[FX.php List] [ OFF ] Getting to PCI compliance
Bob Patin
bob at patin.com
Thu May 19 12:50:29 MDT 2011
John,
Yes, I saw that as well; some of it involved updating PHP to a newer version of PHP 5, and there was something about the cert that they have, but those will be someone else's to deal with. What I think I have to do is add a regex expression that will filter certain characters from form inputs; since I'm not storing card info, that's a non-issue for us.
My client's accounting person got freaked by the $50K warning for each infraction, so of course they dumped the report in my lap to sort out...
Bob Patin
Longterm Solutions
bob at longtermsolutions.com
615-333-6858
http://www.longtermsolutions.com
iChat: bobpatin
FileMaker 9, 10 & 11 Certified Developer
Member of FileMaker Business Alliance and FileMaker TechNet
--
Expert FileMaker Consulting
FileMaker Hosting for all versions of FileMaker
PHP • Full email services • Free DNS hosting • Colocation • Consulting:
On May 19, 2011, at 1:13 PM, John May wrote:
> One thing to note too that there is a difference between what is *required* and what the PCI company would *like* you to do. Very often a very large difference. Only the required stuff is what is required to obtain certification, in my experience.
>
> They're very much like the HR person trying to hire a tech person that only knows the catch-phrase certifications to look for - they don't necessarily understand what they're talking about.
>
> - John
>
>
> On 5/18/11 11:06 AM, Gareth Evans wrote:
>> The report will tell you what needs to be addressed. From my experience
>> most of the stuff that needs to be done is on the server side of things
>> like patching apache/php, installing firewalls/antivirus, blocking
>> unused ports etc. From an application standpoint the usual security
>> guidelines apply like forcing ssl on login/order entry forms, enforcing
>> strong passwords, filtering data, disabling autocomplete on certain form
>> fields etc. If you're storing card data then there are requirements for
>> how it is stored in your systems and how employees can access that data.
>> There is also an admin portion which requires drafting a security policy
>> if you do not have one already.
>>
>> The following link will have some general info about it, although if you
>> don't manage the servers there may not be too much for you to do depending
>> on how you've written the app.
>> https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
>>
>> Cheers,
>> Gareth
>>
>> On 2011-05-18, at 9:52 AM, Bob Patin wrote:
>>
>>> One of my clients has received a PCI compliance letter, and now I'm
>>> being asked to pull their cart into compliance.
>>>
>>> From what little I've read about it so far, it appears that I need to
>>> block the submission of certain characters -- the < , > , and some
>>> other symbols -- but is there more than that to be done to get to
>>> compliance?
>>>
>>> From what I can tell from the report they received, the client's web
>>> server needs a PHP update, but that's not my department... if anyone's
>>> already trod down this road, I'd appreciate any wisdom.
>>>
>>> Thanks,
>>>
>>>
>>> Bob Patin
>>> Longterm Solutions
>>>
>
> --
>
> -------------------------------------------------------------------
> John May : President http://www.pointinspace.com/
> Point In Space Internet Solutions jmay at pointinspace.com
>
> Twitter: http://twitter.com/pointinspace/
> Facebook: http://www.facebook.com/PointInSpace/
>
> Professional FileMaker Pro, MySQL, PHP & Lasso Hosting
> on shared, virtual and hardware dedicated servers
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
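Bob's reply at the top of this message mentions adding a regex to filter certain characters from form inputs. As an added example, not code from the thread or from FX.php, the block below shows the allow-list form of that idea in PHP for a few typical cart fields, plus HTML output encoding, which is what actually stops "<" and ">" from becoming markup. The field names (qty, email, name) and the limits are assumptions.

```php
<?php
// Added example, not code from the thread: validate cart form fields against
// an allow-list instead of stripping "<" and ">", and encode values on output.
declare(strict_types=1);

/** Validate the fields a simple order form posts; field names are assumed. */
function validateOrderForm(array $post): array
{
    $errors = [];
    $clean  = [];

    // Quantity: whole number in a sane range (assumed limits), nothing else.
    $qty = filter_var($post['qty'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($qty === false) {
        $errors['qty'] = 'Quantity must be a whole number from 1 to 99.';
    } else {
        $clean['qty'] = $qty;
    }

    // E-mail: syntactic check only.
    $email = filter_var(trim($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Enter a valid e-mail address.';
    } else {
        $clean['email'] = $email;
    }

    // Name: letters, spaces, apostrophes, hyphens and periods only, so "<" and ">"
    // are rejected outright rather than silently removed.
    $name = trim($post['name'] ?? '');
    if ($name === '' || mb_strlen($name) > 80 || !preg_match("/^[\\p{L} .'-]+\$/u", $name)) {
        $errors['name'] = 'Name contains characters that are not allowed.';
    } else {
        $clean['name'] = $name;
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'clean' => $clean];
}

/** Encode a value for HTML output; this, not input stripping, prevents markup injection. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submission with the kind of value the thread's regex targets.
$result = validateOrderForm(['qty' => '2', 'email' => 'bob@example.com', 'name' => '<b>Bob</b>']);
var_dump($result['ok'], $result['errors']);
echo h('<b>Bob</b>'), "\n";
```

Rejecting a field with a clear error, rather than deleting characters from it, also avoids corrupting legitimate values such as names with apostrophes.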