
This topic is 6387 days old. Please don't post here. Open a new topic instead.


Posted (edited)

Hey all-

My boss wants my newly created FileMaker Sales System to store the credit card info of our customers. Naturally, this makes me nervous. What is the common wisdom on this subject?

Is storing the number in a field and then guarding our FileMaker log-in passwords an acceptable level of security? Is there an additional level of encryption necessary (and is there even any encryption of the data in FileMaker)? Should we not store them at all?

Thanks in advance for any input,

Nate

Posted

Some people will tell you not to store the cards at all. I say go ahead, but you should use encryption. We currently use the Troi Encryptor plugin. That way, even if someone is able to export the data, it will be scrambled and unusable.

Posted

Thanks for the reply Tom.

So using an encryption plug-in is the way to go? That's what I was thinking. But, correct me if I'm wrong, if a malicious user gains access to our FileMaker system they will be able to decrypt the credit card info (using the plug-in)? I.e., if they have our database file they will not be able to extract credit card info, but if they have the database and the password they will? I'm just trying to clarify the level of security here.

Thanks again,

Nate

Posted

I'm not sure I'd chance even that since liability includes fines and penalties that, I believe, begin at $50,000 per incident, i.e., each compromised credit card. This is one reason that the receipts that credit card machines print out now show only the last four digits of the card number. Storing the untruncated card number in a database is really unnecessary and puts you and your business at risk. If you're not already familiar with them, the PCI Data Security Standards are well worth checking out. See, for example, http://www.mastercard.com/us/wce/PDF/10171_MasterCard_Industry_Letter.pdf.

Posted

...if a malicious user gains access to our FileMaker system they will be able to decrypt the credit card info (using the plug-in)? I.e., if they have our database file they will not be able to extract credit card info, but if they have the database and the password they will?

In our solution, the only way to decrypt the card numbers is one at a time. It also writes a history log every time a card number is accessed. No end-user has access to scripts so the only way someone could steal the list of card numbers would be to physically have access to the file in single user mode and hack the password, or if they somehow got access to the developer password. If your users have access to scripts then the security risk would be too great.

Storing the untruncated card number in a database is really unnecessary and puts you and your business at risk. If you're not already familiar with them, the PCI Data Security Standards are well worth checking out.

Your point is well taken Bozkid, however if you have a need to do recurring billing then you don't have a lot of choice. We follow the guidelines below (quoted from your link, thank you for that).

Do not store the following under any circumstance:

– Full contents of any track from the magnetic stripe on the back of the card.

– Card-validation code—the three-digit value printed on the signature panel of a card.

Store only that portion of the customer’s account information that is essential to your business — i.e. name, account number or expiration date.

Posted

If you don't have to store the card numbers, then don't. If you do, then encrypt them with a strong algorithm. And do not store the key in the file.

Steven
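
An added illustration of the advice in the posts above (encrypt with a strong algorithm, keep the key out of the file, decrypt one card at a time and log every access). It is not code from the thread, FileMaker or the Troi plug-in; it uses Node.js with AES-256-GCM, and `makeCardVault`, the record fields, the customer ID and the sample card number are assumptions constructed for the example.

```javascript
const crypto = require('node:crypto');

// The 32-byte key is passed in by the caller and is never written into a record.
// Assumption: the real key is held outside the database file.
function makeCardVault(key) {
  if (!Buffer.isBuffer(key) || key.length !== 32) throw new Error('need a 32-byte key');
  const auditLog = [];

  // Returns the only form of the card that gets stored.
  function seal(customerId, pan) {
    if (!/^\d{12,19}$/.test(pan)) throw new Error('unexpected card number format');
    const iv = crypto.randomBytes(12); // fresh nonce for every record
    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
    cipher.setAAD(Buffer.from(customerId)); // ties the ciphertext to this customer
    const ct = Buffer.concat([cipher.update(pan, 'utf8'), cipher.final()]);
    return {
      customerId,
      last4: pan.slice(-4), // enough for screens and receipts
      iv: iv.toString('base64'),
      tag: cipher.getAuthTag().toString('base64'),
      ct: ct.toString('base64'),
    };
  }

  // Decrypts exactly one record; the access is logged before any plaintext exists.
  function reveal(record, user, reason) {
    const entry = { at: new Date().toISOString(), user, reason,
                    customerId: record.customerId, ok: false };
    auditLog.push(entry);
    const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
    d.setAAD(Buffer.from(record.customerId));
    d.setAuthTag(Buffer.from(record.tag, 'base64'));
    // final() throws if the key is wrong, the record was altered, or the
    // ciphertext was copied onto another customer's record.
    const pan = Buffer.concat([d.update(Buffer.from(record.ct, 'base64')), d.final()])
      .toString('utf8');
    entry.ok = true;
    return pan;
  }

  return { seal, reveal, auditLog };
}

// Constructed demo data: a random key and a commonly used test card number.
const demoKey = crypto.randomBytes(32);
const vault = makeCardVault(demoKey);
const demoRecord = vault.seal('CUST-0001', '4111111111111111');
```

An export of the stored records yields only `last4` and ciphertext; failed decrypt attempts stay in `auditLog` with `ok: false`.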
