[FX.php List] PCI Compliance for FMS and OS X Server

Bob Patin bob at patin.com
Thu Jun 27 07:35:57 MDT 2013


Jonathan,

I have a client who runs a PCI compliance test every 30 days; their web apps are powered by FileMaker. They're using a 2-machine configuration and FMSA 12; the web server is Windows 8 Server.

I hired a consultant to help me go through my code, and after spending a grand on him (I won't mention the company by name, but we all know it extremely well), I saw that the ONLY thing he did was to add this to every $_POST:

htmlspecialchars($_POST['myvar'])

which apparently satisfied the PCI compliance gods. I don't know what else they may have done on the web server (if anything), but this gets them by every month.

As to FM Server: we don't capture or store any card numbers, although they do use Plastic to run cards in these venues (tourist attractions); to my knowledge they've not had to do anything with the FM Server machines at all.

Bob Patin
Longterm Solutions LLC
bob at longtermsolutions.com
615-333-6858
http://www.longtermsolutions.com
FileMaker 9, 10 & 11 Certified Developer
Member of FileMaker Business Alliance and FileMaker TechNet
--
Twitter: bobpatin
AIM: longterm1954
iChat: bobpatin
--
Expert FileMaker Consulting 
FileMaker Hosting for all versions of FileMaker


On Jun 25, 2013, at 2:37 PM, Jonathan Schwartz <jschwartz at exit445.com> wrote:

> Hi Folks,
> 
> I'm back to asking this same question again because it keeps on rearing its ugly head...
> 
> Has anyone passed a PCI Compliance scan (for credit card security) using FileMaker Server 11 or 12 under OS X Server?
> 
> I am running OS X Server (10.6.8) on a machine with the latest version of FMS 11. It fails due to old OpenSSL, Apache and Tomcat. It looks like I would need to stop using the built in version of PHP for FMP Web Publishing and attempt to update the offending modules. Not fun.
> 
> It might be easier to migrate to a current OS X server and FileMaker 12, but I need to be sure that this is a guarantee of PCI Compliance. For the sake of argument, assume that the PHP code itself is 100% compliant. I'm just asking about the server environment.
> 
> For reference, the PCI scan I'm referring to is from Trustwave. Passing the scan is required in order for the client to maintain their credit card gateway.
> 
> Thanks
> 
> Jonathan 
> 
> Jonathan Schwartz
> Exit 445 Group
> jonathan at exit445.com
> www.exit445.com
> cell: 415-370-5011
> 
> 
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
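The htmlspecialchars() wrapper Bob describes above is an HTML-context escape. The following is an added example, not code from this thread or from FX.php, showing the same call with explicit flags and charset so that single quotes and invalid UTF-8 are handled too; the field name "myvar" and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the thread). htmlspecialchars() neutralises the
// characters that matter when a value is placed inside HTML. Passing the
// flags and charset explicitly avoids depending on the PHP version's defaults:
// before PHP 8.1 the default leaves single quotes alone and returns an empty
// string for a value containing invalid UTF-8.

/** Escape a value for HTML text or a double- or single-quoted attribute. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Read a POST field as a string, keeping the raw value for non-HTML uses. */
function post_field(string $name, string $default = ''): string
{
    return (isset($_POST[$name]) && is_string($_POST[$name])) ? $_POST[$name] : $default;
}

// Constructed sample values: markup, both quote styles, an ampersand and an
// invalid UTF-8 byte (the edge case ENT_SUBSTITUTE exists for).
$samples = [
    'Fish & Chips',
    '<b>bold</b>',
    '"double" quoted',
    "it's single quoted",
    "bad byte \xC3 here",
];

foreach ($samples as $raw) {
    // Left: bare call as in the thread (behaviour depends on PHP version).
    // Right: explicit flags, stable across versions.
    printf("%-24s | %-28s | %s\n",
        $raw, htmlspecialchars($raw), html_escape($raw));
}

// Typical use: escape once, at the point where the value enters HTML.
$_POST['myvar'] = $samples[2];   // constructed; stands in for a real request
$myvar = post_field('myvar');
echo '<input type="text" name="myvar" value="' . html_escape($myvar) . '">', "\n";
```

With ENT_QUOTES the single quote is emitted as `&#039;`, and with ENT_SUBSTITUTE the invalid byte becomes U+FFFD instead of the whole value being dropped.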
