[FX.php List] [ OFF ] Getting to PCI compliance

Jonathan Schwartz jschwartz at exit445.com
Wed May 18 15:32:42 MDT 2011


Hi Bob,

I am in the midst of working with one of my clients on PCI compliance 
now as well.  However, in my case, the project is to pro-actively 
address compliance before the letter comes.  I've been reviewing 
alternatives for some time.

Here is my feedback on the subject as a FileMaker and web publishing 
developer...not a security specialist. Your mileage may vary.

PCI Compliance is a lot like doing one's taxes. You understand that it is 
a requirement to pay. There are lots of guides and opinions on how to 
interpret the requirement. Unless you are an expert, the road will be 
a tough one, and mistakes are likely.  And while the US's tax agency, 
the IRS, is not usually thought of as lightweight, the penalties 
for PCI breaches are huge...$50,000 per incident.

OK..enough of the tax analogy.

There is a list of 12 broad requirements that comprise PCI 
compliance.  They were just updated in October 2010 and made even 
more stringent.

In essence, they require the safe handling of credit card data from 
end to end.  This is a good starting point: 
https://www.pcisecuritystandards.org/security_standards/index.php

It's not an easy read.  The requirements branch off depending on the 
size of the company and transaction rates. It covers areas from 
physical security, network security, employee training, handling and 
storage of data, encryption, logging, testing and on and on.

Here's a quick test: Do you store the CVC number?  This is absolutely 
positively forbidden. The CVC should be used only to run immediate 
transactions and discarded.

Back to reality...I boiled down the options to three:
1) Store credit cards locally at the company and deal with each 
aspect of security.
2) Store credit cards on the cloud. Recent hacks to SONY and others 
made me drop that option.
3) Use Authorize.net's CIM integration method which completely 
removes all credit card data from client hands.

Options 1 and 2 require in-depth knowledge of security practices, 
which I do not have.

Option 3, CIM, is a secure online system where clients store credit 
card data online in their system and refer to it as needed by a 
reference number.  Once entered, no credit card numbers are ever 
visible to the client, their employees or anyone else.

There are at least two ways to interact with CIM:
1) PHP scripts via the Authorize.net gateway.
2) FMP native via a plugin via the Authorize.net gateway.

Between these two tools, it covers both native and web publishing.

Bottom line for me...unless my clients have teams of security experts 
that will assume the responsibility for creating and maintaining a 
PCI compliant environment...and how many FMP clients fall into this 
category?...I am going with a solution that shifts that 
responsibility to a compliant third party: Auth.net.

Well, that's my take on PCI compliance.

Hope this is helpful to you and others going down this road....


Regards,

Jonathan
>One of my clients has received a PCI compliance letter, and now I'm 
>being asked to pull their cart into compliance.
>
>From what little I've read about it so far, it appears that I need 
>to block the submission of certain characters -- the < , > , and 
>some other symbols -- but is there more than that to be done to get 
>to compliance?
>
>From what I can tell from the report they received, the client's web 
>server needs a PHP update, but that's not my department... if 
>anyone's already trod down this road, I'd appreciate any wisdom.
>
>Thanks,
>
>
>Bob Patin
>Longterm Solutions
><mailto:bob at longtermsolutions.com>bob at longtermsolutions.com
>615-333-6858
><http://www.longtermsolutions.com/>http://www.longtermsolutions.com
>iChat: bobpatin
>FileMaker 9, 10 & 11 Certified Developer
>Member of FileMaker Business Alliance and FileMaker TechNet
>--
>Expert FileMaker Consulting
>FileMaker Hosting for all versions of FileMaker
>PHP * Full email services * Free DNS hosting * Colocation * Consulting


-- 
Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com
http://www.exit445.com
415-370-5011
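The reference-number pattern Jonathan describes (the gateway vault keeps the card, the client keeps only an opaque reference, and the CVC is used once and dropped) is worth seeing as code. The block below is an added example written for this list archive; it is not code from the thread, from FX.php, or from Authorize.net's real CIM API. The `FakeVault` class is a constructed stand-in for the gateway, the card number is the well-known Visa test number, and `check_record_for_cardholder_data` is a hypothetical pre-save guard that flags any record still carrying a PAN or CVC before it reaches the local database.

```python
"""Tokenized card storage: keep only a gateway reference, never the PAN or CVC.

Added example, not the mailing list's or Authorize.net's code. The vault is
simulated so the example runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


def luhn_ok(pan: str) -> bool:
    """Mod-10 check used by card brands; a cheap way to spot a real-looking PAN."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class FakeVault:
    """Constructed stand-in for a card vault such as Authorize.net CIM (not its API)."""

    def __init__(self) -> None:
        self._cards: Dict[str, Tuple[str, str]] = {}

    def create_profile(self, pan: str, expiry: str, cvc: str) -> str:
        # The CVC is only used for this enrolment check and is never retained.
        if not luhn_ok(pan) or not cvc.isdigit():
            raise ValueError("card rejected by vault")
        ref = f"prof-{len(self._cards) + 1:06d}"   # opaque reference the client keeps
        self._cards[ref] = (pan, expiry)
        return ref

    def charge(self, ref: str, amount_cents: int) -> dict:
        if ref not in self._cards:
            raise KeyError("unknown profile reference")
        return {"ref": ref, "amount": amount_cents, "approved": True}


@dataclass(frozen=True)
class StoredCard:
    """All the client side is allowed to keep: reference, last four, expiry."""
    profile_ref: str
    last4: str
    expiry: str


def make_stored_card(vault: FakeVault, pan: str, expiry: str, cvc: str) -> StoredCard:
    pan = re.sub(r"\D", "", pan)
    ref = vault.create_profile(pan, expiry, cvc)
    return StoredCard(profile_ref=ref, last4=pan[-4:], expiry=expiry)


# Field names that must never reach local storage (PCI DSS req. 3: no CVC ever,
# no full PAN unless you take on the whole encryption/key-management burden).
FORBIDDEN_FIELDS = {"pan", "card_number", "cvc", "cvv", "cvv2", "track_data"}
PAN_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")   # 13-19 digits, optional separators


def check_record_for_cardholder_data(record: dict) -> List[str]:
    """Hypothetical pre-save guard: returns problems found; empty means safe to persist."""
    problems = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            problems.append(f"field {key!r} must never be stored")
        elif isinstance(value, str):
            for m in PAN_CANDIDATE.finditer(value):
                if luhn_ok(m.group()):
                    problems.append(f"field {key!r} contains what looks like a full card number")
                    break
    return problems


def enrol_and_charge(vault: FakeVault, pan: str, expiry: str, cvc: str, amount_cents: int) -> dict:
    """Enrol once with the CVC, persist only the reference, then charge by reference."""
    card = make_stored_card(vault, pan, expiry, cvc)
    record = {"profile_ref": card.profile_ref, "last4": card.last4, "expiry": card.expiry}
    problems = check_record_for_cardholder_data(record)
    if problems:
        raise RuntimeError("refusing to persist cardholder data: " + "; ".join(problems))
    return vault.charge(card.profile_ref, amount_cents)


if __name__ == "__main__":
    v = FakeVault()
    print(enrol_and_charge(v, "4111 1111 1111 1111", "12/25", "123", 1999))
    print(check_record_for_cardholder_data({"note": "customer card 4111 1111 1111 1111"}))
```

The guard is deliberately run on the record the client is about to save, not on the form input: the point of the CIM-style design is that after enrolment the application never holds anything a breach could expose, so any PAN or CVC showing up in a local record is a design regression worth failing loudly on.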