[FX.php List] [ OFF ] Getting to PCI compliance
John May
jmaymailing at pointinspace.com
Thu May 19 12:13:37 MDT 2011
One thing to note too is that there is a difference between what is
*required* and what the PCI company would *like* you to do. Very often
a very large difference. Only the required stuff is what is required to
obtain certification, in my experience.
They're very much like the HR person trying to hire a tech person that
only knows the catch-phrase certifications to look for - they don't
necessarily understand what they're talking about.
- John
On 5/18/11 11:06 AM, Gareth Evans wrote:
> The report will tell you what needs to be addressed. From my experience
> most of the stuff that needs to be done is on the server side of things
> like patching apache/php, installing firewalls/antivirus, blocking
> unused ports etc. From an application standpoint the usual security
> guidelines apply like forcing ssl on login/order entry forms, enforcing
> strong passwords, filtering data, disabling autocomplete on certain form
> fields etc. If you're storing card data then there are requirements for
> how it is stored in your systems and how employees can access that data.
> There is also an admin portion which requires drafting a security policy
> if you do not have one already.
>
> The following link will have some general info about it, although if you
> don't manage the servers there may not be too much for you to do depending
> on how you've written the app.
> https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
>
> Cheers,
> Gareth
>
> On 2011-05-18, at 9:52 AM, Bob Patin wrote:
>
>> One of my clients has received a PCI compliance letter, and now I'm
>> being asked to pull their cart into compliance.
>>
>> From what little I've read about it so far, it appears that I need to
>> block the submission of certain characters -- the < , > , and some
>> other symbols -- but is there more than that to be done to get to
>> compliance?
>>
>> From what I can tell from the report they received, the client's web
>> server needs a PHP update, but that's not my department... if anyone's
>> already trod down this road, I'd appreciate any wisdom.
>>
>> Thanks,
>>
>>
>> Bob Patin
>> Longterm Solutions
>>
--
-------------------------------------------------------------------
John May : President http://www.pointinspace.com/
Point In Space Internet Solutions jmay at pointinspace.com
Twitter: http://twitter.com/pointinspace/
Facebook: http://www.facebook.com/PointInSpace/
Professional FileMaker Pro, MySQL, PHP & Lasso Hosting
on shared, virtual and hardware dedicated servers
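The application-side items Gareth lists (forcing SSL on order-entry pages, filtering data, disabling autocomplete) and Bob's question about blocking `<` and `>`, as an added PHP example that is not from anyone in this thread; the function names and the CART_HOST constant are assumptions, and the point is that escaping output is what neutralises injected markup, not rejecting two characters on input.

```php
<?php
// Added example, not code from the thread. Names below are assumptions.
const CART_HOST = 'shop.example.com'; // configured host, not the Host header

// 1. Force TLS on login / order-entry pages: send plain HTTP to HTTPS.
function require_https(): void
{
    $secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['SERVER_PORT'] ?? 0) == 443);
    if (!$secure) {
        $path = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . CART_HOST . $path, true, 301);
        exit;
    }
}

// 2. "Filtering data": validate on the way in with an allow-list of what a
//    field may contain, and encode on the way out. Dropping '<' and '>'
//    alone still leaves quotes, event handlers and other contexts open.
function clean_name(string $raw): ?string
{
    $value = trim($raw);
    return preg_match("/^[\p{L} .'-]{1,64}$/u", $value) === 1 ? $value : null;
}

function h(string $s): string
{
    // Escapes <, >, &, " and ' for an HTML attribute or text context.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Card data: never echo or store the full PAN; keep only the last four.
function masked_pan(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);
    return str_repeat('*', max(0, strlen($digits) - 4)) . substr($digits, -4);
}

// Order-form page: enforce TLS first, then render with escaped values and
// autocomplete disabled on the card field.
function render_order_form(array $post): string
{
    require_https();
    $name = clean_name($post['name'] ?? '') ?? '';
    return '<input name="name" value="' . h($name) . '">' . "\n"
         . '<input name="card" autocomplete="off">' . "\n";
}
```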