PCI DSS Requirement 1.1.6 states that firewalls and router configurations must include a business justification for the use of insecure protocols over the network, and that appropriate security features must be documented and implemented for the use of such protocols. Additionally per PCI DSS Requirement 2.2.3, system configuration standards must include implementation of security features for any insecure protocols.
Examples of security features may include use of secure FTP software, or tunneling the FTP connection over a secure channel, such as IPSec, SSH or TLS.
(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)
Article Number 1076