[FX.php List] [ OFF ] Getting to PCI compliance

Bob Patin bob at patin.com
Thu May 19 12:50:29 MDT 2011


John,

Yes, I saw that as well; some of it involved updating PHP to a newer version of PHP 5, and there was something about the cert that they have, but those will be someone else's to deal with. What I think I have to do is add a regex expression that will filter certain characters from form inputs; since I'm not storing card info, that's a non-issue for us.

My client's accounting person got freaked by the $50K warning for each infraction, so of course they dumped the report in my lap to sort out...


Bob Patin
Longterm Solutions
bob at longtermsolutions.com
615-333-6858
http://www.longtermsolutions.com
iChat: bobpatin
FileMaker 9, 10 & 11 Certified Developer
Member of FileMaker Business Alliance and FileMaker TechNet
--
Expert FileMaker Consulting 
FileMaker Hosting for all versions of FileMaker
PHP • Full email services • Free DNS hosting • Colocation • Consulting:


On May 19, 2011, at 1:13 PM, John May wrote:

> One thing to note too that there is a difference between what is *required* and what the PCI company would *like* you to do.  Very often a very large difference.  Only the required stuff is what is required to obtain certification, in my experience.
> 
> They're very much like the HR person trying to hire a tech person that only knows the catch-phrase certifications to look for - they don't necessarily understand what they're talking about.
> 
> 	- John
> 
> 
> On 5/18/11 11:06 AM, Gareth Evans wrote:
>> The report will tell you what needs to be addressed. From my experience
>> most of the stuff that needs to be done is on the server side of things
>> like patching apache/php, installing firewalls/antivirus, blocking
>> unused ports etc. From an application standpoint the usual security
>> guidelines apply like forcing ssl on login/order entry forms, enforcing
>> strong passwords, filtering data, disabling autocomplete on certain form
>> fields etc. If you're storing card data then there are requirements for
>> how it is stored in your systems and how employees can access that data.
>> There is also an admin portion which requires drafting a security policy
>> if you do not have one already.
>> 
>> The following link will have some general info about it, although if you
>> don't manage the servers there may not be too much for you to do depending
>> on how you've written the app.
>> https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
>> 
>> Cheers,
>> Gareth
>> 
>> On 2011-05-18, at 9:52 AM, Bob Patin wrote:
>> 
>>> One of my clients has received a PCI compliance letter, and now I'm
>>> being asked to pull their cart into compliance.
>>> 
>>> From what little I've read about it so far, it appears that I need to
>>> block the submission of certain characters -- the < , > , and some
>>> other symbols -- but is there more than that to be done to get to
>>> compliance?
>>> 
>>> From what I can tell from the report they received, the client's web
>>> server needs a PHP update, but that's not my department... if anyone's
>>> already trod down this road, I'd appreciate any wisdom.
>>> 
>>> Thanks,
>>> 
>>> 
>>> Bob Patin
>>> Longterm Solutions
>>> 
> 
> -- 
> 
> -------------------------------------------------------------------
> John May : President                   http://www.pointinspace.com/
> Point In Space Internet Solutions             jmay at pointinspace.com
> 
>             Twitter: http://twitter.com/pointinspace/
>           Facebook: http://www.facebook.com/PointInSpace/
> 
>        Professional FileMaker Pro, MySQL, PHP & Lasso Hosting
>          on shared, virtual and hardware dedicated servers
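Added example, not written by anyone in this thread and not part of FX.php: Bob's plan is a regex that strips certain characters from form input, and Gareth lists "filtering data" among the usual application-side items. The standard defensive pattern is to validate each field against an allow-list of what it may contain (rejecting anything else, rather than silently removing characters) and to HTML-encode every value when it is echoed back into a page. The field names, rules and sample submissions below are hypothetical, and the code targets PHP 5 to match the thread.

```php
<?php
// Added example (not from the thread): per-field allow-list validation of
// cart form input plus output encoding, instead of one regex that strips
// '<' and '>' from everything. Field names and rules are hypothetical.

// One rule per field describing what that field is allowed to contain.
// 'email' is a marker for filter_var(); everything else is a PCRE pattern.
$rules = array(
    'name'     => '/^[\p{L}\p{M} .\'-]{1,60}$/u',  // letters, marks, space, . ' -
    'email'    => 'email',                          // validated by filter_var()
    'zip'      => '/^[A-Za-z0-9 -]{3,10}$/',         // postal codes, loosely
    'quantity' => '/^[1-9][0-9]{0,2}$/',             // 1 to 999
    'notes'    => '/^[^<>]{0,500}$/',                // free text, no angle brackets
);

// Returns array($clean, $errors). A field is either accepted exactly as
// submitted (after trimming) or rejected; nothing is altered in between.
function validate_fields(array $input, array $rules)
{
    $clean  = array();
    $errors = array();
    foreach ($rules as $field => $rule) {
        $value = isset($input[$field]) ? trim((string) $input[$field]) : '';
        if ($rule === 'email') {
            $ok = filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
        } else {
            $ok = preg_match($rule, $value) === 1;
        }
        if ($ok) {
            $clean[$field] = $value;
        } else {
            $errors[$field] = 'invalid value';
        }
    }
    return array($clean, $errors);
}

// Encode on output so that whatever was stored can never become markup
// when it is printed back into a form or order page.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submissions (not real customer data).
$good = array(
    'name'     => "Mary O'Neil",
    'email'    => 'mary@example.com',
    'zip'      => '37204',
    'quantity' => '2',
    'notes'    => 'Leave at side door',
);
$bad = array(
    'name'     => 'x<script>',
    'email'    => 'not-an-address',
    'zip'      => '',
    'quantity' => '0',
    'notes'    => 'a<b',
);

list($clean, $errors) = validate_fields($good, $rules);
// $errors is empty; $clean holds the five trimmed values.

list($clean2, $errors2) = validate_fields($bad, $rules);
// $errors2 names all five fields; none of the bad values is accepted.

// Echoing an accepted value back into the form: encode it, and turn off
// autocomplete on fields where the browser should not cache the value.
echo '<input type="text" name="name" value="' . h($clean['name'])
   . '" autocomplete="off">' . "\n";
```

Rejecting a field outright (and telling the user which one) avoids the two problems a strip-and-continue filter has: legitimate input such as a name with an apostrophe gets mangled, and a value that slipped past the filter is still printed raw. Output encoding with htmlspecialchars() is what actually keeps stored text from being interpreted as HTML, regardless of what the input filter caught.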
