 10.5.1. See Antivirus Scanning. |
Requirement 6: Develop and Maintain Secure Systems and Software
| Control Area | LiquidFiles Capability |
|---|---|
| Vulnerability Management | Automatic daily security updates are enabled by default, with Ubuntu CVE database checking and Ubuntu Pro available for extended security maintenance. LiquidFiles responds to reported vulnerabilities within 24 to 48 hours. Dependabot and GitHub alerts monitor all third-party dependencies. Req 6.3.3 requires critical and high-severity patches to be installed within one month of release: confirm which update channel covers the LiquidFiles application itself as well as the OS, and record each installation in your change records. See System Vulnerabilities. |
| Secure Development | Test-driven development. Automated security scanning with Brakeman (Rails), RuboCop (Ruby) and ESLint (JavaScript). GitHub Actions CI runs the full test suite and the scanners on every build, and the build fails if any issue is detected. Pull request code review. OWASP Top 10 and SANS Top 25 guidelines are followed (Req 6.2). See Secure Development Practices. |
| Web Application Security | Built on Ruby on Rails, with the framework's built-in protection against SQL injection, XSS and CSRF. Regular external scanning with OWASP ZAP. Customers are encouraged to perform their own web application security testing. If your LiquidFiles system is public-facing, Req 6.4.2 additionally requires an automated technical solution in front of it (such as a web application firewall) that continually detects and prevents web-based attacks; that control is not part of the product. See Web Application Framework. |
Requirements 7–9: Implement Strong Access Control Measures
| Req | Control Area | LiquidFiles Capability |
|---|---|---|
| 7 | Restrict Access by Business Need | Role-based access (Sysadmin/Admin/User). Group-based permissions control who can send to whom. LDAP/Active Directory integration for centralised access management. Admin network restrictions limit administrative access to designated networks. Configurable auto-expiration of inactive user accounts (Req 8.2.6 requires inactive accounts to be removed or disabled within 90 days). |
| 8 | Identify Users and Authenticate Access | Unique user accounts (identified by email address). Configurable password policy with CrackLib dictionary validation, and password expiration. Multi-factor authentication (TOTP, SMS, Duo Security) can be enforced per group. SAML2 SSO. Brute force protection. Passwords are stored as bcrypt hashes (Req 8.3.2). Configure the policy to the thresholds the standard sets: a minimum password length of 12 characters containing letters and digits (Req 8.3.6), lockout after no more than 10 invalid attempts for at least 30 minutes (Req 8.3.4), and a password change at least every 90 days wherever a password is the only factor (Req 8.3.9). Req 8.4.2 requires MFA for all access into the CDE, so MFA must be enforced for every group that can reach the system and not only for administrators, and Req 8.5.1 requires the MFA implementation to be resistant to replay and not bypassable. See Strong Authentication. |
| 9 | Restrict Physical Access | Customer responsibility. Physical access to the systems hosting LiquidFiles is your responsibility. LiquidFiles supports full disk encryption (LUKS/AES-256) to protect data on physical media. |
Requirement 10: Log and Monitor All Access to System Components and
Cardholder Data
| Control Area | LiquidFiles Capability |
|---|---|
| Audit Logging | All uploads, downloads, login activity (successful and failed) and admin activity are logged. The system log is available in Admin → System Log, and the message log has configurable retention (default 365 days). Req 10.5.1 requires at least 12 months of audit trail history, with at least the most recent three months immediately available for analysis; use syslog forwarding to a central log server (Req 10.3.3) for long-term retention rather than relying on retention on the appliance itself. See Logging and Auditing. |
| Log Forwarding and SIEM | Syslog forwarding to external servers for integration with SIEM solutions. Req 10.4.1 requires daily review of security events and CDE component logs, and Req 10.4.1.1 requires automated mechanisms for that review; syslog forwarding enables this through your SIEM platform. Forwarded logs leave the appliance, so carry them over a network path or syslog transport that preserves their integrity (Req 10.3.2). |
| Time Synchronization | NTP is configured by default so that all log entries carry accurate, consistent timestamps (Req 10.6.1). Req 10.6.2 expects systems other than your designated time servers to receive time from those internal servers, so check that the appliance's NTP source matches your time-synchronisation design. |
Requirement 11: Test Security of Systems and Networks Regularly
| Control Area | LiquidFiles Capability |
|---|---|
| Vulnerability Scanning | LiquidFiles is regularly scanned with external tools: SSL Labs, SecurityHeaders.com, OWASP ZAP and OpenVAS. This does not replace your own scanning: Req 11.3.1 requires internal vulnerability scans at least once every three months (authenticated scans under Req 11.3.1.2), and Req 11.3.2 requires external scans every three months by a PCI SSC Approved Scanning Vendor (ASV) where the system is reachable from the internet. See External Scanners. |
| Penetration Testing | Customer responsibility. Req 11.4 requires penetration testing at least once every 12 months and after any significant change, so include your LiquidFiles system in that programme. Common findings are documented in Frequent Responses After Security Reviews. |
Requirement 12: Support Information Security with Organisational Policies
and Programmes
| Control Area | LiquidFiles Capability |
|---|---|
| Security Policies | Customer responsibility. Your organisation's information security policies, security awareness training, incident response plans and PCI DSS scope documentation are not addressed by LiquidFiles as a product. |
| Vendor Management | LiquidFiles is a product vendor, not a third-party service provider in the sense of Req 12.8: we do not store, process or transmit cardholder data on your behalf and have no access to your CDE. See Vendor Onboarding Forms for our position on vendor questionnaires. |
Customer Responsibility
PCI DSS compliance is your organisation's responsibility. The following areas cannot be
addressed by LiquidFiles as a product vendor:
- Scoping — determining whether your LiquidFiles system is within
your CDE and which PCI DSS requirements apply.
- Network segmentation — your network architecture and how
LiquidFiles fits within your CDE.
- Physical security (Req 9) — physical access to your data centre
and equipment.
- Configuration — how you have configured LiquidFiles. We can
describe capabilities and defaults, not your actual settings.
- Log management — your SIEM configuration, automated log review
and 12-month retention.
- Penetration testing (Req 11) — your testing programme and
remediation process.
- Policies and training (Req 12) — your security policies,
awareness training and incident response plans.
For more context on this distinction, see our
Vendor Onboarding Forms page.
Download
A spreadsheet with the PCI DSS 4.0 requirement mapping for LiquidFiles is available for
download.
Download PCI DSS Control Mapping (CSV)