IMPORTANT NOTICE

As part of our Equifax security policy, Equifax MFT PGP keys expire every two years to ensure the protection of confidential data. The current set of MFT Public PGP keys will expire on Sunday, 04/14/2024, 11:59 PM ET (PGP Key IDs provided below).

Links to the new keys and details on 2024 key rotation schedule provided below.

PGP File Encryption

PGP combines some of the best features of modern cryptography, including compression, digital signatures and public key encryption.

Although Equifax Data Gateway Services (DGS) only utilizes encrypted protocols for its batch file transfers (Connect Direct, HTTPS, SFTP), PGP encrypting your data files prior to transfer adds an additional layer of data protection.

Files Batch File Transfers via Equifax DGS

Equifax security mandates that all batch file transfers with external clients/vendors must be PGP encrypted with a PGP key that meets the below requirements.

  1. REQUIRED - PGP key length is 2048+ bits.
  2. REQUIRED - PGP key is created in RSA format.
  3. REQUIRED - Public PGP key block contains both primary and sub keys.
  4. REQUIRED - PGP key contains an expiration date no later than 2 years after create date.
  5. REQUIRED - Features list includes MDC
  6. REQUIRED - Cipher list includes AES256
  7. PREFERRED - AEAD feature is removed

Asymmetric PGP Encryption

Equifax requires all PGP operations to utilize asymmetric encryption.  This method of encryption requires a public/private PGP key pair.  

  • Public key is used to encrypt data files.
  • Private key is used to decrypt data files.  

PGP Encryption Process (High Level)

The following high level steps are necessary to use PGP to encrypt files before sending to Equifax:

  1. Obtain and install PGP software (see https://www.openpgp.org or https://www.gnupg.org for more information on compatible software products)
    1. The below tutorials provide step by step guidance on how clients can implement Equifax PGP standards using OpenPGP.
      1. Equifax DGS PGP Tutorial- Command Line - Walkthrough uses command line as the interface for OpenPGP.
      2. Equifax DGS PGP Tutorial- Kleopatra - Walkthrough uses Kleopatra, a user friendly interface for OpenPGP.
    2. IMPORTANT NOTE: Equifax does not recommend any specific File Encryption Software. We do suggest, however, that its Trading Partners that are unfamiliar with PGP encryption choose a software package that has its own help desk that provides support for any technical issues.
  2. Download the Equifax DGS public keys from the links provided below.
  3. Import each public key into your key ring and configure as follows:
    1. Encrypting files sent to Equifax DGS using AES 256 encryption cipher algorithm.
    2. Certify as the signing key for encrypted files received from Equifax DGS.

General Guidelines

  1. Compression is built into the encryption, so it is not necessary to zip your data files before or after encryption.
  2. Issued keys will expire every 2 years.

Download Public Key (New Version, 2048 bit)

4096_bit_EFX_MFT_UAT_Public_PGP_0xB9F317AF_Exp_04202026 - Expires Monday, 4/20/2026, 11:59 PM ET
4096_bit_EFX_MFT_PRD_Public_PGP_0xF48B2A8C_Exp_04202026 - Expires Monday, 4/20/2026, 11:59 PM ET

Equifax MFT PGP Rotation Schedule - 2024

  • 02/01/2024 – 4/14/2024, 11:59 PM ET
    • Equifax MFT will activate the new PGP keys by 01/26/2024, 9:00 AM ET.
      • Clients/Vendors will be able to PGP encrypt inbound files sent to Equifax MFT with the current or new PGP keys.
      • Equifax MFT will continue to sign outbound PGP encrypted files sent to clients/vendors with the current PGP keys.
    • Equifax suggests its partners use this time for implementation and testing.
    • Clients can coordinate testing with the new PGP key by emailing mft_pgp_support@equifax.com.
  • 04/15/2024, 12:00 - 2:00 AM ET
    • The current PGP will expire on 4/15/2024 12:00 AM, and no longer be usable.
      • Clients/Vendors must PGP encrypt inbound files sent to Equifax MFT with the new PGP keys, no exceptions.
      • Equifax MFT will sign outbound PGP encrypted files sent to clients/vendors with the new PGP keys, no exceptions.
    • Equifax suggests its partners make all necessary changes to their PGP encryption/decryption process beforehand to ensure no negative impact to any live file transfers.