[FX.php List] PCI Compliance for FMS and OS X Server
Bob Patin
bob at patin.com
Thu Jun 27 07:35:57 MDT 2013
Jonathan,
I have a client who runs a PCI compliance test every 30 days; their web apps are powered by FileMaker. They're using a 2-machine configuration and FMSA 12; the web server is Windows 8 Server.
I hired a consultant to help me go through my code, and after spending a grand on him (I won't mention the company by name, but we all know it extremely well), I saw that the ONLY thing he did was to add this to every $_POST:
htmlspecialchars($_POST['myvar']))
which apparently satisfied the PCI compliance gods. I don't know what else they may have done on the web server (if anything), but this gets them by every month.
As to FM Server: we don't capture or store any card numbers, although they do use Plastic to run cards in these venues (tourist attractions); to my knowledge they've not had to do anything with the FM Server machines at all.
Bob Patin
Longterm Solutions LLC
bob at longtermsolutions.com
615-333-6858
http://www.longtermsolutions.com
FileMaker 9, 10 & 11 Certified Developer
Member of FileMaker Business Alliance and FileMaker TechNet
--
Twitter: bobpatin
AIM: longterm1954
iChat: bobpatin
--
Expert FileMaker Consulting
FileMaker Hosting for all versions of FileMaker
On Jun 25, 2013, at 2:37 PM, Jonathan Schwartz <jschwartz at exit445.com> wrote:
> Hi Folks,
>
> I'm back to asking this same question again because it keeps on rearing it's ugly head...
>
> Has anyone passed a PCI Compliance scan (for credit card security) using FIleMaker Server 11 or 12 under OS X Server?
>
> I am running OS X Server (10.6.8) on a machine with the latest version of FMS 11. It fails due to old OPENSSL, Apache and TomCat. It looks like I would need to stop using the built in version oh HP for FMP Web Publishing and attempt to update the offending modules. Not fun.
>
> It might be easier to migrate to a current OS X server and FileMaker 12, but I need to be sure that this is a guarantee of PCI Compliance. For the sake of argument, assume that the php code itself is 100% compliant. I'm just asking about the server environment.
>
> For reference, the PCI scan I'm referring to is from trustwave. Passing the scan is required in order for the client to maintain their credit card Gateway.
>
> Thanks
>
> Jonathan
>
> Jonathan Schwartz
> Exit 445 Group
> jonathan at exit445.com
> www.exit445.com
> cell: 415-370-5011
>
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.iviking.org/pipermail/fx.php_list/attachments/20130627/d5d5d907/attachment.html
More information about the FX.php_List
mailing list